Security observability on Linux with Wazuh and Tetragon
September 30, 2025
Gunra ransomware is a recently identified threat that has been observed targeting Windows endpoints across multiple industries worldwide, including manufacturing and energy sectors. Known for its encryption capabilities and exfiltration tactics, the ransomware follows a double-extortion model, encrypting victim data while simultaneously threatening to leak stolen information on its Tor-hosted leak site. Gunra’s malicious behavior includes enumerating running processes, deleting shadow copies through Windows Management Instrumentation (WMI), gathering system details, and detecting debuggers to evade analysis.
The Gunra ransomware has expanded attacks to healthcare, electronics, and beverage firms. Its new variant appends .encrt to files and drops r3adm3.txt ransom notes, warning victims their data is encrypted and stolen, with leaks threatened in five days. Victims are directed to a Tor-based portal for ransom negotiations, underscoring the group’s double-extortion tactics.
In this blog post, we illustrate how organizations can detect and respond to Gunra ransomware on infected Windows endpoints.
Gunra ransomware exhibits several behaviors when it infects a Windows endpoint. These behaviors include the following:
- Drops a ransom note named "R3ADM3.txt" in every directory where the ransomware encrypts files.
- Encrypts files and appends the extension ".ENCRT" to them.

| Hash (SHA256) |
|---|
| a82e496b7b5279cb6b93393ec167dd3f50aff1557366784b25f9e51cb23689d9 |
| 854e5f77f788bbbe6e224195e115c749172cd12302afca370d4f9e3d53d005fd |
We use the following infrastructure to demonstrate the detection of Gunra ransomware with Wazuh:
We use Sysmon to enhance visibility into system events and create custom detection rules on the Wazuh server to identify the malicious behavior associated with Gunra ransomware.
Perform the following steps to configure the Wazuh agent to capture Sysmon events and send them to the Wazuh server for analysis.
1. Download Sysmon from the Microsoft Sysinternals page.
2. Extract the compressed Sysmon file to your preferred directory.
3. Download the Sysmon configuration file sysmonconfig.xml using PowerShell as an administrator. Replace <SYSMON_EXECUTABLE_PATH> with the directory path to your Sysmon executable.
> wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml
4. Navigate to the folder containing the Sysmon executable. Run the command below to install and start Sysmon using PowerShell with Administrator privileges:
> .\Sysmon64.exe -accepteula -i sysmonconfig.xml
5. Add the following configuration to the C:\Program Files (x86)\ossec-agent\ossec.conf file within the <ossec_config> block to capture and forward Sysmon event logs to the Wazuh server:
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
6. Restart the Wazuh agent to apply the configuration changes:
> Restart-Service -Name wazuh
Perform the following steps on the Wazuh dashboard to configure the Wazuh server for Gunra ransomware detection.
Perform the steps below on the Wazuh dashboard to create and configure custom rules for processing and monitoring logs generated from the Windows endpoint.
1. Navigate to Server management > Rules.
2. Click + Add new rules file.
3. Copy and paste the rules below and name the file gunra_ransomware_rules.xml. Click Save.
<group name="gunra,ransomware,">

  <!-- Ransom note file creation -->
  <rule id="100601" level="15" timeframe="100" frequency="2" ignore="100">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.Image" type="pcre2">[^"]+\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">[^"]*R3ADM3\.txt</field>
    <description>Possible Gunra ransomware activity detected: Multiple ransom notes dropped in $(win.eventdata.targetFilename)</description>
    <mitre>
      <id>T1543.003</id>
      <id>T1486</id>
    </mitre>
  </rule>

  <!-- Antimalware Scan Interface Access Modification -->
  <rule id="100602" level="7">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.Image" type="pcre2">C:\\\\Windows\\\\System32\\\\VSSVC\.exe</field>
    <field name="win.eventdata.ImageLoaded" type="pcre2">C:\\\\Windows\\\\System32\\\\amsi\.dll</field>
    <description>Possible ransomware activity detected: Suspicious Volume Shadow copy Service (VSS) loaded amsi.dll for tampering and evasion attempt.</description>
    <mitre>
      <id>T1562</id>
      <id>T1562.001</id>
    </mitre>
  </rule>

  <rule id="100603" level="7">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(C:\\\\Windows\\\\SystemApps\\\\Microsoft\.Windows\.AppRep\.ChxApp_cw5n1h2txyewy\\\\CHXSmartScreen\.exe)</field>
    <field name="win.eventdata.ImageLoaded" type="pcre2">C:\\\\Windows\\\\System32\\\\urlmon\.dll</field>
    <description>Possible ransomware activity detected: Urlmon.dll was loaded, indicating network reconnaissance.</description>
    <mitre>
      <id>T1562.001</id>
    </mitre>
  </rule>

  <!-- Volume Shadow copy Service (VSS) deletion -->
  <rule id="100604" level="7">
    <if_sid>60103</if_sid>
    <field name="win.eventdata.targetUserName" type="pcre2">Backup Operators</field>
    <field name="win.eventdata.targetSid" type="pcre2">S-1-5-32-551</field>
    <field name="win.eventdata.callerProcessName" type="pcre2">C:\\\\Windows\\\\System32\\\\VSSVC\.exe</field>
    <description>Possible Gunra ransomware activity detected: Volume Shadow copy Service (VSS) deletion attempts, gearing up to disable backups.</description>
    <mitre>
      <id>T1562</id>
      <id>T1562.002</id>
    </mitre>
  </rule>

  <rule id="100605" level="7">
    <if_sid>60103</if_sid>
    <field name="win.eventdata.targetUserName" type="pcre2">Administrators</field>
    <field name="win.eventdata.targetSid" type="pcre2">S-1-5-32-544</field>
    <field name="win.eventdata.callerProcessName" type="pcre2">C:\\\\Windows\\\\System32\\\\VSSVC\.exe</field>
    <description>Possible Gunra ransomware activity detected: Volume Shadow copy Service (VSS) deletion shadow attempts, gearing to disable local admin accounts</description>
    <mitre>
      <id>T1562</id>
      <id>T1562.002</id>
    </mitre>
  </rule>

</group>
Where:
- 100601 is triggered when the Gunra ransomware ransom note R3ADM3.txt is created repeatedly (two or more times within the rule's 100-second timeframe).
- 100602 is triggered when a suspicious Volume Shadow Copy Service (VSS) process loads amsi.dll, indicating a tampering and evasion attempt.
- 100603 is triggered when urlmon.dll is loaded, indicating network reconnaissance.
- 100604 is triggered when Volume Shadow Copy Service (VSS) deletion is attempted, gearing up to disable backups.
- 100605 is triggered when Volume Shadow Copy Service (VSS) deletion is attempted, gearing up to disable local admin accounts.
4. Click Reload to apply the changes.
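To show how the field patterns and the frequency, timeframe and ignore attributes of these rules behave before deploying them, here is an added example (not part of the Wazuh post and not Wazuh code) that replays constructed Sysmon-style events through a simplified Python model of the matching. Two things in it are assumptions about Wazuh internals: that if_sid 61613 and 61609 correspond to Sysmon file-create and image-load events, and that pcre2 fields are evaluated against the JSON-escaped event text, which is why the rules write a single path backslash as four. The paths and timestamps are sample data.

```python
import json
import re
from collections import defaultdict, deque

# Field patterns of the page's rules 100601 and 100602, copied from the XML above.
# if_sid values are the Wazuh base Sysmon rules they chain from (61613 = Sysmon
# event 11 FileCreate, 61609 = event 7 ImageLoad; assumed here).
SAMPLE_RULES = [
    {"id": "100601", "if_sid": "61613", "frequency": 2, "timeframe": 100, "ignore": 100,
     "fields": {"win.eventdata.Image": r'[^"]+\.exe',
                "win.eventdata.targetFilename": r'[^"]*R3ADM3\.txt'}},
    {"id": "100602", "if_sid": "61609",
     "fields": {"win.eventdata.Image": r'C:\\\\Windows\\\\System32\\\\VSSVC\.exe',
                "win.eventdata.ImageLoaded": r'C:\\\\Windows\\\\System32\\\\amsi\.dll'}},
]


def json_escaped(value):
    """Wazuh evaluates pcre2 fields against the JSON-encoded event text, in which
    every backslash of a Windows path is doubled; that is why the rules escape one
    backslash as four. Reproduce that form here (assumption about Wazuh internals)."""
    return json.dumps(value)[1:-1]


def fields_match(rule, eventdata):
    """Every <field> of the rule must match; the win.eventdata. prefix is stripped."""
    for name, pattern in rule["fields"].items():
        value = eventdata.get(name.split(".")[-1])
        if value is None or not re.search(pattern, json_escaped(value)):
            return False
    return True


class Correlator:
    """Simplified model of Wazuh's frequency/timeframe/ignore handling."""

    def __init__(self, rules):
        self.rules = rules
        self.window = defaultdict(deque)   # rule id -> timestamps of matching events
        self.ignore_until = {}             # rule id -> time until which re-alerts are suppressed

    def process(self, ts, event):
        fired = []
        for rule in self.rules:
            if event["parent_sid"] != rule["if_sid"] or not fields_match(rule, event["eventdata"]):
                continue
            rid = rule["id"]
            if ts < self.ignore_until.get(rid, 0):
                continue                    # inside the rule's ignore="..." window
            if rule.get("frequency", 1) > 1:
                w = self.window[rid]
                w.append(ts)
                while w and ts - w[0] > rule["timeframe"]:
                    w.popleft()             # drop matches older than the timeframe
                if len(w) < rule["frequency"]:
                    continue                # not enough repetitions yet
                w.clear()
            self.ignore_until[rid] = ts + rule.get("ignore", 0)
            fired.append(rid)
        return fired


# Constructed events: three ransom-note drops by one process, one VSSVC.exe loading
# amsi.dll, and one benign text file written by explorer.exe. Timestamps in seconds.
SAMPLE_EVENTS = [
    (0, {"parent_sid": "61613", "eventdata": {"Image": "C:\\Users\\alice\\Downloads\\suspect.exe",
                                               "targetFilename": "C:\\Users\\alice\\Documents\\R3ADM3.txt"}}),
    (5, {"parent_sid": "61613", "eventdata": {"Image": "C:\\Users\\alice\\Downloads\\suspect.exe",
                                               "targetFilename": "C:\\Users\\alice\\Pictures\\R3ADM3.txt"}}),
    (10, {"parent_sid": "61613", "eventdata": {"Image": "C:\\Users\\alice\\Downloads\\suspect.exe",
                                                "targetFilename": "C:\\Users\\alice\\Music\\R3ADM3.txt"}}),
    (12, {"parent_sid": "61609", "eventdata": {"Image": "C:\\Windows\\System32\\VSSVC.exe",
                                                "ImageLoaded": "C:\\Windows\\System32\\amsi.dll"}}),
    (15, {"parent_sid": "61613", "eventdata": {"Image": "C:\\Windows\\explorer.exe",
                                                "targetFilename": "C:\\Users\\alice\\notes.txt"}}),
]


def run(events=SAMPLE_EVENTS, rules=SAMPLE_RULES):
    """Replay the events and return (timestamp, rule id) for every alert raised."""
    corr = Correlator(rules)
    return [(ts, rid) for ts, ev in events for rid in corr.process(ts, ev)]


if __name__ == "__main__":
    for ts, rid in run():
        print(f"t={ts:>3}s  rule {rid} fired")
```

Running it raises 100601 once, at the second ransom note (t=5), and suppresses the third because of ignore="100"; 100602 fires on the single VSSVC.exe image load; the benign explorer.exe write matches the .exe pattern but not the ransom-note name, so nothing fires. The same harness can be extended with the other rules and with log lines from your own endpoint to check a pattern before it goes into production.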
The alerts below are generated on the Wazuh dashboard when Gunra ransomware is executed on a Windows endpoint. Perform the following steps to view the alerts on the Wazuh dashboard.
1. Navigate to Agents management > Summary and select the Windows agent.
2. Click on Threat Hunting and select the Events tab.
3. Click + Add filter. Then filter for rule.groups in the Field field. Select is one of in the Operator field.
4. Add the filters gunra and ransomware in the Values field.
5. Click Save.
VirusTotal is a platform that aggregates multiple antivirus products and online scan engines to detect security threats. It provides an API that allows users to query URLs, IP addresses, domains, or file hashes for threat analysis. By integrating VirusTotal with Wazuh, you can configure Wazuh to automatically send file hashes of newly created or modified files on monitored endpoints to the VirusTotal API for real-time threat detection.
For this integration, we configure the Wazuh File Integrity Monitoring (FIM) module and VirusTotal to detect and scan files that are added or modified in specific directories on the Windows endpoint. Additionally, we configure the Wazuh Active Response module to automatically delete the files that VirusTotal identifies as malicious.
1. Add the following configuration within the <syscheck> block in the C:\Program Files (x86)\ossec-agent\ossec.conf file to monitor for changes. In this blog post, we configure the FIM module to monitor the Downloads folder for all users.
<directories realtime="yes">C:\Users\*\Downloads</directories>
2. Restart the Wazuh agent to apply the configuration changes:
> Restart-Service -Name wazuh
We create an active response script to remove any known variant of Gunra ransomware immediately after VirusTotal identifies it as a threat.
Create the active response script remove-threat.py on the Windows endpoint with the following content:
Warning: This script is a proof of concept (PoC). Review and validate it to ensure it meets the operational and security requirements of your environment.

# Copyright (C) 2015-2025, Wazuh Inc.
# All rights reserved.

import os
import sys
import json
import datetime
import stat
import tempfile
import pathlib

if os.name == 'nt':
    LOG_FILE = "C:\\Program Files (x86)\\ossec-agent\\active-response\\active-responses.log"
else:
    LOG_FILE = "/var/ossec/logs/active-responses.log"

ADD_COMMAND = 0
DELETE_COMMAND = 1
CONTINUE_COMMAND = 2
ABORT_COMMAND = 3

OS_SUCCESS = 0
OS_INVALID = -1


class message:
    def __init__(self):
        self.alert = ""
        self.command = 0


def write_debug_file(ar_name, msg):
    # Append a timestamped line to the active response log
    with open(LOG_FILE, mode="a") as log_file:
        log_file.write(str(datetime.datetime.now().strftime('%Y/%m/%d %H:%M:%S')) + " " + ar_name + ": " + msg + "\n")


def setup_and_check_message(argv):
    # Read the first line the Wazuh manager writes to stdin: the JSON "add"/"delete" message
    input_str = ""
    for line in sys.stdin:
        input_str = line
        break

    msg_obj = message()

    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        msg_obj.command = OS_INVALID
        return msg_obj

    msg_obj.alert = data

    command = data.get("command")

    if command == "add":
        msg_obj.command = ADD_COMMAND
    elif command == "delete":
        msg_obj.command = DELETE_COMMAND
    else:
        msg_obj.command = OS_INVALID
        write_debug_file(argv[0], 'Not valid command: ' + str(command))

    return msg_obj


def send_keys_and_check_message(argv, keys):
    # Echo the alert's rule ID back to the manager and wait for "continue" or "abort"
    keys_msg = json.dumps({"version": 1, "origin": {"name": argv[0], "module": "active-response"}, "command": "check_keys", "parameters": {"keys": keys}})

    write_debug_file(argv[0], keys_msg)

    print(keys_msg)
    sys.stdout.flush()

    input_str = ""
    while True:
        line = sys.stdin.readline()
        if line:
            input_str = line
            break

    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        return OS_INVALID

    action = data.get("command")

    if action == "continue":
        return CONTINUE_COMMAND
    elif action == "abort":
        return ABORT_COMMAND
    else:
        write_debug_file(argv[0], "Invalid value of 'command'")
        return OS_INVALID


def secure_delete_file(filepath_str, ar_name):
    filepath = pathlib.Path(filepath_str)

    # Reject NTFS alternate data streams
    if '::' in filepath_str:
        raise Exception(f"Refusing to delete ADS or NTFS stream: {filepath_str}")

    # Reject symbolic links and reparse points
    if os.path.islink(filepath):
        raise Exception(f"Refusing to delete symbolic link: {filepath}")

    # st_file_attributes only exists on Windows; treat it as 0 elsewhere
    attrs = getattr(os.lstat(filepath), "st_file_attributes", 0)
    if attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT:
        raise Exception(f"Refusing to delete reparse point: {filepath}")

    resolved_filepath = filepath.resolve()

    # Ensure it's a regular file
    if not resolved_filepath.is_file():
        raise Exception(f"Target is not a regular file: {resolved_filepath}")

    # Perform deletion
    os.remove(resolved_filepath)


def main(argv):
    write_debug_file(argv[0], "Started")
    msg = setup_and_check_message(argv)

    if msg.command < 0:
        sys.exit(OS_INVALID)

    if msg.command == ADD_COMMAND:
        alert = msg.alert["parameters"]["alert"]
        keys = [alert["rule"]["id"]]
        action = send_keys_and_check_message(argv, keys)

        if action != CONTINUE_COMMAND:
            if action == ABORT_COMMAND:
                write_debug_file(argv[0], "Aborted")
                sys.exit(OS_SUCCESS)
            else:
                write_debug_file(argv[0], "Invalid command")
                sys.exit(OS_INVALID)

        try:
            file_path = alert["data"]["virustotal"]["source"]["file"]
            if os.path.exists(file_path):
                secure_delete_file(file_path, argv[0])
                write_debug_file(argv[0], json.dumps(msg.alert) + " Successfully removed threat")
            else:
                write_debug_file(argv[0], f"File does not exist: {file_path}")
        except OSError as error:
            write_debug_file(argv[0], json.dumps(msg.alert) + " Error removing threat: " + str(error))
        except Exception as e:
            write_debug_file(argv[0], f"{json.dumps(msg.alert)}: Error removing threat: {str(e)}")
    else:
        write_debug_file(argv[0], "Invalid command")

    write_debug_file(argv[0], "Ended")
    sys.exit(OS_SUCCESS)


if __name__ == "__main__":
    main(sys.argv)
The active response Python script handles the removal of the malicious file using the os.remove()
function:
os.remove(msg.alert["parameters"]["alert"]["data"]["virustotal"]["source"]["file"])
Note: This step is optional if Python is installed on the Windows endpoint.
1. Install Pyinstaller using PowerShell:
> pip install -U pyinstaller
2. Navigate to the directory where remove-threat.py is located and convert the file to an executable file with the following command:
> pyinstaller -F remove-threat.py
3. Copy the executable file, remove-threat.exe, from the \dist folder under your current working directory to the C:\Program Files (x86)\ossec-agent\active-response\bin folder.
4. Restart the Wazuh agent to apply the changes:
> Restart-Service -Name wazuh
Perform the following steps on the Wazuh dashboard to configure the Wazuh server to scan the Gunra ransomware executable files with VirusTotal:
1. Add the following configuration to the Wazuh server configuration file, replacing the <API_KEY> variable with your VirusTotal API key, to scan the Gunra ransomware executable files with VirusTotal:
<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key><API_KEY></api_key> <!-- Replace with your VirusTotal API key -->
    <rule_id>554,550</rule_id>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
The FIM rule IDs 554 and 550 detect file addition and modification events, respectively.
2. Add the following configuration to the Wazuh server configuration file to define the remove-threat command and run it on the endpoint that raised the alert when the VirusTotal integration reports a malicious file (rule 87105):
<ossec_config>
  <command>
    <name>remove-threat</name>
    <executable>remove-threat.exe</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>remove-threat</command>
    <location>local</location>
    <rules_id>87105</rules_id>
  </active-response>
</ossec_config>
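As an added example (not code from the Wazuh post or the Wazuh project), the following Python simulates in-process the stdin/stdout exchange that takes place when rule 87105 fires and the manager invokes remove-threat: the manager's add message, the script's check_keys request, the manager's continue or abort reply, and finally the deletion. The message envelope follows the Wazuh active response JSON format as understood here, the alert bodies are constructed, and the allowed-directory check is an extra safeguard suggested in this example, not something the page's script performs. Everything runs against a temporary directory standing in for the monitored Downloads folder.

```python
import json
import os
import pathlib
import tempfile

# Wazuh's built-in rule for a VirusTotal positive match, the <rules_id> used in the
# <active-response> block above.
VIRUSTOTAL_MATCH_RULE = "87105"


def manager_message(alert, program="active-response/bin/remove-threat.exe"):
    """Line the manager writes to the script's stdin. The envelope follows the
    Wazuh active response message format (assumed); the alert body is constructed."""
    return json.dumps({"version": 1, "origin": {"name": "node01", "module": "wazuh-execd"},
                       "command": "add",
                       "parameters": {"extra_args": [], "alert": alert, "program": program}})


def script_request(add_line):
    """Script side, step 1: parse the add message and echo the alert's rule ID back
    in a check_keys request, as the page's remove-threat.py does."""
    msg = json.loads(add_line)
    if msg.get("command") != "add":
        raise ValueError("unexpected command: %r" % msg.get("command"))
    alert = msg["parameters"]["alert"]
    check_keys = json.dumps({"version": 1, "origin": {"name": "remove-threat", "module": "active-response"},
                             "command": "check_keys", "parameters": {"keys": [alert["rule"]["id"]]}})
    return alert, check_keys


def manager_reply(check_keys_line, expected_rule=VIRUSTOTAL_MATCH_RULE):
    """Manager side: answer continue only when the echoed key is the rule this
    response is configured for; anything else is aborted."""
    req = json.loads(check_keys_line)
    ok = req.get("command") == "check_keys" and expected_rule in req["parameters"]["keys"]
    return json.dumps({"command": "continue" if ok else "abort"})


def script_finish(alert, reply_line, allowed_roots):
    """Script side, step 2: act only after a continue, only on a regular file, and
    (extra check added in this example) only inside a monitored directory."""
    if json.loads(reply_line).get("command") != "continue":
        return "aborted"
    target = pathlib.Path(alert["data"]["virustotal"]["source"]["file"])
    if target.is_symlink() or not target.is_file():
        return "refused: not a regular file"
    resolved = target.resolve()
    if not any(root == resolved or root in resolved.parents for root in allowed_roots):
        return "refused: outside monitored directories"
    os.remove(resolved)
    return "removed"


def exchange(alert, allowed_roots):
    """Drive one complete manager <-> script exchange."""
    alert, check_keys = script_request(manager_message(alert))
    return script_finish(alert, manager_reply(check_keys), allowed_roots)


def demo():
    """Constructed scenario: a temp dir stands in for C:\\Users\\<user>\\Downloads."""
    with tempfile.TemporaryDirectory() as tmp:
        downloads = pathlib.Path(tmp, "Downloads")
        elsewhere = pathlib.Path(tmp, "elsewhere")
        downloads.mkdir()
        elsewhere.mkdir()
        inside, outside = downloads / "sample.bin", elsewhere / "sample.bin"
        inside.write_bytes(b"constructed sample, not malware")
        outside.write_bytes(b"constructed sample, not malware")
        roots = [downloads.resolve()]

        def vt_alert(rule_id, path):
            # Shape of the fields the page's script reads from the VirusTotal alert
            return {"rule": {"id": rule_id, "level": 12},
                    "data": {"virustotal": {"found": 1, "positives": 55, "source": {"file": str(path)}}}}

        return (
            exchange(vt_alert(VIRUSTOTAL_MATCH_RULE, inside), roots),    # removed
            inside.exists(),                                            # False
            exchange(vt_alert("100601", inside), roots),                # aborted: other rule
            exchange(vt_alert(VIRUSTOTAL_MATCH_RULE, outside), roots),  # refused
            outside.exists(),                                           # True
        )


if __name__ == "__main__":
    print(demo())
```

The split into script_request and script_finish mirrors the two reads the real script performs on stdin, with the manager's decision in between; keeping the directory allowlist on the script side means a forged or mis-routed alert naming a file outside the FIM-monitored path cannot turn the response into an arbitrary file deletion.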
3. Navigate to Server management > Rules and open the gunra_ransomware_rules.xml file.
4. Add the following rules to the gunra_ransomware_rules.xml file to generate alerts when the Wazuh Active Response module successfully removes the malicious files. Click Save.
<group name="virustotal,">
  <rule id="100611" level="12">
    <if_sid>657</if_sid>
    <match>Successfully removed threat</match>
    <description>$(parameters.program) removed threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>

  <rule id="100612" level="12">
    <if_sid>657</if_sid>
    <match>Error removing threat</match>
    <description>Error removing threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>
</group>
Where:
- 100611 generates an alert when the Wazuh Active Response module successfully removes the Gunra ransomware.
- 100612 generates an alert when the Wazuh Active Response module fails to remove the Gunra ransomware.
When a variant of Gunra ransomware is downloaded to the victim’s Downloads folder, Wazuh generates alerts and promptly initiates an active response to remove the malicious file. The screenshot below shows that the Wazuh FIM module detects the file addition, which VirusTotal confirms as malicious, triggering Wazuh to take an automated response. Follow these steps to view these alerts:
1. Click + Add filter. Then filter for rule.id in the Field field. Select is one of in the Operator field.
2. Add 100611, 100612, 553, 554, 550, and 87105 in the Values field.

Wazuh provides various capabilities for detecting and responding to malware. This blog post highlights how to detect Gunra ransomware activities on a monitored Windows endpoint with Wazuh. We integrated Sysmon with Wazuh to enrich logs from the infected endpoint and created Wazuh detection rules to identify malicious behaviour associated with Gunra ransomware. We also demonstrated how to use the Wazuh FIM and Active Response capabilities with VirusTotal integration to respond to threats.
Consult the Wazuh documentation to refine your setup or explore the capabilities of Wazuh. Feel free to join our community, where our team and other Wazuh users are available to assist you with any questions related to Wazuh.