Summary:
- Gunra ransomware’s Linux variant broadens the group’s reach beyond Windows, showing the new group’s intent to expand beyond its original scope.
- The Linux variant shows notable features, including running up to 100 encryption threads in parallel and supporting partial encryption, with runtime parameters that let attackers control how much of each file gets encrypted. It also offers the option to keep RSA-encrypted keys in separate keystore files.
- Since its first observed activity in April 2025, Gunra ransomware has victimised enterprises from Brazil, Japan, Canada, Turkiye, South Korea, Taiwan, and the United States. Its victims include organisations from the manufacturing, healthcare, IT and agriculture sectors, as well as companies in law and consulting.
- Trend Vision One™ detects and blocks the indicators of compromise (IOCs) related to Gunra ransomware. Trend Vision One customers can also access hunting queries, threat insights, and threat intelligence reports to gain rich context and the latest updates on Gunra, including its Linux variant.
Gunra ransomware was first observed in April 2025 in a campaign that targeted Windows systems using techniques inspired by the infamous Conti ransomware. Our monitoring of the ransomware landscape revealed that threat actors behind Gunra have expanded with a Linux variant, signalling a strategic move toward cross-platform targeting.
The novel ransomware group has already made headlines after allegedly leaking 40 terabytes of data from a victim hospital in Dubai in May this year. Trend’s threat intelligence data detected Gunra ransomware activity in enterprises in Turkiye, Taiwan, the United States, and South Korea. Our data showed that the group attempted to victimise government organisations as well as enterprises in the healthcare, manufacturing, and transportation industries. Meanwhile, Gunra ransomware’s leak site claims successful attacks on enterprises in Brazil, Japan, Canada, Turkiye, and the United States, across industries such as manufacturing, law and consulting, healthcare, IT, and agriculture. Since it was first observed in April, the group has posted and claimed 14 victims on its leak site.
This blog explores the technical details, implications, and what we know so far about the newly discovered Gunra ransomware Linux variant. Details on the ransomware group’s initial access and propagation techniques will be added in later updates as they become available.
Execution
Gunra ransomware’s Linux variant requires several arguments at runtime. If none are supplied, it displays usage instructions; if one of the required arguments is not provided, it prompts the user to provide the missing input before continuing with its routine.



Upon execution, the Linux variant also displays its activity logs on the console.

Multi-Thread Encryption
Gunra ransomware’s Linux variant requires the operator to specify the number of encryption threads at runtime; the value is capped at 100. Our investigation confirmed that Gunra can run all 100 encryption threads successfully.
While other ransomware families also ship multi-threaded encryptors, the thread count is usually fixed and derived from the number of processors on the victim’s machine. Some, such as BERT ransomware, do allow the count to be configured, but have only been observed to permit up to 50 simultaneous threads. This Gunra update combines configurability with a higher ceiling, which shortens the window between execution and full encryption. The flip side for defenders is that a host running close to 100 encryption threads produces a dense burst of file reads, rewrites, and renames within seconds, which is exactly the kind of activity that file-integrity monitoring and EDR rename telemetry should flag.

The ransomware then enters a waiting loop that keeps the process alive until all encryption threads are done. It checks every 10 milliseconds whether any encryption threads are still running and terminates once all of them have completed their encryption tasks.

The ransomware also has a function, spawn_or_wait_thread, that manages how many files can be encrypted at the same time. When the ransomware wants to encrypt a file, this function first checks whether it is already running the maximum number of encryption threads set at execution; if so, it waits for a slot to free up before starting a new worker.
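To make the spawn-or-wait pattern concrete, here is an added Python example (not code from the Gunra sample or from Trend) of a bounded worker pool: the spawner blocks until fewer than the configured number of workers are running, and the waiter polls every 10 ms until every worker has exited. The class and function names, the 1 ms spawner back-off, the constructed file paths, and enforcing the 100-thread ceiling at construction time are this example's assumptions.

```python
import threading
import time

MAX_THREADS_CAP = 100   # reported ceiling for the configured thread count


class BoundedWorkers:
    """One worker thread per file, never more than `limit` running at once.

    Mirrors the pattern described above: the spawner blocks until a slot is
    free and the waiter polls every 10 ms until every worker has exited.
    Names and structure are this example's own, not the sample's.
    """

    def __init__(self, limit):
        if not 1 <= limit <= MAX_THREADS_CAP:
            raise ValueError("thread count must be between 1 and %d" % MAX_THREADS_CAP)
        self.limit = limit
        self._lock = threading.Lock()
        self._active = 0        # workers currently running
        self.peak = 0           # highest concurrency observed
        self.done = []          # paths finished, in completion order

    def _worker(self, path, work):
        try:
            work(path)
            with self._lock:
                self.done.append(path)
        finally:
            with self._lock:
                self._active -= 1  # release the slot even if work() raised

    def spawn_or_wait(self, path, work):
        # Block here until fewer than `limit` workers are running.
        while True:
            with self._lock:
                if self._active < self.limit:
                    self._active += 1
                    self.peak = max(self.peak, self._active)
                    break
            time.sleep(0.001)   # spawner back-off (assumed value)
        threading.Thread(target=self._worker, args=(path, work), daemon=True).start()

    def wait_all(self, poll_s=0.010):
        # Waiting loop: re-check every 10 ms whether any worker is still running.
        while True:
            with self._lock:
                if self._active == 0:
                    return list(self.done)
            time.sleep(poll_s)


def run_demo(n_files=12, limit=4, work_s=0.02):
    """Feed n_files constructed paths through a pool of `limit` workers.

    Returns (files processed, peak concurrency). Because each unit of work
    takes far longer than spawning, the peak climbs to the limit and never
    exceeds it.
    """
    pool = BoundedWorkers(limit)

    def fake_encrypt(path):
        time.sleep(work_s)      # stand-in for per-file encryption

    for i in range(n_files):
        pool.spawn_or_wait("/srv/data/file%02d.db" % i, fake_encrypt)   # constructed paths
    finished = pool.wait_all()
    return len(finished), pool.peak


if __name__ == "__main__":
    print(run_demo())
```

The defender-side takeaway is in the numbers: with `limit` near 100, the host sees up to 100 files opened, rewritten, and renamed concurrently, so rename-rate thresholds tuned for a human user will be exceeded almost immediately.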

Encryption Routine
Gunra ransomware’s Linux variant also requires, as runtime arguments, the paths to process and the file extensions to encrypt.

When configured with the value all, the ransomware encrypts every discovered file. Otherwise, it processes a comma-separated list of file extensions and encrypts only files matching the specified extensions.

If the target is a directory, it performs a recursive scan through all folders and subfolders to find files to encrypt. If the target is a regular file, it first checks whether the file has already been encrypted by looking for the .ENCRT extension, and skips it if so. In the case of a block device, encryption is attempted only if it was explicitly requested at runtime with the --exts=disc parameter.
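The selection rules above, as an added Python example (not the sample's own code): it parses the extension argument, walks directories recursively, skips files that already carry .ENCRT, and touches block devices only when `disc` appears in the extension list. The sample tree it builds is constructed for the demonstration, and treating `disc` as an ordinary extension token is an assumption about how the real binary parses that value.

```python
import os
import stat
import tempfile

ENCRYPTED_EXT = ".encrt"    # .ENCRT on disk; compared case-insensitively here


def parse_exts(value):
    """'all' selects every file; otherwise a comma-separated list of extensions."""
    value = value.strip()
    if value.lower() == "all":
        return None
    return {e.strip().lower().lstrip(".") for e in value.split(",") if e.strip()}


def wants_file(path, exts):
    """Decide whether a regular file is a target for the given extension set."""
    name = os.path.basename(path)
    # Already-encrypted files are identified by extension and skipped.
    if name.lower().endswith(ENCRYPTED_EXT):
        return False
    if exts is None:            # 'all'
        return True
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    return ext in exts


def select_targets(paths, exts_value):
    """Expand the runtime path list into the concrete files that would be encrypted."""
    exts = parse_exts(exts_value)
    selected = []
    for p in paths:
        try:
            st = os.lstat(p)
        except OSError:
            continue                    # missing path: nothing to do
        if stat.S_ISDIR(st.st_mode):
            for root, _dirs, files in os.walk(p):     # recursive scan
                for f in files:
                    fp = os.path.join(root, f)
                    if wants_file(fp, exts):
                        selected.append(fp)
        elif stat.S_ISREG(st.st_mode):
            if wants_file(p, exts):
                selected.append(p)
        elif stat.S_ISBLK(st.st_mode):
            # Block devices are only touched when the operator passed --exts=disc
            # (assumption: 'disc' is parsed like any other extension token).
            if exts is not None and "disc" in exts:
                selected.append(p)
    return sorted(selected)


def build_sample_tree():
    """Constructed sample layout for the demo; not from a real infection."""
    base = tempfile.mkdtemp(prefix="encrt-demo-")
    os.makedirs(os.path.join(base, "sub"))
    for rel in ("a.db", "b.txt", "c.db.ENCRT", os.path.join("sub", "d.sql")):
        with open(os.path.join(base, rel), "w") as fh:
            fh.write("sample")
    return base


def demo(exts_value):
    """Return the paths (relative to the sample tree) the selector would pick."""
    base = build_sample_tree()
    hits = select_targets([base], exts_value)
    return [os.path.relpath(h, base) for h in hits]


if __name__ == "__main__":
    print(demo("db,sql"))   # a.db and sub/d.sql
    print(demo("all"))      # everything except the already-encrypted c.db.ENCRT
```

Two details matter for response work: the already-encrypted check is purely by extension, so a second run over the same tree is a no-op on .ENCRT files, and the `all` value does not reach block devices, which need the explicit `disc` token.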



If the target files meet the criteria to encrypt, it starts the encryption worker thread encrypt_files_thread which calls hybrid_encrypt_file to perform the actual encryption.

Encrypted files are renamed to append the .ENCRT extension. Notably, Gunra ransomware’s Linux variant was observed not to drop a ransom note, which removes one of the most common on-disk indicators; the .ENCRT extension is the reliable artefact to hunt for instead.


Encryption Algorithm
One of the arguments required by the ransomware at runtime is a path to a PEM file that contains an RSA public key.

The ransomware combines RSA and ChaCha20 for its encryption algorithm. It generates random cryptographic materials including a random 32-byte ChaCha20 key, a 12-byte nonce, and 256 bytes of padding data.

The PEM file is then parsed to retrieve the RSA public key which will be used to encrypt the generated cryptographic materials.

For the actual file encryption, it uses the ChaCha20 stream cipher with the generated key and nonce to encrypt the file data in 1MB chunks. Partial encryption is controlled by two runtime parameters: -r or --ratio and -l or --limit together determine how much of each file gets encrypted. If neither is provided, the entire file is encrypted. A partially encrypted file still contains its original bytes beyond the encrypted portion, which helps responders identify what a file was, although it does not recover the encrypted part.

When the -s or --store parameter is provided, the ransomware stores the RSA-encrypted blob for each file in a separate keystore file instead of appending it to the encrypted file. Because that blob holds the only copy of the per-file ChaCha20 key and nonce, any later recovery depends on the keystore files surviving; responders should preserve them alongside the encrypted data rather than clean them up as leftover artefacts.



Conclusion and security recommendations
The newly discovered Gunra ransomware Linux variant significantly broadens the ransomware group’s range of attacks, signalling a clear intent to adapt and expand beyond its original scope. The move into Linux environments is the latest instance of a broader trend in the ransomware landscape: going cross-platform to widen reach and increase the pool of potential victims.
The Linux variant shows notable features, including running up to 100 encryption threads in parallel, supporting partial encryption, and letting attackers control how much of each file gets encrypted, which makes encryption faster and more flexible. Unlike the Windows version, it skips dropping a ransom note altogether and instead focuses purely on quick, configurable file encryption, including the option to keep RSA-encrypted keys in separate keystore files.
To protect systems against Gunra ransomware and similar ransomware threats, organisations should implement a comprehensive security strategy that systematically allocates resources to establish strong defences. The following best practices can help mitigate ransomware risks:
- Audit and inventory assets, data, devices, and event and incident logs.
- Manage hardware and software configurations, and monitor network ports, protocols, and services.
- Activate security configurations on network infrastructure devices such as firewalls and routers.
- Conduct regular vulnerability assessments, update software and applications to latest versions, and perform patching or virtual patching for operating systems and applications.
- Regularly train and assess employees on security skills.
- Conduct red-team exercises and penetration tests.
- Use advanced detection technologies such as those powered by AI and machine learning.
Proactive security with Trend Vision One™
Trend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralises cyber risk exposure management, security operations, and robust layered protection. This holistic approach helps enterprises predict and prevent threats, accelerating proactive security outcomes across their respective digital estate. With Trend Vision One, you’re enabled to eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation, especially in the cases of novel ransomware variants as in the one discussed in this blog.
Trend Vision One™ Threat Intelligence
To stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights, which provides the latest insights from Trend™ Research on emerging threats and threat actors.
Trend Vision One Threat Insights
Emerging Threats: Gunra Ransomware Goes Cross-Platform: From Windows to Linux
Trend Vision One Intelligence Reports (IOC Sweeping)
Gunra Ransomware Goes Cross-Platform: From Windows to Linux
Hunting Queries
Trend Vision One Search App
Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.
Gunra Ransomware Encrypted Files:
eventSubId:106 AND objectFilePath:/\.ENCRT$/
More hunting queries are available for Trend Vision One customers with Threat Insights entitlement enabled.
Indicators of Compromise (IoC)
Download the list of IoCs here.