Gunra ransomware has introduced a new Linux variant that enhances encryption speed and customization, enabling attackers to use up to 100 parallel encryption threads and partial file encryption. The group has expanded its targets across multiple countries and industries, showcasing advanced cross-platform tactics to increase its reach. #GunraRansomware #LinuxRansomware #Conti
Keypoints
- Gunra ransomware’s Linux variant was first observed in April 2025, expanding the group’s attack scope beyond Windows systems.
- The Linux variant supports up to 100 parallel encryption threads, twice the configurable thread count of comparable ransomware such as BERT.
- The ransomware allows partial encryption of files with configurable ratios and encrypted key storage in separate keystore files.
- Victims span multiple countries including Brazil, Japan, Canada, Turkiye, South Korea, Taiwan, and the United States across sectors like manufacturing, healthcare, IT, agriculture, law, and consulting.
- The Linux variant does not drop a ransom note, focusing instead on fast and flexible file encryption.
- The encryption algorithm combines RSA public key cryptography with ChaCha20 stream cipher for efficient and secure encryption.
- Trend Vision One™ offers detection, blocking, and threat intelligence to protect organizations from Gunra ransomware activities.
MITRE Techniques
- [T1486] Data Encrypted for Impact – Gunra ransomware encrypts files using ChaCha20 and RSA to lock victims out. (‘encryption worker thread encrypt_files_thread which calls hybrid_encrypt_file to perform the actual encryption’)
- [T1059] Command and Scripting Interpreter – The Linux variant requires runtime arguments and displays usage and activity logs on the console (‘If none are supplied, it displays usage instructions; if one … it prompts the user to provide the missing input’)
- [T1071] Application Layer Protocol – Command-line parameters control encryption behavior, such as targeted paths and file extensions (‘requires specific file paths and file extensions to encrypt’)
- [T1560] Archive Collected Data – The ransomware stores RSA-encrypted keys in separate keystore files when the --store parameter is used (‘When the -s or --store parameter is provided, the ransomware stores the RSA-encrypted blob for each file in a separate keystore file’)
Indicators of Compromise
- [File Extension] Encrypted files are appended with the .ENCRT extension – example: encrypted documents with .ENCRT
- [File Name] Keystore files storing RSA-encrypted keys – example: separate keystore files created when using the --store parameter
- [Command Line Arguments] Usage of parameters such as --exts (file extensions), -r or --ratio (encryption ratio), and -s or --store (key storage) – examples seen in sample execution commands
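The command-line and file-extension indicators above translate directly into a host detection rule. The Python below is an added example, not code from the Trend Micro report: it runs over constructed, hypothetical EDR-style JSON events, and the event format, field names and alert thresholds are assumptions, while the flags and the .ENCRT extension come from the summary.

```python
import json
import re
from collections import Counter
from typing import Dict, List

# Indicators from the summary: the Linux variant is driven by runtime
# arguments (--exts, -r/--ratio, -s/--store) and appends .ENCRT to encrypted files.
FLAG_PATTERNS = {
    "exts": re.compile(r"(?:^|\s)--exts(?=[=\s]|$)"),
    "ratio": re.compile(r"(?:^|\s)(?:-r|--ratio)(?=[=\s]|$)"),
    "store": re.compile(r"(?:^|\s)(?:-s|--store)(?=[=\s]|$)"),
}
ENCRYPTED_EXT = ".ENCRT"

# Constructed sample telemetry in a hypothetical EDR JSON-lines format (not real logs).
SAMPLE_EVENTS = """
{"type":"exec","pid":4242,"cmdline":"/tmp/x --exts txt,docx,pdf -r 30 -s /srv/data"}
{"type":"rename","pid":4242,"path":"/srv/data/q1.pdf.ENCRT"}
{"type":"rename","pid":4242,"path":"/srv/data/q2.pdf.ENCRT"}
{"type":"rename","pid":4242,"path":"/srv/data/notes.txt.ENCRT"}
{"type":"exec","pid":5150,"cmdline":"rm -r /var/tmp/build"}
{"type":"exec","pid":5151,"cmdline":"ls -s /home"}
{"type":"rename","pid":5152,"path":"/home/u/report.ENCRT"}
"""

def matched_flags(cmdline: str) -> List[str]:
    """Names of the Gunra-style flags present in a command line."""
    return [name for name, pat in FLAG_PATTERNS.items() if pat.search(cmdline)]

def detect(events_jsonl: str, min_flags: int = 2, min_renames: int = 3) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for processes matching the indicators.

    A lone -r or -s is far too common to alert on (rm -r, ls -s), so the
    command-line rule requires at least `min_flags` of the three together;
    the file rule requires `min_renames` files renamed to .ENCRT by one pid.
    """
    alerts: Dict[int, List[str]] = {}
    renames: Counter = Counter()
    for line in events_jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev["type"] == "exec":
            flags = matched_flags(ev["cmdline"])
            if len(flags) >= min_flags:
                alerts.setdefault(ev["pid"], []).append("cmdline flags: " + ",".join(flags))
        elif ev["type"] == "rename" and ev["path"].endswith(ENCRYPTED_EXT):
            renames[ev["pid"]] += 1
    for pid, n in renames.items():
        if n >= min_renames:
            alerts.setdefault(pid, []).append(f"{n} files renamed to {ENCRYPTED_EXT}")
    return alerts

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

Only pid 4242 is reported in the sample: it both carries all three flags and renames several files to .ENCRT, while the benign `rm -r`, `ls -s` and the single stray rename stay below threshold.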
Read more: https://www.trendmicro.com/en_us/research/25/g/gunra-ransomware-linux-variant.html