New Gunra Ransomware Linux Variant Launches 100 Encryption Threads with Partial Encryption Feature


The Gunra ransomware group has expanded its targeting beyond Windows hosts by releasing a Linux variant of its encryptor; the ransomware was first observed in April 2025. This marks a significant escalation within the ransomware ecosystem.

This development underscores the group’s strategic pivot toward cross-platform targeting, inspired by predecessors like Conti ransomware.

Trend Micro’s threat intelligence has tracked Gunra’s activities across enterprises in Brazil, Japan, Canada, Turkiye, South Korea, Taiwan, and the United States, impacting sectors including manufacturing, healthcare, IT, agriculture, law, and consulting.

Notable incidents include the alleged exfiltration and leakage of 40 terabytes of data from a Dubai hospital in May 2025, alongside attempts against government entities and industries such as transportation.

With 14 victims claimed on its leak site since inception, Gunra demonstrates rapid proliferation.

Trend Micro analyzed the Linux variant with Trend Vision One, whose indicator-of-compromise (IOC) detection enables proactive blocking and supplies hunting queries, threat insights, and intelligence reports for added context.

Multi-Threaded Execution

According to the report, the Gunra Linux payload requires runtime arguments: it prints usage instructions when they are absent and prompts for any missing inputs before proceeding.

Usage options of Gunra ransomware’s Linux variant

Console logs detail its activities and reveal a configurable multi-threaded encryption mechanism capped at 100 parallel threads, well beyond typical ransomware such as BERT, which limits itself to 50.

The thread count is determined by processor availability or an explicit setting. A synchronization loop polls every 10 milliseconds and prevents the process from terminating until all threads complete; the spawn_or_wait_thread function enforces the thread limit during file encryption.
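The burst of encryption threads described above is itself a detectable signal on a Linux host. The following is an added detection example, not code from the article or from Trend Micro: it counts the per-thread directories Linux exposes under /proc/<pid>/task and flags processes that sit at or above a thread ceiling, or that gain many threads between two snapshots. The two snapshots in constructed_snapshots() are made up for the demonstration; snapshot_live() reads the real /proc tree and only works on Linux.

```python
"""Added detection example, not code from the article or from Trend Micro.
It looks for the behaviour described above (a process suddenly running
dozens of encryption threads) using the per-thread directories Linux keeps
under /proc/<pid>/task. The two snapshots in constructed_snapshots() are
made up for the demonstration; snapshot_live() reads the real /proc tree."""
import os

THREAD_CEILING = 50   # article: typical encryptors stop near 50 threads, Gunra allows 100
GROWTH_ALERT = 40     # threads gained between two consecutive snapshots


def snapshot_live() -> dict:
    """Return {pid: (comm, thread_count)} for every readable process (Linux only)."""
    snap = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm", encoding="utf-8", errors="replace") as fh:
                comm = fh.read().strip()
            nthreads = len(os.listdir(f"/proc/{entry}/task"))
        except OSError:
            continue  # process exited between listdir and read, or is not readable
        snap[int(entry)] = (comm, nthreads)
    return snap


def find_thread_bursts(before: dict, after: dict,
                       ceiling: int = THREAD_CEILING, growth: int = GROWTH_ALERT) -> list:
    """Flag processes that are at or above `ceiling` threads in the second
    snapshot, or that gained at least `growth` threads since the first.
    Returns sorted (pid, comm, threads_before, threads_after) tuples."""
    alerts = []
    for pid, (comm, now) in after.items():
        prev = before.get(pid, (comm, 0))[1]   # new process: treat as starting from 0
        if now >= ceiling or now - prev >= growth:
            alerts.append((pid, comm, prev, now))
    return sorted(alerts)


def constructed_snapshots() -> tuple:
    """Constructed sample data: a quiet host, then one unknown binary that
    spins up the 100 threads the article describes, plus a JVM that is
    legitimately busy with 60 threads."""
    before = {
        1: ("systemd", 1),
        1234: ("postgres", 12),
        4321: ("unknown-bin", 1),
    }
    after = {
        1: ("systemd", 1),
        1234: ("postgres", 14),
        4321: ("unknown-bin", 100),
        5555: ("java", 60),
    }
    return before, after


if __name__ == "__main__":
    before, after = constructed_snapshots()
    for pid, comm, prev, now in find_thread_bursts(before, after):
        print(f"ALERT pid={pid} comm={comm} threads {prev} -> {now}")
```

The constructed data deliberately includes a JVM with 60 threads: an absolute thread count alone will fire on Java services, browsers and databases, so in practice the growth signal should be paired with a second indicator such as a high rate of file renames to the .ENCRT suffix from the same process. On a live host, call snapshot_live() twice a few seconds apart and pass the two results to find_thread_bursts().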

Targeting requires specified paths and extensions; the “all” parameter encrypts indiscriminately, while comma-separated lists focus on select extensions.

Recursive directory traversal scans subfolders and skips files that are already encrypted (identified by the .ENCRT suffix); block devices are targeted only when explicitly flagged with --exts=disk.

The files encrypted by Gunra Ransomware

Encryption spawns worker threads that invoke hybrid_encrypt_file, rename outputs with the .ENCRT suffix, and optionally omit ransom notes for stealth.

At its core, the variant uses a hybrid scheme: RSA public-key encryption with a key supplied in a PEM file, combined with the ChaCha20 symmetric stream cipher.

It generates a 32-byte ChaCha20 key, a 12-byte nonce, and 256 bytes of padding, encrypts this material with the RSA public key, and then applies ChaCha20 to the file in 1 MB chunks.

Partial encryption is tunable via the --ratio and --limit parameters, which let the operator dictate how much of each file is encrypted for speed, while the --store option writes the RSA-encrypted blobs to dedicated keystore files rather than appending them to the encrypted file.
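The encryption scheme above leaves artifacts that responders can look for: the .ENCRT suffix, the sidecar files produced by --store, and, for partially encrypted files, a mix of 1 MB chunks that are ChaCha20 ciphertext and chunks that are still plaintext. The following added triage script is not code from the article, Trend Micro or the malware; it walks a directory, computes per-chunk Shannon entropy, and combines that with the name-based indicators. The keystore file name (".keystore") and all sample files are assumptions constructed for the demonstration.

```python
"""Added triage example for this article (not Trend Micro's or Gunra's code).
It looks for the artifacts the encryption scheme above leaves on disk: the
.ENCRT suffix, a sidecar keystore (the --store option), and the per-chunk
entropy pattern of partial encryption, where some 1 MB chunks are ChaCha20
ciphertext and the rest is untouched plaintext. The keystore file name and
all sample files are assumptions constructed for the demonstration."""
import math
import os
import secrets
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".ENCRT"     # suffix named in the article
CHUNK_SIZE = 1024 * 1024        # article: ChaCha20 applied in 1 MB chunks
HIGH_ENTROPY = 7.9              # bits per byte; random data scores close to 8.0
MIN_CHUNK = 4096                # ignore tiny trailing chunks, whose entropy is unreliable
KEYSTORE_SUFFIX = ".keystore"   # ASSUMPTION: the article does not name the --store files


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropy_profile(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Per-chunk (length, entropy) pairs in file order."""
    return [(len(data[i:i + chunk_size]), shannon_entropy(data[i:i + chunk_size]))
            for i in range(0, len(data), chunk_size)]


def classify_profile(profile: list) -> str:
    """'fully-encrypted', 'partially-encrypted', 'plaintext' or 'too-small'."""
    scored = [e >= HIGH_ENTROPY for n, e in profile if n >= MIN_CHUNK]
    if not scored:
        return "too-small"
    if all(scored):
        return "fully-encrypted"
    if any(scored):
        return "partially-encrypted"
    return "plaintext"


def triage_path(path: str) -> dict:
    """Name-based and content-based indicators for one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    profile = chunk_entropy_profile(data)
    return {
        "path": path,
        "encrt_suffix": path.endswith(ENCRYPTED_SUFFIX),
        "sidecar_keystore": os.path.exists(path + KEYSTORE_SUFFIX),
        "verdict": classify_profile(profile),
        "encrypted_chunks": sum(e >= HIGH_ENTROPY for n, e in profile if n >= MIN_CHUNK),
        "total_chunks": len(profile),
    }


def walk_and_triage(root: str) -> list:
    """Recursive scan mirroring the encryptor's own traversal; returns the
    records of every file that shows at least one indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(KEYSTORE_SUFFIX):
                continue                       # keystores are reported via their owner file
            rec = triage_path(os.path.join(dirpath, name))
            if rec["encrt_suffix"] or rec["sidecar_keystore"] or rec["verdict"] not in ("plaintext", "too-small"):
                hits.append(rec)
    return hits


def constructed_samples() -> dict:
    """Constructed data only: an untouched text file, a file whose first 1 MB
    was replaced by random bytes (the shape --ratio/--limit partial encryption
    produces), and a fully random file. No real malware output is involved."""
    plain = b"The quick brown fox jumps over the lazy dog.\n" * 60000   # about 2.6 MB
    partial = secrets.token_bytes(CHUNK_SIZE) + plain[CHUNK_SIZE:]
    full = secrets.token_bytes(len(plain))
    return {"plain": plain, "partial": partial, "full": full}


def demo() -> dict:
    """Write the samples into a temporary directory, scan it, and return the
    flagged records keyed by file name."""
    samples = constructed_samples()
    with tempfile.TemporaryDirectory() as tmp:
        files = {
            "notes.txt": samples["plain"],
            "db.sqlite" + ENCRYPTED_SUFFIX: samples["partial"],
            "backup.tar" + ENCRYPTED_SUFFIX: samples["full"],
        }
        for name, data in files.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        # sidecar keystore next to one file, as the --store option would leave (name assumed)
        with open(os.path.join(tmp, "db.sqlite" + ENCRYPTED_SUFFIX + KEYSTORE_SUFFIX), "wb") as fh:
            fh.write(secrets.token_bytes(256))
        return {os.path.basename(r["path"]): r for r in walk_and_triage(tmp)}


if __name__ == "__main__":
    for name, rec in demo().items():
        print(f"{name}: {rec['verdict']} ({rec['encrypted_chunks']}/{rec['total_chunks']} chunks), "
              f"suffix={rec['encrt_suffix']} keystore={rec['sidecar_keystore']}")
```

The entropy verdict is what makes this useful after the fact: a file that has been renamed back, or that was processed with a low --ratio, still shows one or more 1 MB chunks at close to 8 bits per byte next to chunks of ordinary plaintext. Already-compressed or encrypted formats (archives, media, disk images) score high everywhere and will read as "fully-encrypted", so the verdict should be weighed together with the suffix, the keystore sidecar and file-type knowledge rather than on its own.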

This flexibility accelerates operations and complicates recovery, marking Gunra as a potent evolution in ransomware tactics.

Defensive Strategies

This Linux adaptation exemplifies the ransomware trend toward platform-agnostic threats, amplifying potential victims by infiltrating diverse environments.

By prioritizing rapid, configurable encryption without ransom notes, Gunra focuses on disruption over negotiation, heightening risks for Linux-dependent infrastructures.

To counter such vectors, organizations must adopt layered defenses: conduct asset inventories and vulnerability assessments, enforce configuration management on network devices, apply timely patches or virtual patching, and integrate AI-driven detection tools.

Regular employee training, red-team simulations, and penetration testing further fortify resilience against Gunra and analogous threats, ensuring proactive mitigation in an evolving cyber landscape.
