{"id":4179,"date":"2025-07-30T12:18:53","date_gmt":"2025-07-30T12:18:53","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4179"},"modified":"2025-07-30T12:18:53","modified_gmt":"2025-07-30T12:18:53","slug":"ransomware-upstart-gunra-goes-cross-platform-with-encryption-upgrades","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4179","title":{"rendered":"Ransomware upstart Gunra goes cross-platform with encryption upgrades"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A new Linux variant of the \u201cGunra\u201d ransomware family has been identified with highly configurable multithreading, allowing attackers to run up to 100 parallel encryptions.<\/p>\n<p>Trend Micro research underlined that the emerging threat group, which has already claimed 14 victims spanning healthcare, manufacturing, and IT, has rolled out a new ransomware variant with significant upgrades, including multi-threaded encryption, partial file encryption, and separate storage for RSA keys.<\/p>\n<p>\u201cTrend\u2019s threat intelligence data detected activity from Gunra ransomware in enterprises from Turkiye, Taiwan, the United States, and South Korea,\u201d Trend Micro said in a <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/g\/gunra-ransomware-linux-variant.html\" target=\"_blank\" rel=\"noopener\">blog post<\/a>. 
\u201cOur monitoring of the ransomware landscape revealed that threat actors behind Gunra have expanded with a Linux variant, signaling a strategic move toward cross-platform targeting.\u201d<\/p>\n<p><a href=\"https:\/\/www.broadcom.com\/support\/security-center\/protection-bulletin\/gunra-ransomware\" target=\"_blank\" rel=\"noopener\">Gunra ransomware<\/a> was first spotted in April during a campaign aimed at Windows systems, employing tactics modeled after the notorious <a href=\"https:\/\/www.csoonline.com\/article\/571503\/conti-ransomware-explained-and-why-its-one-of-the-most-aggressive-criminal-groups.html\">Conti<\/a> ransomware.<\/p>\n<h2 class=\"wp-block-heading\">Linux variant packs encryption upgrades<\/h2>\n<p>Unlike its Windows counterpart, the Linux build boasts highly configurable multi-threading, letting attackers spin up as many as 100 concurrent encryption threads \u2014 double that of similar ransomware like <a href=\"https:\/\/www.csoonline.com\/article\/4019468\/trend-micro-flags-bert-a-rapidly-growing-ransomware-threat.html\">BERT<\/a>.<\/p>\n<p>\u201cGunra ransomware\u2019s Linux variant requires configuration to specify the number of threads used for encryption, which is capped at 100,\u201d Trend Micro said. \u201cWhile other ransomware groups also equip their payloads with multi-thread encryption, it is usually fixed and based on the number of processors available in the victim\u2019s machine.\u201d<\/p>\n<p>Victim files can be chosen by path or extension, or attackers can simply encrypt everything recursively. Files tagged with the \u201c.ENCRT\u201d extension, those already encrypted, are skipped. Interestingly, the Linux variant doesn\u2019t drop a ransom note at all, leaving fewer clues behind.<\/p>\n<p>The variant also supports partial encryption, allowing operators to encrypt portions of files for quicker attacks. 
\u201cThe algorithm supports partial encryption based on the ratio parameter provided upon execution, as indicated by the \u201c<em>-r<\/em>\u201d or \u201c<em>\u2013ratio<\/em>\u201d parameter. The \u201c<em>-l<\/em>\u201d or the \u201c<em>\u2013limit<\/em>\u201d parameter is used to control how much of the file gets encrypted. If no value is provided, the entire file is encrypted,\u201d Trend Micro added.<\/p>\n<p>Additionally, the variant offers flexible key-storage options for RSA-encrypted keys. Using the \u201c<em>-s<\/em>\u201d or \u201c<em>\u2014store<\/em>\u201d parameter makes the ransomware save each file\u2019s RSA-encrypted blob in a separate keystore file rather than appending it to the encrypted file.<\/p>\n<h2 class=\"wp-block-heading\">Gunra follows wider ransomware suit<\/h2>\n<p>Trend Micro sees Gunra\u2019s shift to Linux environments as part of a broader trend in the ransomware landscape: many ransomware groups are \u201cgoing cross-platform to widen and expand their reach, increasing potential victims,\u201d Trend Micro noted.<\/p>\n<p>From mid-2022 to early 2023, several ransomware families, including BlackBasta, Hive, Luna, and Clop, <a href=\"https:\/\/www.kaspersky.co.in\/blog\/linux-vmware-esxi-ransomware-attacks\/25554\/\" target=\"_blank\" rel=\"noopener\">released<\/a> Linux encryptors designed specifically for VMware ESXi platforms.<\/p>\n<p>Targeting multi-OS environments is raising the stakes for enterprises with hybrid infrastructure. Trend Micro recommends tightening asset inventories, hardening configurations, patching systems promptly, and enabling robust endpoint detection across both Windows and Linux systems. 
The group\u2019s growing impact was underscored by its recent breach of American Hospital Dubai, where Gunra <a href=\"https:\/\/www.breachsense.com\/breaches\/american-hospital-dubai-data-breach\" target=\"_blank\" rel=\"noopener\">reportedly<\/a> leaked around 40 TB of sensitive data, marking one of its largest known attacks to date.<\/p>\n<p>More ransomware news and insights:<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3838121\/the-dirty-dozen-12-worst-ransomware-groups-active-today.html\">The dirty dozen: 12 worst ransomware groups active today<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/4027220\/interlock-ransomware-threat-expands-across-the-us-and-europe-hits-healthcare-and-smart-cities.html\">Interlock ransomware threat expands across the US and Europe, hits healthcare and smart cities<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3968946\/ransomware-the-most-pervasive-threat-to-us-critical-infrastructure-in-2024-says-fbi.html\">Fog ransomware gang abuses employee monitoring tool in unusual multi-stage attack<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/4018040\/ingram-micro-confirms-ransomware-attack-after-days-of-downtime.html\">Ingram Micro confirms ransomware attack after days of downtime<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3825444\/ransomware-gangs-extort-victims-17-hours-after-intrusion-on-average.html\">Ransomware gangs extort victims 17 hours after intrusion on average<\/a><\/p><\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A new Linux variant of the \u201cGunra\u201d ransomware family has been identified with highly configurable multithreading, allowing attackers to run up to 100 parallel encryptions. 
Trend Micro research underlined that the emerging threat group, which has already claimed 14 victims spanning healthcare, manufacturing, and IT, has rolled out a new ransomware variant with significant [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4170,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4179","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4179"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4179"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4179\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4170"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4179"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4179"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4179"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}