Gunra's Linux Variant: A Scalable, Multi-Threaded Encryption Threat

The release of a Linux variant of the Gunra ransomware marks a significant step in the group's evolution and a deliberate shift toward cross-platform targeting, aimed at broadening its victim base across critical sectors worldwide. Gunra first surfaced in April 2025 as a Windows-only operation; the Linux build shows considerable technical sophistication, including support for up to 100 encryption threads, selective and partial file encryption, and the option to store RSA-encrypted file keys separately from the encrypted data for stealth and control. The Linux edition drops ransom notes altogether, trading them for speed, configurability, and efficiency, which allows faster and more adaptable attacks on enterprise systems in sectors such as healthcare, manufacturing, IT, and government. This development underlines the urgent need for enterprises to strengthen cross-platform protection through proactive patching, network segmentation, immutable backups, and AI-driven threat detection platforms.

Technical Description

The Linux build of Gunra supports up to 100 concurrent encryption threads and lets the operator specify target paths, file extensions, and an encryption ratio for partial or complete locking of each file, demonstrating advanced technical proficiency. It uses a hybrid RSA and ChaCha20 scheme that generates a distinct key and nonce for every file; the RSA-encrypted key material can be stored either inside the encrypted file or in separate keystore files. Driven entirely by command-line options, the binary recursively scans directories and checks each file's state before encrypting it, so already-encrypted files are skipped. Notably, it drops no ransom note, which keeps the run fast and quiet. The details of the attack campaign are discussed below.

Delivery and Infection Chain:

The Linux version of Gunra ships as a configurable command-line binary that requires runtime parameters (the PEM path, target paths and extensions, thread count, ratio or limit, the store flag, and so on). If any required argument is missing, it prints usage instructions and waits for input; while running, it writes activity logs to the console. The payload can target regular files, directories (scanned recursively) and, when a disk parameter is explicitly enabled, block devices. The infection chain was identified as follows:

  • Delivered as a binary that requires runtime inputs from the attacker; the earlier Windows campaigns used techniques influenced by Conti.
  • Executed on the target machine with the supplied PEM file, target paths and extensions, thread count, and encryption settings.
  • Identifies eligible files by recursively scanning directories and block devices, skipping files that already carry the .ENCRT extension.
  • Spawns up to 100 worker threads that encrypt files concurrently with the hybrid ChaCha20/RSA scheme.
  • Optionally saves the RSA-encrypted keys in separate keystore files for stealth and recovery control, logs activity to the console, and waits for all threads to finish before exiting.

Technical Capabilities:

The Linux version of the Gunra ransomware is a highly configurable command-line binary built for precision and speed. Its required runtime arguments include the path to an RSA PEM file used to wrap the file keys, the file extensions to target, the number of encryption threads (up to 100), and the paths of the files or directories to encrypt. If any required argument is missing, the binary prints usage instructions and waits for input. Once running, it recursively scans directories and devices, skips files that already carry the .ENCRT extension, and logs every action to the console. Concurrency is controlled by a spawn_or_wait_thread function that caps the number of live encryption threads at the configured maximum and synchronizes completion with a 10-millisecond polling loop.

The ransomware uses a hybrid encryption approach: file data is encrypted in 1 MB chunks with ChaCha20, and the ChaCha20 key and associated cryptographic metadata are then protected with RSA. The -s/--store option writes the RSA-encrypted blobs to separate keystore files instead of appending them to the encrypted files, and the -r/--ratio and -l/--limit arguments let the attacker tune partial encryption. Together with selective file targeting and adjustable multi-threading, this stealthy, modular design reduces the chance of immediate discovery and allows fast encryption of large environments. Externalized key storage and the absence of ransom notes complicate recovery and forensic analysis, reflecting a professional, enterprise-focused approach to cross-platform ransomware operations.
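The chunked ChaCha20 layout and the --ratio/--limit options described above are what make partial encryption hard to recover from: a file may be unreadable while most of its bytes are untouched. As an added example (not code from the page, from Gunra, or from any vendor), the Python below maps per-chunk Shannon entropy across a file using the 1 MB chunk size the page reports, flags chunks that look encrypted, estimates the ratio that was applied, and lists the byte ranges still likely to be plaintext. The 7.5 bit/byte threshold, the constructed sample data, and the smaller chunk size used for the sample are assumptions; nothing here parses Gunra's appended key blob or keystore format, which the page does not describe.

```python
"""Map which chunks of a suspected partially encrypted file are still plaintext.

Added example for triage after a Gunra-style partial encryption: ChaCha20 output is
indistinguishable from random bytes, so per-chunk Shannon entropy separates encrypted
chunks from untouched data. The threshold and the constructed sample are assumptions.
"""
import math
import os
import sys
from collections import Counter
from typing import List, Tuple

CHUNK_SIZE = 1024 * 1024        # the 1 MB chunk size the page reports for Gunra's ChaCha20 pass
ENCRYPTED_THRESHOLD = 7.5       # bits/byte (assumed): ciphertext scores ~8.0, text and most
                                # structured formats far lower; already-compressed media (zip,
                                # jpg, mp4) also scores high, so treat hits there with care


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropy_map(data: bytes, chunk_size: int = CHUNK_SIZE) -> List[Tuple[int, float, bool]]:
    """(offset, entropy, looks_encrypted) for every chunk, in file order."""
    rows = []
    for off in range(0, len(data), chunk_size):
        ent = shannon_entropy(data[off:off + chunk_size])
        rows.append((off, ent, ent >= ENCRYPTED_THRESHOLD))
    return rows


def estimate_encrypted_ratio(data: bytes, chunk_size: int = CHUNK_SIZE) -> float:
    """Fraction of chunks that look encrypted: an estimate of the ratio the attacker applied."""
    rows = chunk_entropy_map(data, chunk_size)
    return sum(1 for _, _, enc in rows if enc) / len(rows) if rows else 0.0


def recoverable_ranges(data: bytes, chunk_size: int = CHUNK_SIZE) -> List[Tuple[int, int]]:
    """[start, end) byte ranges that still look like plaintext, adjacent chunks merged."""
    ranges: List[Tuple[int, int]] = []
    for off, _, enc in chunk_entropy_map(data, chunk_size):
        if enc:
            continue
        end = min(off + chunk_size, len(data))
        if ranges and ranges[-1][1] == off:
            ranges[-1] = (ranges[-1][0], end)
        else:
            ranges.append((off, end))
    return ranges


def build_sample(chunk_size: int = 4096) -> bytes:
    """Constructed sample, not a real Gunra artefact: eight chunks of log-like text with
    chunks 0, 3 and 6 overwritten by random bytes to imitate a 3-in-8 partial encryption."""
    line = b"2025-08-01T10:00:00Z app[1234]: request id=42 status=200 path=/api/health\n"
    text = (line * (chunk_size // len(line) + 1))[:chunk_size]
    chunks = [text] * 8
    for i in (0, 3, 6):
        chunks[i] = os.urandom(chunk_size)
    return b"".join(chunks)


def report(data: bytes, chunk_size: int = CHUNK_SIZE) -> str:
    """Human-readable chunk table plus the ratio estimate and recoverable ranges."""
    lines = [f"{off:>12} {ent:5.2f} {'ENCRYPTED' if enc else 'plaintext'}"
             for off, ent, enc in chunk_entropy_map(data, chunk_size)]
    lines.append(f"estimated encrypted ratio: {estimate_encrypted_ratio(data, chunk_size):.3f}")
    lines.append(f"recoverable ranges: {recoverable_ranges(data, chunk_size)}")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:      # real file: 1 MB chunks (reads whole file; stream for very large ones)
        with open(sys.argv[1], "rb") as fh:
            print(report(fh.read()))
    else:                      # no argument: run on the constructed sample
        print(report(build_sample(), 4096))
```

Run it against a copy of a suspect .ENCRT file (never the only copy); the recoverable ranges tell a restore team which regions can still be carved from the damaged file and which must come from backup.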

Attribution and Evolution:

Gunra, which first appeared in April 2025 as a Windows-focused campaign, has quickly expanded to include a Linux counterpart, demonstrating a deliberate cross-platform strategy and technical maturity. The codebase's considered design decisions (runtime argument parsing, modular encryption, external keystore support, and adjustable threading) suggest a threat actor moving from opportunistic to scalable, enterprise-oriented operations.

Active Campaign and Geographic Spread:

Since its first detection in April 2025, Gunra has grown rapidly, progressing from Windows-only attacks to a cross-platform threat with the recently discovered Linux variant. In keeping with its strategic focus on high-value and critical-infrastructure organizations, the group has pursued businesses across healthcare, manufacturing, IT, agriculture, legal, and consulting. Its campaigns show considerable geographic reach, with confirmed activity in the United States, Brazil, Japan, Canada, Turkiye, South Korea, and Taiwan, as well as attempts to compromise government institutions. Gunra's large-scale data exfiltration has also drawn media attention, including a 40 terabyte leak of private hospital data in Dubai. Its leak site publicly lists at least 14 victims across multiple sectors and countries, underscoring an active campaign and the group's confidence in evading conventional defenses.

Conclusion:

Gunra's Linux edition is a technical and strategic advancement in ransomware operations: fast, adaptable, covert, and designed for cross-platform enterprise targeting. Defenders should treat Linux hosts as high-value assets and prioritize asset inventory, network segmentation, immutable offline backups, strict least-privilege controls, aggressive patching, and behavioral detection tuned for high-thread encryption patterns, ChaCha20/RSA usage, keystore artifacts, and sudden .ENCRT file renaming.

Impact

Gunra's speed (high thread count) and selective encryption let it encrypt large data estates before discovery or backup recovery can respond. Partial encryption undermines simple restore techniques, and separate keystore storage complicates both automated decryption attempts and forensic recovery. The absence of ransom notes removes an immediate detection signal and lengthens time to discovery, raising the likelihood of a protracted outage, data loss, and data-breach extortion.

IOC and Context Details

Topics                  Details
Tactic Name             Initial Access, Execution, Impact, Persistence
Technique Name          Command-Line Interface Execution; File and Directory Encryption; Multi-Threaded File Processing
Sub Technique Name      Hybrid ChaCha20/RSA Encryption; Partial Encryption; Keystore Storage of Encryption Keys
Attack Type             Malware
Targeted Applications   Linux Servers, Windows Servers, Hybrid Enterprise Environments
Region Impacted         United States, Brazil, Japan, Canada, Turkiye, South Korea, Taiwan, UAE
Industry Impacted       Healthcare, Manufacturing, IT, Agriculture, Law, Consulting, Government Organizations
IOCs                    SHA-1 (Windows variant):
                          bb79502d301ba77745b7dbc5df4269fc7b074cda
                          0c3c878b678c7254446e84cca6f0d63caeb51880
                          77b294117cb818df701f03dc8be39ed9a361a038
                          be6ee00fa5284ee4237f877f4bd5cfa871fdc6ef
                          79e19d3d8405425735e4b3cd36a8507d99dfee20
                          912217b09b13e1e53f7f26335f7f84b3c3918491
                        SHA-1 (Linux variant):
                          8404521cf2a53de3459a75ff946873c43211afb6
                        URLs (defanged):
                          gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad[.]onion
                          hxxp[://]2bw7r32r5eshwk2h7uekj3lwzorxds2jyhyzqyilphid3r27x5hsf4yd[.]onion
                          hxxp[://]jzbhtsuwysslrzi2n5is3gmzsyh6ayhm7jt3xowldhk7rej4dqqubxqd[.]onion/
CVE                     NA

Recommended Actions

  • Continuously patch and harden Linux and Windows systems, including kernel updates and critical application fixes.
  • Enforce strict least-privilege access policies for users, processes, and service accounts to minimize potential attack surfaces.
  • Implement network segmentation and micro-segmentation to prevent ransomware from spreading laterally across hybrid environments.
  • Maintain encrypted, offline, and immutable backups and regularly test recovery procedures to ensure rapid restoration.
  • Monitor for abnormal multi-threaded file operations, unexpected ChaCha20/RSA encryption processes, and sudden spikes in I/O activity.
  • Deploy endpoint detection and response (EDR) solutions capable of flagging unusual runtime arguments, unknown binaries, and unauthorized file modifications.
  • Conduct continuous threat hunting, penetration testing, and simulated ransomware drills to identify gaps in defenses proactively.
  • Integrate AI-powered threat intelligence platforms to correlate IOCs, detect emerging variants, and provide actionable mitigation insights in real time.
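The monitoring recommendations above (abnormal multi-threaded file operations, sudden .ENCRT renames, unknown binaries) can be turned into a concrete hunt. As an added example, not from the page or from any vendor product, the Python below ingests a JSON-lines event feed in a hypothetical EDR schema (ts, pid, tid, comm, op, src, dst), groups rename events per process, and alerts when one process renames at least 20 files to .ENCRT within 10 seconds from at least 4 distinct threads, the footprint a 100-thread encryptor leaves even when it writes no ransom note. The schema, thresholds, and sample events are constructed for the example; tune the thresholds against your own baseline before deploying.

```python
"""Hunt for a burst of renames to .ENCRT from one multi-threaded process.

Added example: the event schema (JSON lines with ts, pid, tid, comm, op, src, dst) is
hypothetical, standing in for whatever your EDR or auditd/fanotify pipeline emits.
Thresholds are assumptions to be tuned against a baseline.
"""
import json
import sys
from collections import defaultdict
from typing import Dict, Iterable, List

TARGET_SUFFIX = ".ENCRT"   # extension the page reports Gunra gives encrypted files
WINDOW_SECONDS = 10.0      # assumed sliding window
MIN_RENAMES = 20           # assumed: renames to .ENCRT inside one window
MIN_THREADS = 4            # assumed: distinct tids in that window, the multi-thread tell


def parse_events(lines: Iterable[str]) -> List[Dict]:
    """Keep well-formed rename events; malformed lines are skipped rather than fatal."""
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if ev.get("op") == "rename" and all(k in ev for k in ("ts", "pid", "tid", "dst")):
            events.append(ev)
    return events


def detect_encryption_bursts(events: List[Dict], window: float = WINDOW_SECONDS,
                             min_renames: int = MIN_RENAMES, min_threads: int = MIN_THREADS) -> List[Dict]:
    """Per pid, slide a time window over renames whose destination ends with .ENCRT and raise
    one alert the first time both the rename count and the thread count cross threshold."""
    per_pid: Dict[int, List[Dict]] = defaultdict(list)
    for ev in events:
        if str(ev["dst"]).endswith(TARGET_SUFFIX):
            per_pid[ev["pid"]].append(ev)

    alerts = []
    for pid, evs in per_pid.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:   # drop events older than the window
                start += 1
            in_window = evs[start:end + 1]
            tids = {e["tid"] for e in in_window}
            if len(in_window) >= min_renames and len(tids) >= min_threads:
                alerts.append({
                    "pid": pid,
                    "comm": in_window[-1].get("comm", "?"),
                    "renames": len(in_window),
                    "threads": len(tids),
                    "first_ts": in_window[0]["ts"],
                    "last_ts": in_window[-1]["ts"],
                    "sample_paths": [e["dst"] for e in in_window[:3]],
                })
                break
    return alerts


def build_sample_lines() -> List[str]:
    """Constructed feed, not a real capture: one encryptor-like burst, logrotate noise,
    a slow single-threaded rename to .ENCRT, and one malformed line."""
    lines = []
    for i in range(30):   # 30 renames in ~3 s spread over 8 worker threads
        lines.append(json.dumps({"ts": 1000.0 + i * 0.1, "pid": 4242, "tid": 4243 + (i % 8),
                                 "comm": "unknown-bin", "op": "rename",
                                 "src": f"/srv/data/report_{i}.pdf",
                                 "dst": f"/srv/data/report_{i}.pdf{TARGET_SUFFIX}"}))
    for i in range(5):    # same syscall, harmless suffix: must not alert
        lines.append(json.dumps({"ts": 1001.0 + i, "pid": 900, "tid": 900, "comm": "logrotate",
                                 "op": "rename", "src": f"/var/log/app{i}.log",
                                 "dst": f"/var/log/app{i}.log.1"}))
    for i in range(25):   # right suffix, but one thread and one rename every 3 s: must not alert
        lines.append(json.dumps({"ts": 2000.0 + i * 3.0, "pid": 777, "tid": 777, "comm": "mv",
                                 "op": "rename", "src": f"/tmp/f{i}", "dst": f"/tmp/f{i}{TARGET_SUFFIX}"}))
    lines.append("{not valid json")
    return lines


def run_on_sample() -> List[Dict]:
    """Parse the constructed feed and return the alerts it produces."""
    return detect_encryption_bursts(parse_events(build_sample_lines()))


if __name__ == "__main__":
    feed = sys.stdin if not sys.stdin.isatty() else build_sample_lines()
    for alert in detect_encryption_bursts(parse_events(feed)):
        print(json.dumps(alert))
```

The thread-count condition is what separates this from ordinary bulk renames: a backup job or mv loop touches many files from one thread, while the thread pool described on this page fans the same renames out across many tids in the same second. Pipe real events in on stdin once they are mapped to the expected fields.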

References

https://www.darkreading.com/threat-intelligence/nimble-gunra-ransomware-linux-variant