CloudSEK’s threat intelligence team has just published an in-depth investigation into Gunra, a rapidly emerging Ransomware-as-a-Service (RaaS) operation that has formalized its affiliate recruitment on the dark web.
What makes this report significant is that their researchers successfully infiltrated the affiliate program, gaining access to:
- The live RaaS management panel
- Affiliate documentation (operator guide)
- A functional ransomware locker sample for full reverse engineering
Key findings include:
- Gunra operates a professionalized RaaS business model, lowering the barrier for cybercriminals through structured affiliate onboarding.
- The locker uses a ChaCha20 + RSA-4096 hybrid encryption model, making decryption cryptographically infeasible without attacker-controlled private keys.
- The malware executes fully offline, bypassing network-based detection during encryption.
- It implements multi-threaded parallel encryption, enabling rapid filesystem-wide impact within minutes.
- The ransomware performs surgical targeting, excluding system directories (C:\Windows, Program Files) to maintain operability and ensure ransom payment.
- Embedded Tor payment infrastructure and hardcoded credentials streamline victim-to-operator communication.
- Complete MITRE ATT&CK mapping and actionable IOCs are included for defenders.
This report provides rare insight into both the business infrastructure and technical core of a growing RaaS operation.
Full report: https://www.cloudsek.com/blog/inside-gunra-raas-from-affiliate-recruitment-on-the-dark-web-to-full-technical-dissection-of-their-locker
This entry was posted on February 11, 2026 at 8:53 am and is filed under Commentary with tags CloudSEK.
Inside Gunra RaaS – Dark Web Affiliate Infiltration & Technical Dissection