The files encrypted by Gunra Ransomware | Image: Trend Micro
Trend Micro has issued a spotlight on the evolving Gunra ransomware, which has extended its reach to Linux-based systems, dramatically broadening its attack surface. The group—first observed in April 2025—has shown a “strategic move toward cross-platform targeting,” emulating techniques from notorious predecessors like Conti while incorporating powerful multi-thread encryption capabilities.
The Gunra ransomware group burst onto the scene earlier this year with high-profile attacks on Windows environments, including the alleged exfiltration of 40 terabytes of data from a Dubai hospital. Now, the emergence of a Linux variant underscores their ambition to dominate enterprise networks across platforms. According to Trend Micro:
“Gunra ransomware’s Linux variant broadens the group’s attack surface, showing the new group’s intent to expand beyond its original scope.”
What sets Gunra apart is its technical depth. The Linux variant supports up to 100 parallel encryption threads, significantly more than many of its contemporaries, like BERT ransomware, which supports only 50. This makes Gunra particularly fast and efficient at data destruction:
“Gunra can utilize up to 100 threads of encryption successfully,” Trend Micro confirms. “This update features both configurability and an increased number of threads for encryption, making it a powerful new variant.”
The ransomware also supports partial encryption, letting attackers fine-tune how much of each file is encrypted through a --ratio or --limit parameter.
Gunra employs hybrid encryption, blending RSA and ChaCha20. It generates a fresh ChaCha20 key, nonce, and padding for each file, then encrypts that key material with an RSA public key supplied at runtime via a .pem file. One particularly distinctive feature:
“When the --store parameter is provided, the ransomware stores the RSA-encrypted blob for each file in a separate keystore file instead of appending it to the encrypted file.”
This method not only complicates decryption for incident responders but also demonstrates a higher level of operational sophistication.
Interestingly, the Linux variant doesn’t leave behind a ransom note. This could be an intentional effort to frustrate detection mechanisms or a sign that data extortion is now the preferred business model. Trend Micro also notes:
“Encrypted files are renamed to append the .ENCRT extension,” which helps victims recognize affected data but provides little recourse for recovery.
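The partial-encryption option and the .ENCRT extension described above matter to responders because a file may only be partly overwritten. The following triage script is an added example written for this article, not Trend Micro's tooling: it walks a directory for .ENCRT files and estimates, from per-chunk Shannon entropy, what fraction of each file is ciphertext. The 4 KiB chunk size and 7.5 bits/byte threshold are assumptions chosen here, and the sample files are constructed in a temporary directory.

```python
import math
import random
import tempfile
from pathlib import Path

CHUNK_SIZE = 4096          # assumption: 4 KiB analysis window
CIPHERTEXT_ENTROPY = 7.5   # assumption: bits/byte; ChaCha20 output scores close to 8.0
EXTENSION = ".ENCRT"       # extension appended by the Gunra Linux variant


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def encrypted_fraction(path: Path, chunk_size: int = CHUNK_SIZE) -> float:
    """Fraction of fixed-size chunks whose entropy looks like ciphertext.

    With partial encryption only part of a file is overwritten, so a value well
    below 1.0 tells a responder the remainder may still hold recoverable plaintext.
    """
    high = total = 0
    with open(path, "rb") as fh:
        while block := fh.read(chunk_size):
            total += 1
            high += shannon_entropy(block) >= CIPHERTEXT_ENTROPY
    return high / total if total else 0.0


def triage_directory(root: Path) -> dict[str, float]:
    """Map every *.ENCRT file under root to its estimated encrypted fraction."""
    return {p.name: round(encrypted_fraction(p), 2)
            for p in sorted(root.rglob(f"*{EXTENSION}"))}


def build_constructed_samples(root: Path) -> None:
    """Constructed data: seeded random bytes stand in for ciphertext, text for plaintext."""
    rng = random.Random(1234)
    text = (b"Quarterly production report, line 7, all values nominal.\n" * 80)[:CHUNK_SIZE]
    # 4 of 16 chunks overwritten, as a low --ratio would leave it
    (root / ("report.xlsx" + EXTENSION)).write_bytes(rng.randbytes(4 * CHUNK_SIZE) + text * 12)
    (root / ("backup.tar" + EXTENSION)).write_bytes(rng.randbytes(16 * CHUNK_SIZE))  # fully encrypted
    (root / "notes.txt").write_bytes(text)  # untouched file, must be ignored by the triage


def demo() -> dict[str, float]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_samples(root)
        return triage_directory(root)


if __name__ == "__main__":
    for name, fraction in demo().items():
        print(f"{name}: ~{fraction:.0%} of chunks look encrypted")
```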
Since April 2025, Gunra ransomware has targeted enterprises in Brazil, Japan, Canada, Türkiye, South Korea, Taiwan, and the United States. Affected industries span manufacturing, healthcare, IT, law, consulting, and agriculture. Victim organizations include Fortune 500 companies and critical infrastructure providers.