A sophisticated new Linux variant of Gunra ransomware has emerged, marking a significant escalation in the threat group’s cross-platform capabilities since its initial discovery in April 2025. The ransomware, which drew inspiration from the notorious Conti ransomware techniques, has rapidly expanded its operational scope beyond Windows systems to target Linux environments, demonstrating the group’s strategic evolution toward comprehensive enterprise network compromise.

The Gunra ransomware group has already established a formidable presence in the cybercriminal landscape, with victims spanning Brazil, Japan, Canada, Turkey, South Korea, Taiwan, and the United States. The group’s aggressive tactics became particularly evident in May 2025 when it allegedly leaked 40 terabytes of sensitive data from a Dubai hospital, highlighting its willingness to target critical healthcare infrastructure. Since its April debut, the group has claimed 14 victims on its leak site, demonstrating a consistent operational tempo and victim acquisition capability. The ransomware has successfully compromised organizations across diverse sectors including manufacturing, healthcare, information technology, agriculture, law, and consulting services.

Trend Micro researchers identified that the Linux variant represents a calculated expansion strategy, enabling the threat actors to target mixed-environment enterprises more effectively. The variant requires specific runtime arguments including thread count, target paths, file extensions, encryption ratio, and RSA public key files. It employs a hybrid encryption scheme combining RSA and ChaCha20, processing files in 1MB chunks for optimal performance. Its partial encryption capability, controlled through ratio and limit parameters, allows attackers to selectively encrypt portions of files, reducing processing time while still rendering the data inaccessible. Notably, unlike its Windows counterpart, this Linux variant operates without dropping traditional ransom notes, focusing purely on rapid, configurable file encryption.

The most notable technical advancement in this Linux variant is its unprecedented multi-threading capability, supporting up to 100 simultaneous encryption threads. This represents a significant enhancement over existing ransomware families, most of which limit concurrent operations to 50 threads or base thread allocation on the number of available processor cores. The configurable threading system allows attackers to tune encryption speed to the target system’s specifications.
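As a defender's triage heuristic prompted by the partial-encryption and 1MB-chunk details above (an added example, not code from the article or from Trend Micro): it scores each 1 MiB chunk of a file by Shannon entropy and flags files whose chunks mix near-random and ordinary data, the footprint a ratio-limited encryptor leaves behind. The entropy thresholds and the constructed sample buffers are assumptions.

```python
import math
import os
import sys
from collections import Counter

CHUNK_SIZE = 1024 * 1024  # 1 MiB: the per-file chunk size reported for the Gunra Linux variant
# Thresholds (bits per byte) are assumptions for this example: encrypted data scores near 8.0,
# ordinary text or structured data usually well below 6.0.
HIGH_ENTROPY = 7.5
LOW_ENTROPY = 6.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def chunk_entropy_profile(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each consecutive chunk, mirroring the encryptor's chunking."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]

def classify(profile: list) -> str:
    """'encrypted' if every chunk is high-entropy, 'partial' when high- and
    low-entropy chunks are mixed (the ratio/limit pattern), otherwise 'plain'."""
    if not profile:
        return "empty"
    high = sum(e >= HIGH_ENTROPY for e in profile)
    low = sum(e <= LOW_ENTROPY for e in profile)
    if high == len(profile):
        return "encrypted"
    if high and low:
        return "partial"
    return "plain"

def build_samples() -> dict:
    """Constructed buffers for testing; random bytes stand in for ChaCha20 output."""
    text = (b"The quick brown fox jumps over the lazy dog. " * 24000)[:CHUNK_SIZE]
    return {
        "plain": text * 3,
        "encrypted": os.urandom(3 * CHUNK_SIZE),
        "partial": os.urandom(CHUNK_SIZE) + text * 2,  # first 1 MiB encrypted, rest untouched
    }

if __name__ == "__main__":  # usage: python3 scan_partial.py FILE...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify(chunk_entropy_profile(fh.read())))
```

Natively compressed or already-encrypted formats (archives, media, disk images) score high throughout and must be excluded by file type before trusting an "encrypted" verdict. If the encryptor touches only part of each chunk rather than whole chunks, rerun with a smaller `chunk_size` so the scan window matches the encrypted region.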
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 31 Jul 2025 07:45:20 +0000