A complicated new Linux variant of Gunra ransomware has emerged, marking a big escalation within the menace group’s cross-platform capabilities since its preliminary discovery in April 2025.
The ransomware, which drew inspiration from the infamous Conti ransomware methods, has quickly expanded its operational scope past Home windows techniques to focus on Linux environments, demonstrating the group’s strategic evolution towards complete enterprise community compromise.
The Gunra ransomware group has already established a formidable presence within the cybercriminal panorama, with victims spanning throughout Brazil, Japan, Canada, Turkey, South Korea, Taiwan, and the USA.
The group’s aggressive ways turned notably evident in Could 2025 once they allegedly leaked 40 terabytes of delicate knowledge from a Dubai hospital, highlighting their willingness to focus on essential healthcare infrastructure.
The ransomware has efficiently compromised organizations throughout various sectors together with manufacturing, healthcare, info expertise, agriculture, regulation, and consulting providers.
Development Micro researchers recognized that the Linux variant represents a calculated enlargement technique, enabling the menace actors to focus on mixed-environment enterprises extra successfully.
Since its April debut, the ransomware group has claimed 14 victims on their leak website, demonstrating constant operational tempo and sufferer acquisition capabilities.
The variant’s refined design signifies substantial growth assets and technical experience inside the prison group.
Essentially the most notable technical development on this Linux variant is its unprecedented multi-threading functionality, supporting as much as 100 simultaneous encryption threads.
This represents a big enhancement over present ransomware households, with most variants limiting concurrent operations to 50 threads or basing thread allocation on out there processor cores.
The configurable threading system permits attackers to optimize encryption velocity based mostly on course system specs.
_int64_fastcall spawn_or_wait_thread(_int64 a1, _int64 a2, int a3, int a4, int a5, int a6)
{
printf(“Spawning thread for %sn”, a1, a3, a4, a5, a6, a2);
whereas (1)
{
pthread_mutex_lock(&thread_count_mutex);
if (*(v18+ 4100) > current_thread_count )
break;
pthread_mutex_unlock(&thread_count_mutex);
usleep(1000);
}
}
The ransomware employs a hybrid encryption scheme combining RSA and ChaCha20 algorithms, processing recordsdata in 1MB chunks for optimum efficiency.
Its partial encryption functionality, managed by ratio and restrict parameters, permits attackers to selectively encrypt parts of recordsdata, decreasing processing time whereas sustaining knowledge inaccessibility.
Keystore recordsdata that retailer the RSA encrypted blob (Supply – Development Micro)
The variant requires particular runtime arguments together with thread depend, goal paths, file extensions, encryption ratio, and RSA public key recordsdata.
Utilization: encryptor –threads= –path= –exts= –ratio= –keyfile= [–store=] [–limit=]
The recordsdata encrypted by Gunra Ransomware (Supply – Development Micro)
Encrypted recordsdata obtain the .ENCRT extension, with an non-obligatory keystore characteristic permitting RSA-encrypted keys to be saved individually from encrypted recordsdata.
Notably, in contrast to its Home windows counterpart, this Linux variant operates with out dropping conventional ransom notes, focusing purely on speedy, configurable file encryption.
Combine ANY.RUN TI Lookup together with your SIEM or SOAR To Analyses Superior Threats -> Strive 50 Free Trial Searches
