The AhnLab Security Intelligence Center (ASEC) has published an in-depth analysis of the Gunra ransomware group, which began operations in April 2025 and has since carried out continuous attacks across industries worldwide, including incidents reported in South Korea.
What makes Gunra stand out is its cross-platform targeting — distributing both a Windows executable (EXE) and a Linux ELF variant — as well as a critical cryptographic weakness in the Linux version that allows potential file recovery.
Gunra ransomware comes in two distinct formats: an .exe file targeting Windows systems and an .elf file targeting Linux environments. Both variants are designed to encrypt system data and exfiltrate sensitive files before threatening to publish them unless a ransom is paid.
ASEC notes that the Linux (ELF) variant accepts multiple runtime arguments, allowing operators to customize their attacks. For example, options such as --threads, --path, and --exts control the number of threads, encryption paths, and file extensions to target.
The malware’s flexibility enables attackers to choose between file-level encryption and full-disk encryption depending on the selected arguments. The report explains, “The encryption method can be broadly categorized into file encryption and disk encryption depending on the type of the path.”
Gunra employs the ChaCha20 encryption algorithm, generating a new key and nonce for each file or disk encryption task. However, the ELF variant’s key-generation logic introduces a fatal design flaw.
During reverse-engineering, AhnLab researchers discovered that Gunra’s ELF variant generates its encryption keys using an insecure random-number generator based on the C standard library functions time() and rand().
The report reveals that “the function that generates a random number receives the current time in seconds through the time() function and uses this to create a seed value to be used by the rand() function.” Because time() has one-second resolution, every key generated within the same second starts from the same seed, and the seed itself is nothing more than a predictable timestamp, so the rand() output, and with it the ChaCha20 key and nonce, can be reproduced by anyone who knows roughly when encryption took place.
This flaw lets security analysts, or victims, recover the encryption key by brute force: the key and nonce are fully determined by the seed, and the seed is a Unix timestamp in seconds, so the search runs over a narrow range of candidate seeds (for example, the seconds around an encrypted file's modification time) rather than over the 256-bit ChaCha20 key space. Each candidate seed regenerates a key and nonce that can be checked against a known plaintext prefix, such as a file signature, until the right one is found.
ASEC confirmed that “due to this weak random number generation method, files encrypted by the Gunra ransomware of this version can be decrypted with a high probability using the Brute Force technique.”
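To make the weakness concrete, here is an added example written for this article; it is not code from ASEC's report and does not reproduce the malware. It assumes the derivation the report describes (a one-second time() value seeds rand(), and key and nonce bytes are drawn from rand()), takes each byte as rand() & 0xFF (an assumption, the actual extraction is not shown on this page), uses standard RFC 8439 ChaCha20 with a 32-byte key, 12-byte nonce and block counter starting at 0, and searches seeds in a window around the file's modification time, accepting a candidate when it decrypts the first bytes to a known file signature. The sample "file" and timestamp are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Minimal RFC 8439 ChaCha20 (32-byte key, 12-byte nonce, 32-bit block counter),
 * included so the seed search runs against a real ChaCha20 keystream. */
#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define QR(a, b, c, d)                                   \
    a += b; d ^= a; d = ROTL32(d, 16);                   \
    c += d; b ^= c; b = ROTL32(b, 12);                   \
    a += b; d ^= a; d = ROTL32(d, 8);                    \
    c += d; b ^= c; b = ROTL32(b, 7);

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void chacha20_block(const uint8_t key[32], const uint8_t nonce[12],
                           uint32_t counter, uint8_t out[64]) {
    uint32_t s[16], x[16];
    s[0] = 0x61707865; s[1] = 0x3320646e; s[2] = 0x79622d32; s[3] = 0x6b206574;
    for (int i = 0; i < 8; i++) s[4 + i] = le32(key + 4 * i);
    s[12] = counter;
    for (int i = 0; i < 3; i++) s[13 + i] = le32(nonce + 4 * i);
    memcpy(x, s, sizeof x);
    for (int i = 0; i < 10; i++) {            /* 10 double rounds = 20 rounds */
        QR(x[0], x[4], x[8], x[12])  QR(x[1], x[5], x[9], x[13])
        QR(x[2], x[6], x[10], x[14]) QR(x[3], x[7], x[11], x[15])
        QR(x[0], x[5], x[10], x[15]) QR(x[1], x[6], x[11], x[12])
        QR(x[2], x[7], x[8], x[13])  QR(x[3], x[4], x[9], x[14])
    }
    for (int i = 0; i < 16; i++) {
        uint32_t v = x[i] + s[i];
        out[4 * i] = (uint8_t)v;             out[4 * i + 1] = (uint8_t)(v >> 8);
        out[4 * i + 2] = (uint8_t)(v >> 16); out[4 * i + 3] = (uint8_t)(v >> 24);
    }
}

/* XOR buf with the keystream from block counter 0; encryption and decryption are the same op. */
static void chacha20_xor(const uint8_t key[32], const uint8_t nonce[12], uint8_t *buf, size_t len) {
    uint8_t ks[64];
    uint32_t ctr = 0;
    for (size_t off = 0; off < len; off += 64, ctr++) {
        chacha20_block(key, nonce, ctr, ks);
        size_t n = (len - off < 64) ? len - off : 64;
        for (size_t i = 0; i < n; i++) buf[off + i] ^= ks[i];
    }
}

/* The weak derivation the report describes: a one-second timestamp seeds rand(),
 * and the key and nonce are read from rand(). Taking each byte as rand() & 0xFF is
 * an assumption of this demo; the malware's exact extraction is not reproduced here. */
static void weak_keygen(time_t seed, uint8_t key[32], uint8_t nonce[12]) {
    srand((unsigned)seed);
    for (int i = 0; i < 32; i++) key[i] = (uint8_t)(rand() & 0xFF);
    for (int i = 0; i < 12; i++) nonce[i] = (uint8_t)(rand() & 0xFF);
}

/* Search seeds within +/- window seconds of the file's mtime. A candidate is accepted
 * when it decrypts the first bytes of the ciphertext to a known plaintext prefix
 * (a file signature such as "%PDF"). Returns the seed, or -1 if none matches. */
static long recover_seed(const uint8_t *ct, size_t ctlen, const uint8_t *known, size_t knownlen,
                         time_t mtime, int window) {
    uint8_t key[32], nonce[12], buf[64];
    if (knownlen == 0 || knownlen > sizeof buf || knownlen > ctlen) return -1;
    for (long s = (long)mtime - window; s <= (long)mtime + window; s++) {
        weak_keygen((time_t)s, key, nonce);
        memcpy(buf, ct, knownlen);
        chacha20_xor(key, nonce, buf, knownlen);
        if (memcmp(buf, known, knownlen) == 0) return s;
    }
    return -1;
}

/* End-to-end demo on a constructed "file": encrypt with a seed taken from a fixed
 * timestamp, then recover that seed using only the ciphertext, a plausible mtime a few
 * seconds later, and the 4-byte PDF signature. Returns the recovered seed when the
 * regenerated key decrypts the whole buffer correctly, -1 otherwise. */
static long demo_recover(void) {
    const time_t real_seed = 1745000000;   /* constructed: a second in April 2025 */
    uint8_t plain[96] = "%PDF-1.7\n% constructed sample document body for the demo\n";
    uint8_t ct[96];
    uint8_t key[32], nonce[12];

    memcpy(ct, plain, sizeof ct);
    weak_keygen(real_seed, key, nonce);
    chacha20_xor(key, nonce, ct, sizeof ct);            /* victim side: file is now ciphertext */

    long found = recover_seed(ct, sizeof ct, (const uint8_t *)"%PDF", 4, real_seed + 3, 60);
    if (found < 0) return -1;
    weak_keygen((time_t)found, key, nonce);
    chacha20_xor(key, nonce, ct, sizeof ct);            /* analyst side: decrypt with recovered key */
    return memcmp(ct, plain, sizeof ct) == 0 ? found : -1;
}

int main(void) {
    long seed = demo_recover();
    if (seed < 0) { puts("seed not recovered"); return 1; }
    printf("recovered seed %ld (brute force over a 121-second window)\n", seed);
    return 0;
}
```

The search cost is the size of the timestamp window, not the size of the key: a 121-second window means 121 ChaCha20 block computations, which is why the report can speak of recovery "with a high probability". Two practical caveats: rand() is libc-specific, so the search must use the same C library the sample ran against (for the ELF variant, the glibc implementation), and a timestamp hint such as mtime is only an approximation of the moment the key was generated, so widen the window when the first pass fails.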
When encrypting individual files, Gunra first encrypts 1MB of data, then skips a set number of bytes determined by the --ratio argument before continuing encryption. This process repeats until the file’s encryption limit (set via --limit) is reached.
If the ransomware runs with the --store argument enabled, Gunra encrypts the ChaCha20 key using RSA and saves it to disk with a .keystore extension. If not, the key is appended directly to the end of the encrypted file.
For disk-level encryption, Gunra operates in a similar manner but applies the algorithm continuously across partitions when the “disk” value is passed.
Certain files, such as R3ADM3.txt and files ending with .encrt, are excluded from encryption to ensure ransom instructions remain readable.
Unlike its flawed Linux counterpart, the Windows version of Gunra employs ChaCha8 encryption and leverages the CryptGenRandom() API via the Windows Cryptographic Service Provider (CSP) to generate secure random numbers.
ASEC concludes that “the EXE version of Gunra ransomware uses the ChaCha8 encryption algorithm, and the key and nonce values are generated using the CryptGenRandom() API. This method generates random numbers in a cryptographically secure manner, making decryption virtually impossible.”
This difference means that while files encrypted by the Windows version are effectively irreversible, victims of the Linux variant have a realistic chance of recovery by brute-forcing the time-based seed, as long as they preserve the encrypted files (including the key material appended to them) and their timestamps.