A new Linux variant of the “Gunra” ransomware family has been identified with highly configurable multithreading, allowing attackers to run up to 100 parallel encryption threads.

Trend Micro research found that the emerging threat group, which has already claimed 14 victims spanning healthcare, manufacturing, and IT, has rolled out a new ransomware variant with significant upgrades, including multi-threaded encryption, partial file encryption, and separate storage for RSA keys.

“Trend’s threat intelligence data detected activity from Gunra ransomware in enterprises from Turkiye, Taiwan, the United States, and South Korea,” Trend Micro said in a blog post. “Our monitoring of the ransomware landscape revealed that threat actors behind Gunra have expanded with a Linux variant, signaling a strategic move toward cross-platform targeting.”

Gunra ransomware was first spotted in April during a campaign aimed at Windows systems, employing tactics modeled after the notorious Conti ransomware.

Linux variant packs encryption upgrades

Unlike its Windows counterpart, the Linux build boasts highly configurable multi-threading, letting attackers spin up as many as 100 concurrent encryption threads — double that of similar ransomware like BERT.

“Gunra ransomware’s Linux variant requires configuration to specify the number of threads used for encryption, which is capped at 100,” Trend Micro said. “While other ransomware groups also equip their payloads with multi-thread encryption, it is usually fixed and based on the number of processors available in the victim’s machine.”

Victim files can be selected by path or extension, or attackers can simply encrypt everything recursively. Files already carrying the “.ENCRT” extension, i.e. those already encrypted, are skipped. Interestingly, the Linux variant doesn’t drop a ransom note at all, leaving fewer clues behind.

The variant also supports partial encryption, allowing operators to encrypt portions of files for quicker attacks. “The algorithm supports partial encryption based on the ratio parameter provided upon execution, as indicated by the ‘-r’ or ‘--ratio’ parameter. The ‘-l’ or the ‘--limit’ parameter is used to control how much of the file gets encrypted. If no value is provided, the entire file is encrypted,” Trend Micro added.

Additionally, the variant offers flexible key-storage options for RSA-encrypted keys. Using the “-s” or “store” parameter makes the ransomware save each file’s RSA-encrypted blob in a separate keystore file rather than appending it to the encrypted file.
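The partial-encryption option matters for incident response because a file encrypted only up to a ratio or limit may still contain recoverable plaintext, and the amount left behind varies per file. As an added example, not Trend Micro's tooling and not code from the Gunra payload, the following Python script walks a directory, finds files carrying the “.ENCRT” extension reported above, and profiles each one chunk by chunk with Shannon entropy to estimate what fraction of the file was actually encrypted. The extension comes from the report; the chunk size, the 7.5-bit threshold and the sample files it builds for itself are assumptions.

```python
"""Triage helper: estimate how much of each .ENCRT file is actually encrypted.

Partial encryption leaves plaintext runs behind. Chunk-wise Shannon entropy
separates random-looking encrypted regions from untouched ones, so the
fraction of high-entropy chunks approximates the encrypted share of a file.
Added example; chunk size and threshold are assumptions, not Gunra constants.
"""
import math
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".ENCRT"   # extension reported for Gunra's Linux variant
CHUNK_SIZE = 4096          # assumption: granularity of the entropy profile
ENTROPY_THRESHOLD = 7.5    # assumption: bits/byte above which a chunk looks encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a uniform byte spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(path: str, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size chunk, in file order."""
    profile = []
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            profile.append(shannon_entropy(chunk))
    return profile


def encrypted_fraction(path: str) -> float:
    """Fraction of chunks that look encrypted: 1.0 = whole file, below 1.0 = partial."""
    profile = entropy_profile(path)
    if not profile:
        return 0.0
    high = sum(1 for e in profile if e >= ENTROPY_THRESHOLD)
    return high / len(profile)


def triage(root: str) -> dict:
    """Map each .ENCRT file under root (path relative to root) to its encrypted fraction."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(ENCRYPTED_EXT):
                full = os.path.join(dirpath, name)
                results[os.path.relpath(full, root)] = encrypted_fraction(full)
    return results


def make_sample_dir() -> str:
    """Constructed sample data, not a real Gunra artefact: a file whose first
    quarter is random (what a 25% ratio would leave), a fully random file, and
    a plaintext file without the extension that triage must ignore."""
    root = tempfile.mkdtemp(prefix="encrt_triage_")
    plaintext = b"quarterly revenue figures\n" * 4096           # low-entropy filler
    partial = os.urandom(CHUNK_SIZE * 4) + plaintext[: CHUNK_SIZE * 12]  # 4 of 16 chunks random
    samples = {
        "report.pdf.ENCRT": partial,
        "db.sqlite.ENCRT": os.urandom(CHUNK_SIZE * 8),
        "notes.txt": plaintext,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for path, frac in sorted(triage(make_sample_dir()).items()):
        kind = "full" if frac == 1.0 else "partial" if frac > 0 else "none"
        print(f"{path}: {frac:.0%} of chunks look encrypted ({kind})")
```

On a real host point `triage()` at the affected mount rather than the constructed directory; files reporting well under 100% are candidates for plaintext carving before any restore decision is made.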

Gunra follows wider ransomware suit

Trend Micro frames Gunra’s shift to Linux as part of a broader trend in the ransomware landscape, with many groups “going cross-platform to widen and expand their reach, increasing potential victims.”

From mid-2022 to early 2023, several ransomware families, including BlackBasta, Hive, Luna, and Clop, released Linux encryptors designed specifically for VMware ESXi platforms.

Targeting multi-OS environments is raising the stakes for enterprises with hybrid infrastructure. Trend Micro recommends tightening asset inventories, hardening configurations, patching systems promptly, and enabling robust endpoint detection across both Windows and Linux systems. The group’s growing impact was underscored by its recent breach of American Hospital Dubai, where Gunra reportedly leaked around 40 TB of sensitive data, marking one of its largest known attacks to date.
