Gunra Ransomware’s New Linux Variant Uses 100 Encryption Threads and Partial Encryption Feature

A newly discovered Linux variant of the Gunra ransomware is dramatically widening the group’s attack capabilities, integrating highly configurable multi-threaded encryption routines and advanced partial encryption techniques.

Originally observed targeting Windows systems in April 2025, Gunra’s operators have rapidly expanded their operations with this new variant, a move reflecting the trend among ransomware groups to pursue cross-platform infection strategies and maximize their reach.

Technical Features

The standout technical highlight of Gunra’s Linux version is its ability to utilize up to 100 encryption threads in parallel, a significant leap over most competing payloads that limit thread use to available CPU cores or cap at 50 threads.

[Figure: Usage options of Gunra ransomware’s Linux variant]

This configuration is determined at runtime, with encryption speed and resource use entirely controlled by the attackers through specific arguments.

The ransomware can be aimed at select file extensions or paths and can recursively scan entire directories; block devices are supported as manual targets as well.

Partial encryption capabilities further enhance the threat, allowing operators to specify the percentage of file data to encrypt and set limits for each operation, features aimed at both encryption efficiency and resistance to detection.

The encryption engine combines a randomly generated ChaCha20 key and nonce for fast, secure data scrambling, with the cryptographic material itself protected via a supplied RSA public key in PEM format.

Encrypted files receive the “.ENCRT” extension, with all cryptographic key material either embedded in the file or stored in separate keystore files, depending on operator preference.
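For defenders, partial encryption means a whole-file entropy check can understate how much of a file has been scrambled. The following is an added example, not code from the original report: it scores a file in fixed windows and also checks for the “.ENCRT” extension. The window size, entropy threshold, function names, and sample data are assumptions constructed for illustration.

```python
import math
import random
from collections import Counter

CHUNK = 4096              # assumed window size in bytes
HIGH_ENTROPY = 7.5        # assumed bits-per-byte cutoff for "looks encrypted"
ENCRYPTED_EXT = ".ENCRT"  # extension reported in the article

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(name: str, data: bytes) -> dict:
    """Score one file by extension, whole-file entropy and per-window entropy."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    high = sum(shannon_entropy(c) >= HIGH_ENTROPY for c in chunks)
    return {
        "renamed": name.endswith(ENCRYPTED_EXT),
        "whole_file_entropy": shannon_entropy(data),
        "high_chunk_fraction": high / len(chunks) if chunks else 0.0,
        # Some but not all windows look random: consistent with partial encryption.
        "mixed_content": 0 < high < len(chunks),
    }

def constructed_sample(encrypted_fraction: float, size: int = 16 * CHUNK) -> bytes:
    """Constructed test data: log-like text whose leading part is replaced by
    seeded pseudo-random bytes standing in for ciphertext."""
    line = b"2025-01-01 12:00:01 INFO service heartbeat ok\n"
    text = (line * (size // len(line) + 1))[:size]
    cut = int(size * encrypted_fraction)
    rng = random.Random(0)
    return bytes(rng.getrandbits(8) for _ in range(cut)) + text[cut:]

if __name__ == "__main__":
    # 0% = untouched file, 25% = partially encrypted, 100% = fully encrypted
    for frac in (0.0, 0.25, 1.0):
        print(frac, triage("report.log" + ENCRYPTED_EXT, constructed_sample(frac)))
```

Compressed or already-encrypted formats score high in every window, so the `mixed_content` flag is a triage signal to combine with the extension check and file-change telemetry, not a verdict on its own.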

[Figure: The files encrypted by Gunra ransomware]

Unlike many other ransomware strains, this Linux variant notably skips the typical ransom note, focusing exclusively on streamlined, silent, and configurable encryption.

This design choice underlines the group’s sophistication and appetite for more targeted extortion campaigns.

Attack Surface Expansion

Since its first appearance, Gunra ransomware has struck more than a dozen organizations, including major enterprises in Brazil, Japan, Canada, Turkiye, South Korea, Taiwan, and the United States.

Victims span manufacturing, healthcare, IT, agriculture, as well as legal and consulting sectors.

Notably, the ransomware group is believed to be behind a significant breach involving the exfiltration and public release of 40 terabytes of hospital data in Dubai this May, signifying the high stakes and global ambition associated with Gunra’s operations.

Security researchers monitoring the group confirm attempted intrusions into government, transportation, and private sector infrastructures across multiple regions, reinforcing the notion that Gunra’s actors are intent on expanding their regional and vertical reach.

According to the report, the group’s leak site continues to claim new victims, serving both as proof of impact and as a platform for ransom negotiation.

With the technical sophistication demonstrated by the Linux variant, defense against Gunra now requires more than the basics.

Security providers, including Trend Vision One, are deploying detection and blocking capabilities, with integrated threat hunting and contextual intelligence offerings to track and counteract Gunra’s activities.

Meanwhile, security professionals are urged to maintain rigorous asset inventories, keep hardware and software updated with prompt vulnerability patching, and harden network segments with secure configuration of firewalls and routers.

Regular staff awareness programs, red-team exercises, and adoption of modern, AI-driven detection platforms are recommended to meet the evolving ransomware threat landscape, where actors like the Gunra group are progressing from opportunistic Windows attacks to methodical, cross-OS campaigns.

Gunra’s shift into Linux is a stark reminder to bolster defenses and adapt security strategies for a rapidly diversifying ransomware ecosystem.

Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
