Gunra Ransomware New Linux Variant Runs Up To 100 Encryption Threads With New Partial Encryption Feature

A sophisticated new Linux variant of Gunra ransomware has emerged, marking a significant escalation in the threat group’s cross-platform capabilities since its initial discovery in April 2025.

The ransomware, which drew inspiration from the notorious Conti ransomware techniques, has rapidly expanded its operational scope beyond Windows systems to target Linux environments, demonstrating the group’s strategic evolution toward comprehensive enterprise network compromise.

The Gunra ransomware group has already established a formidable presence in the cybercriminal landscape, with victims spanning across Brazil, Japan, Canada, Turkey, South Korea, Taiwan, and the United States.

The group’s aggressive tactics became particularly evident in May 2025 when they allegedly leaked 40 terabytes of sensitive data from a Dubai hospital, highlighting their willingness to target critical healthcare infrastructure.

The ransomware has successfully compromised organizations across diverse sectors including manufacturing, healthcare, information technology, agriculture, law, and consulting services.

Trend Micro researchers identified that the Linux variant represents a calculated expansion strategy, enabling the threat actors to target mixed-environment enterprises more effectively.

Since its April debut, the ransomware group has claimed 14 victims on their leak site, demonstrating consistent operational tempo and victim acquisition capabilities.

The variant’s sophisticated design indicates substantial development resources and technical expertise within the criminal organization.

The most notable technical advancement in this Linux variant is its unprecedented multi-threading capability, supporting up to 100 simultaneous encryption threads.

This represents a significant enhancement over existing ransomware families, with most variants limiting concurrent operations to 50 threads or basing thread allocation on available processor cores.

The configurable threading system allows attackers to optimize encryption speed based on target system specifications.

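// Decompiler output (excerpt) as shown in the article; v18 is declared outside this excerpt.
__int64 __fastcall spawn_or_wait_thread(__int64 a1, __int64 a2, int a3, int a4, int a5, int a6)
{
    printf("Spawning thread for %s\n", a1, a3, a4, a5, a6, a2);
    // Poll every 1000 microseconds until the running thread count is below the limit at *(v18 + 4100).
    while (1)
    {
        pthread_mutex_lock(&thread_count_mutex);
        if (*(v18 + 4100) > current_thread_count)
            break;
        pthread_mutex_unlock(&thread_count_mutex);
        usleep(1000);
    }
}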

The ransomware employs a hybrid encryption scheme combining RSA and ChaCha20 algorithms, processing files in 1MB chunks for optimal performance.

Its partial encryption capability, controlled through ratio and limit parameters, allows attackers to selectively encrypt portions of files, reducing processing time while maintaining data inaccessibility.

Keystore files that store the RSA encrypted blob (Source – Trend Micro)

The variant requires specific runtime arguments including thread count, target paths, file extensions, encryption ratio, and RSA public key files.

Usage: encryptor --threads= --path= --exts= --ratio= --keyfile= [--store=] [--limit=]

The files encrypted by Gunra Ransomware (Source – Trend Micro)

Encrypted files receive the .ENCRT extension, with an optional keystore feature allowing RSA-encrypted keys to be stored separately from encrypted files.

Notably, unlike its Windows counterpart, this Linux variant operates without dropping traditional ransom notes, focusing purely on rapid, configurable file encryption.
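Because no ransom note is dropped, detection has to rely on the process arguments and the .ENCRT extension described above. The following sketch is an added example, not code from the article or from Trend Micro; the sample telemetry, argument values, binary paths and the burst threshold are constructed assumptions.

```python
import shlex
from collections import Counter

# Flag names taken from the usage string quoted in the article.
REQUIRED = {"--threads", "--path", "--exts", "--ratio", "--keyfile"}
OPTIONAL = {"--store", "--limit"}
ENCRYPTED_SUFFIX = ".ENCRT"  # extension named in the article


def match_cmdline(cmdline):
    """Return the parsed flag values if every required flag is present, else None."""
    flags = {}
    for token in shlex.split(cmdline)[1:]:
        name, sep, value = token.partition("=")
        if sep and name in REQUIRED | OPTIONAL:
            flags[name] = value
    return flags if REQUIRED.issubset(flags) else None


def encrt_bursts(created_paths, threshold=3):
    """Directories where at least `threshold` .ENCRT files were created (threshold is an assumption)."""
    counts = Counter()
    for path in created_paths:
        if path.endswith(ENCRYPTED_SUFFIX):
            counts[path.rsplit("/", 1)[0]] += 1
    return {d: n for d, n in counts.items() if n >= threshold}


def scan(cmdlines, created_paths):
    """Combine both signals: matching command lines and per-directory .ENCRT bursts."""
    hits = [(c, f) for c in cmdlines if (f := match_cmdline(c)) is not None]
    return hits, encrt_bursts(created_paths)


# Constructed sample telemetry (not real logs); all paths and values are made up.
SAMPLE_CMDLINES = [
    "/opt/app/bin/worker --threads=4 --path=/srv",  # hypothetical benign tool, partial overlap only
    "/tmp/x --threads=100 --path=/srv/data --exts=db,log --ratio=10 "
    "--keyfile=/tmp/pub.pem --store=/tmp/ks",
    "/usr/bin/tar --exclude=.cache -czf /backup/home.tgz /home",
]
SAMPLE_CREATED = [
    "/srv/data/a.db.ENCRT", "/srv/data/b.db.ENCRT", "/srv/data/c.log.ENCRT",
    "/home/u/notes.txt", "/var/log/app.ENCRT",
]

if __name__ == "__main__":
    hits, bursts = scan(SAMPLE_CMDLINES, SAMPLE_CREATED)
    for cmd, flags in hits:
        print("suspicious process:", cmd.split()[0], "threads =", flags["--threads"])
    print("directories with .ENCRT bursts:", bursts)
```

Requiring the full set of mandatory flags keeps a single shared option such as --threads from triggering on unrelated tools.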

The post Gunra Ransomware New Linux Variant Runs Up To 100 Encryption Threads With New Partial Encryption Feature appeared first on Cyber Security News.

Source: cybersecuritynews.com –
