The Gunra ransomware group, which emerged in April 2025, continues to expand its global operations with targeted attacks on Windows and Linux systems across multiple industries and geographic regions.
Recent investigations have uncovered critical vulnerabilities in the Linux variant that significantly undermine the group’s encryption security posture, revealing a stark contrast between the two platform-specific implementations.
Gunra uses a dual-format distribution strategy: an EXE version for Windows environments and an ELF version for Linux systems.
Like other organized ransomware groups, Gunra deploys its payloads to encrypt sensitive files, exfiltrate corporate data, and demand ransom payments, threatening public disclosure.
The group has demonstrated sophisticated operational capabilities, reportedly causing documented damage to organizations across multiple sectors, including confirmed incidents in Korea and beyond.
Technical Architecture and Encryption Methods
The Gunra ELF variant employs command-line arguments to configure its encryption behavior, requiring administrators to specify thread count, target paths, file extensions, encryption rates, and RSA public key file locations.
The malware can selectively encrypt files based on extension specifications or perform wholesale disk encryption when triggered with specific parameters. Notably, the ransomware excludes files with the “.encrt” extension and the “R3ADM3.txt” ransom note from its encryption process.
However, the technical implementation reveals a critical flaw in the ELF version’s cryptographic approach.
While the malware uses ChaCha20 for file and disk encryption, the random number generator used to generate encryption keys and nonce values exhibits severe cryptographic weaknesses.
The vulnerable function seeds rand() with the current time in seconds, causing the same seed value to be reused when multiple iterations execute within very short time intervals. This results in encryption keys and nonce values containing repeated byte sequences, rendering the cryptographic state fundamentally compromised.
Decryption Feasibility and Security Implications
Security researchers have demonstrated that weak random number generation enables successful brute-force decryption attacks.
By systematically testing all 256 possible byte values ranging from 0x00 to 0xFF, attackers or recovery specialists can identify the random numbers used during encryption and subsequently recover plaintext data with high probability.
This represents a significant deviation from cryptographic standards and renders the ELF variant substantially less secure than its Windows counterpart.
The Windows-based EXE version of Gunra demonstrates markedly superior encryption security. Rather than relying on rand(), the Windows variant uses the CryptGenRandom() API from the Cryptographic Service Provider to generate cryptographically secure random numbers.
Combined with the deployment of ChaCha8 instead of ChaCha20, the Windows version effectively prevents decryption attempts using conventional methods.
This divergence in security implementation raises questions about Gunra’s operational maturity and code quality assurance processes.
Organizations running Linux infrastructure should prioritize incident response protocols tailored explicitly to Gunra infections, as recovery options exist that would not be available for Windows-based attacks.
Meanwhile, Windows administrators should recognize that Gunra infections likely represent permanent data loss scenarios requiring robust backup strategies and threat prevention measures.MD5
IOCs
MD5
7dd26568049fac1b87f676ecfaac9ba0
9a7c0adedc4c68760e49274700218507
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
