Gunra Ransomware Strikes American Hospital Dubai

On June 4, 2025, the American Hospital Dubai (AHD) became the target of a significant cyberattack executed by the Gunra Ransomware Group. The threat actor claimed to have exfiltrated and encrypted 450 million patient records, totaling around 4 TB of uncompressed data. The group threatened public exposure of the stolen data by June 8, 2025, using dark web leak sites to escalate pressure.

Severity Level: Critical

Breach Details

The breach impacts a major UAE private healthcare institution, a 254-bed facility offering services in over 40 medical specialties. The hospital has not officially responded to inquiries as of the latest update.

Exfiltrated Data Includes:

  • Personal and demographic patient data
  • Credit card information
  • Emirates ID numbers
  • Clinical records (e.g., diagnosis, treatment plans)
  • Internal financial data (e.g., payroll, billing records)
  • Billing histories

The exposed financial and national ID data poses serious legal and regulatory risks due to the UAE’s stringent cybersecurity laws.

Lessons Learned:

  • The exposure of 450M records suggests excessive data retention. Organizations must implement strict data lifecycle and minimization policies, especially for sensitive patient and financial data.
  • Gunra successfully exfiltrated 4TB of data before encryption. This suggests AHD lacked proper DLP (Data Loss Prevention) and outbound traffic monitoring to detect or block large-scale unauthorized transfers.
  • The attackers accessed both clinical records and internal financial systems, implying poor segmentation between medical systems, administrative assets, and internet-facing infrastructure.

Gunra Ransomware – Threat Overview

Gunra is a financially motivated ransomware group active since April 2025. It uses double-extortion techniques, encrypting victim data while simultaneously exfiltrating it to demand ransom via Tor-based portals. The ransomware is capable of evading analysis, obfuscating its operations, and disabling recovery options by deleting shadow copies.

  1. Initial access likely via phishing emails, RDP brute-force, or exploiting unpatched software.
  2. The attack uses Windows Management Instrumentation (WMI) for process execution.
  3. The ransomware, upon execution, spawns a process named gunraransome.exe, which becomes visible in the Windows Task Manager (taskmgr.exe).
  4. Once active, the process:
    • Enumerates files for encryption (FindNextFileExW)
    • Encrypts files and appends .ENCRT
    • Deletes shadow copies via WMI (vssadmin delete shadows)
    • Drops ransom note (R3ADM3.txt) in directories
    • Contacts C2 over Tor, coordinating ransom instructions
    • Uses IsDebuggerPresent, GetCurrentProcess, and TerminateProcess to evade analysis and gain execution control.
  5. Targeted region: Global
  6. Targeted sectors: real estate, pharmaceuticals, manufacturing, healthcare, food & beverage, technology, consumer services

Recommendations:

  1. Monitor for suspicious behaviors such as files encrypted with the extension .ENCRT, execution of processes like gunraransome.exe, and the dropping of ransom note files (e.g., R3ADM3.txt).
  2. Backup Strategy: Implement offline or immutable backups. Regularly test restore procedures from backups. Store multiple backup versions in segregated environments (cloud and on-prem).
  3. Train employees regularly on identifying phishing attempts and safe email practices. Conduct periodic phishing simulation exercises.
  4. Monitor for WMI usage tied to vssadmin or PowerShell-based shadow copy deletions.
  5. Implement file integrity monitoring solutions to detect any changes to critical files, especially system files and documents, and alert the security team about unauthorized changes.
  6. Regularly apply security patches across all systems to ensure that known vulnerabilities are not exploited by the malware.
  7. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/3713bdfbd159072c56c9c437146dcef498935abe813991f2a128d54bc8f40a8a/iocs
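Detection logic for the host-level indicators listed in recommendations 1 and 4 (gunraransome.exe execution, .ENCRT file writes, the R3ADM3.txt note, and shadow copy deletion launched through WMI), as an added example that is not part of the advisory. It runs over constructed Sysmon-style events; the simplified field names (id, image, parent, cmdline, target) are an assumption for illustration and would be mapped to the real log schema in practice.

```python
import re
from collections import Counter

# Constructed sample events (Sysmon-like, simplified fields): 1 = process create, 11 = file create.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Users\alice\AppData\Local\Temp\gunraransome.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "gunraransome.exe"},
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 11, "image": r"C:\Users\alice\AppData\Local\Temp\gunraransome.exe",
     "target": r"D:\share\records.db.ENCRT"},
    {"id": 11, "image": r"C:\Users\alice\AppData\Local\Temp\gunraransome.exe",
     "target": r"D:\share\R3ADM3.txt"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},  # benign, must not alert
]

# vssadmin-based deletion, or PowerShell/WMI deletion via the Win32_ShadowCopy class.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|win32_shadowcopy", re.I)


def detect(events):
    """Return (alert_name, detail) tuples for events matching the advisory's indicators."""
    alerts = []
    encrt_writers = Counter()  # image -> number of .ENCRT files it created
    for ev in events:
        image = ev.get("image", "").lower()
        if ev["id"] == 1:
            if image.endswith("\\gunraransome.exe"):
                alerts.append(("gunra_process", image))
            if SHADOW_DELETE.search(ev.get("cmdline", "")):
                # WmiPrvSE.exe as parent means the command was launched through WMI.
                via_wmi = ev.get("parent", "").lower().endswith("wmiprvse.exe")
                name = "shadow_copy_deletion_via_wmi" if via_wmi else "shadow_copy_deletion"
                alerts.append((name, ev["cmdline"]))
        elif ev["id"] == 11:
            target = ev.get("target", "")
            if target.lower().endswith(".encrt"):
                encrt_writers[image] += 1
            if target.rsplit("\\", 1)[-1].upper() == "R3ADM3.TXT":
                alerts.append(("gunra_ransom_note", target))
    # One summary alert per process that wrote encrypted-extension files.
    for writer, n in encrt_writers.items():
        alerts.append(("encrt_file_writes", f"{writer} wrote {n} .ENCRT file(s)"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```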

Source:

  • https://cybernews.com/security/gunra-ransomware-american-hospital-dubai-breach/
  • https://www.cyfirma.com/research/gunra-ransomware-a-brief-analysis/
  • https://rewterz.com/threat-advisory/critical-threat-gunra-ransomware-targets-critical-sectors-worldwide-active-iocs

Ampcus Cyber