Thursday, April 16, 2026

Gunra Ransomware’s Latest Linux Variant – 100 Encryption Threads & New Partial Encryption Feature

A new Linux variant of Gunra ransomware has been detected, broadening the targets of this recently emerged threat group and marking an aggressive expansion beyond its original Windows-based attacks.

Since its first discovery in April 2025, Gunra has targeted enterprises across Brazil, Japan, Canada, Türkiye, South Korea, Taiwan, and the United States, affecting sectors such as manufacturing, healthcare, IT, agriculture, law, and consulting.

The new Linux variant comes amid headline-grabbing allegations, such as the leak of 40 terabytes of data from a Dubai hospital, demonstrating Gunra’s increasing boldness and technical prowess.

Trend Micro reports that Gunra has already posted claims of 14 victims in just a few months.

Technical Deep Dive – Parallelism, Precision, and Speed

The standout features of Gunra’s Linux variant are its scalability and configurability, catering to highly optimized, rapid attacks.

It supports up to 100 parallel encryption threads, a significant leap over most prior ransomware strains and even most competitors, such as BERT ransomware, which caps at 50 threads.

The number of threads can be defined at runtime, boosting encryption speed on high-resource Linux servers.

Another distinguishing capability is its granular control over encryption.

Attackers can choose which file extensions or directory paths to target and, through customizable “ratio” and “limit” parameters, whether to encrypt entire files or only portions of them, enhancing both stealth and efficiency in high-value data heists.

Gunra’s Linux payload leverages hybrid encryption, combining RSA (for key protection) and ChaCha20 (for data encryption).

The encryption keys are generated per file, with an option to save the RSA-encrypted key in a separate keystore file, which makes recovery attempts more difficult.

[Figure: The files encrypted by Gunra Ransomware]

Encrypted files are tagged with a “.ENCRT” extension and, interestingly, no ransom note is dropped, suggesting a focus on speed and automation over negotiation.
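For triage, the partial-encryption option and the “.ENCRT” tag described above mean a whole-file entropy check can miss an affected file, while a per-chunk profile still shows the encrypted region. The Python sketch below is an added example, not code from Trend Micro's report or from the malware; the chunk size, the threshold, the file name and the sample bytes are assumptions constructed for illustration.

```python
import math
import random

CHUNK = 4096         # bytes per entropy window (assumed value)
HIGH_ENTROPY = 7.5   # bits per byte; ciphertext sits near 8.0 (assumed threshold)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def chunk_profile(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each fixed-size chunk of the file."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]

def classify(name: str, data: bytes) -> dict:
    """Summarise one file: extension match plus whole-file and per-chunk entropy."""
    profile = chunk_profile(data)
    high = sum(1 for e in profile if e >= HIGH_ENTROPY)
    return {
        "encrt_ext": name.upper().endswith(".ENCRT"),
        "whole_entropy": shannon_entropy(data),
        "high_chunks": high,
        "total_chunks": len(profile),
        # Some but not all chunks look like ciphertext: consistent with partial encryption.
        "partial": 0 < high < len(profile),
    }

def sample_file() -> bytes:
    """Constructed sample: 4 pseudo-random chunks, then 12 chunks of log text."""
    rng = random.Random(0)
    head = bytes(rng.getrandbits(8) for _ in range(4 * CHUNK))
    text = (b"2025-01-01 00:00:00 INFO service heartbeat ok\n" * 100)[:CHUNK]
    return head + text * 12

if __name__ == "__main__":
    report = classify("orders.db.ENCRT", sample_file())  # constructed file name
    print(report)
```
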

Security Recommendations

The rise of sophisticated, highly configurable Linux ransomware like Gunra’s variant underscores the importance of layered security.

Experts recommend a proactive posture: thorough asset inventory, network segmentation, rigorous patching, regular security training for employees, and use of advanced, AI-driven detection tools.

Organizations should enable strong security configurations on infrastructure devices, maintain tight software controls, and practice robust incident response.

Solutions like Trend Vision One™, which integrate threat intelligence and risk management, are critical in detecting indicators of compromise and accelerating the containment of novel threats.

As cybercriminals rush to exploit new platforms and techniques, defenders must keep pace or risk falling victim to attacks designed for speed, adaptability, and maximum impact.
