Gunra Ransomware Group Unveils Efficient Linux Variant
Summary:
The newly discovered Linux variant of Gunra ransomware marks a significant expansion in the group’s capabilities and cross-platform ambitions. First observed in April 2025, targeting Windows systems with techniques reminiscent of Conti ransomware, Gunra has now shifted toward broader targets by introducing a powerful Linux variant. This version is built for speed, flexibility, and stealth, capable of running up to 100 encryption threads in parallel and supporting partial encryption based on file size. Attackers can configure how much of a file is encrypted and whether to store RSA-encrypted keys in separate keystore files, offering more control and evasion options.
Since its emergence, Gunra has claimed victims across Brazil, Japan, Canada, Turkiye, South Korea, Taiwan, and the United States, targeting sectors such as manufacturing, healthcare, IT, agriculture, law, consulting, and government. The group made headlines in May 2025 after allegedly leaking 40 terabytes of data from a hospital in Dubai. Gunra’s leak site currently lists 14 victims, further showcasing its growing impact on global enterprise environments. Technically, the Linux variant of Gunra is feature-rich. It requires specific arguments at runtime, including a path to a PEM file containing an RSA public key. It then generates random ChaCha20 keys and nonces, encrypts files in 1MB chunks using the ChaCha20 algorithm, and encrypts the keys with RSA. The ransomware supports flexible parameters like --ratio and --limit to define how much of each file is encrypted and uses the --store flag to place RSA blobs into separate keystore files instead of appending them to encrypted files.
Security Officer Comments:
Gunra’s encryption process is sophisticated. It recursively scans target directories and processes file types either specified by extension or all files if configured to do so. Files that meet the criteria are encrypted and renamed with the “.ENCRT” extension. Uniquely, this variant does not drop a ransom note, differentiating itself from many other strains and suggesting a shift in tactics, possibly toward pure extortion via data theft and leaks rather than traditional ransom demands.
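As an added, defender-side illustration (not code from the Trend Micro report and not code from the Gunra binary), the following Python script triages a directory tree for the behaviour described in the two passages above: it locates files renamed with the `.ENCRT` extension and profiles each one in 1MB chunks, using Shannon entropy to separate fully encrypted files from partially encrypted ones such as a `--ratio`/`--limit`-style configuration would produce. The 7.5 bits-per-byte threshold, the sample file names and contents, and the chunk-by-chunk profiling are the example's own assumptions; the report describes 1MB ChaCha20 chunks but does not say where in a partially encrypted file the encrypted span lies, so the profiler is written to be layout-agnostic and the sample tree is constructed purely for the demo.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

CHUNK = 1024 * 1024       # the report describes 1MB encryption chunks
ENCRYPTED_EXT = ".ENCRT"  # extension the report says encrypted files are renamed to
HIGH_ENTROPY = 7.5        # bits/byte; assumed threshold, random data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def profile_file(path: Path, threshold: float = HIGH_ENTROPY) -> dict:
    """Walk the file in CHUNK-sized pieces and count how many look like ciphertext.

    Layout-agnostic: it does not assume where the encrypted span sits, only that
    ciphertext is close to uniformly random.
    """
    chunks = 0
    high = 0
    with path.open("rb") as fh:
        while True:
            piece = fh.read(CHUNK)
            if not piece:
                break
            chunks += 1
            if shannon_entropy(piece) >= threshold:
                high += 1
    if high == 0:
        verdict = "no high-entropy data"
    elif high == chunks:
        verdict = "fully encrypted"
    else:
        verdict = "partially encrypted"
    return {
        "path": str(path),
        "size": path.stat().st_size,
        "chunks": chunks,
        "high_entropy_chunks": high,
        "verdict": verdict,
    }


def triage(root: Path) -> list[dict]:
    """Recursively find files carrying the ransomware extension and profile each."""
    return [
        profile_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix == ENCRYPTED_EXT
    ]


def build_sample_tree(root: Path) -> None:
    """Constructed sample data for the demo; this is NOT real Gunra output.

    os.urandom stands in for ciphertext. The 'partially encrypted' sample puts the
    random span first purely for illustration; the report does not specify how
    --ratio/--limit lay out the encrypted portion of a file.
    """
    text = b"quarterly figures, nothing unusual to report\n" * 30000  # ~1.3 MB
    (root / "notes.txt").write_bytes(text)                                   # untouched
    (root / ("ledger.xlsx" + ENCRYPTED_EXT)).write_bytes(os.urandom(CHUNK + 4096))  # fully "encrypted"
    (root / ("backup.tar" + ENCRYPTED_EXT)).write_bytes(os.urandom(CHUNK) + text * 2)  # first 1MB only


def run_demo() -> list[dict]:
    """Build the sample tree in a temporary directory, triage it and return the reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        reports = triage(root)
    for r in reports:
        print(f"{r['verdict']:22} {r['high_entropy_chunks']}/{r['chunks']} chunks  {Path(r['path']).name}")
    return reports


if __name__ == "__main__":
    run_demo()
```

Treat the verdicts as triage hints rather than proof: archives, images and zip-based office documents are high-entropy before any encryption, and if the sample appends an RSA-encrypted key blob to the file rather than using `--store`, that blob also raises the entropy of the final chunk. The useful signal for an incident responder is the combination of the `.ENCRT` rename with a chunk profile that changes abruptly part-way through the file, which is what a size-based partial-encryption setting leaves behind.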
Suggested Corrections:
The following best practices can help mitigate ransomware risks:
- Audit and inventory assets, data, devices, and event and incident logs.
- Manage hardware and software configurations, and monitor network ports, protocols, and services.
- Activate security configurations on network infrastructure devices such as firewalls and routers.
- Conduct regular vulnerability assessments, update software and applications to latest versions, and perform patching or virtual patching for operating systems and applications.
- Regularly train and assess employees on security skills.
- Conduct red-team exercises and penetration tests.
- Use advanced detection technologies such as those powered by AI and machine learning.
Link(s):
https://www.trendmicro.com/en_us/research/25/g/gunra-ransomware-linux-variant.html