Ransomware upstart Gunra goes cross-platform with encryption upgrades


Gunra ransomware was first spotted in April during a campaign aimed at Windows systems, employing tactics modeled after the notorious Conti ransomware.

Linux variant packs encryption upgrades

Unlike its Windows counterpart, the Linux build boasts highly configurable multi-threading, letting attackers spin up as many as 100 concurrent encryption threads — double that of similar ransomware like BERT.

“Gunra ransomware’s Linux variant requires configuration to specify the number of threads used for encryption, which is capped at 100,” Trend Micro said. “While other ransomware groups also equip their payloads with multi-thread encryption, it is usually fixed and based on the number of processors available in the victim’s machine.”

Victim files can be chosen by path or extension, or attackers can simply encrypt everything recursively. Files tagged with the “.ENCRT” extension, those already encrypted, are skipped. Interestingly, the Linux variant doesn’t drop a ransom note at all, leaving fewer clues behind.

The variant also supports partial encryption, allowing operators to encrypt portions of files for quicker attacks. “The algorithm supports partial encryption based on the ratio parameter provided upon execution, as indicated by the “-r” or “--ratio” parameter. The “-l” or the “--limit” parameter is used to control how much of the file gets encrypted. If no value is provided, the entire file is encrypted,” Trend Micro added.

Additionally, the variant offers flexible key-storage options for RSA-encrypted keys. Using the “-s” or “store” parameter makes the ransomware save each file’s RSA-encrypted blob in a separate keystore file rather than appending it to the encrypted file.
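With no ransom note to find, the “.ENCRT” extension described above is one of the few file-system artifacts left to alert on. The following is an added detection sketch, not code from the article or from Trend Micro: it flags any process that produces a burst of “.ENCRT” files within a short window. The event tuple format, the window and the threshold are assumptions to be adapted to whatever file-audit source is in use.

```python
from collections import defaultdict, deque

MARKER = ".encrt"        # extension the article says marks encrypted files (matched case-insensitively)
WINDOW_SECONDS = 10.0    # assumed tuning value
THRESHOLD = 20           # assumed tuning value

def build_sample_events():
    """Constructed sample events: (epoch_seconds, pid, operation, resulting_path)."""
    events = []
    # pid 4242: 40 files renamed to *.ENCRT within about 4 seconds
    for i in range(40):
        events.append((1000.0 + i * 0.1, 4242, "rename", f"/srv/data/doc{i}.pdf.ENCRT"))
    # pid 900: ordinary log rotation, never touches the marker extension
    for i in range(30):
        events.append((1000.0 + i * 0.1, 900, "create", f"/var/log/app.log.{i}"))
    # pid 77: a handful of marker files spread over several minutes
    for i in range(5):
        events.append((1000.0 + i * 60, 77, "create", f"/tmp/sample{i}.ENCRT"))
    return sorted(events)

def detect_encrt_bursts(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {pid: first_alert_time} for processes that produce at least
    `threshold` marker files inside any `window`-second span."""
    recent = defaultdict(deque)   # pid -> timestamps of recent marker-file events
    alerts = {}
    for ts, pid, op, path in sorted(events):
        if op not in ("create", "rename"):
            continue
        if not path.lower().endswith(MARKER):
            continue
        q = recent[pid]
        q.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and pid not in alerts:
            alerts[pid] = ts
    return alerts

if __name__ == "__main__":
    for pid, ts in detect_encrt_bursts(build_sample_events()).items():
        print(f"ALERT pid={pid} burst of {MARKER.upper()} files at t={ts}")
```

Keying the count to the process rather than the directory keeps the alert meaningful when encryption is spread recursively across many paths.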
