A newly identified Linux variant of the Gunra ransomware family has emerged, showcasing significant enhancements in its encryption capabilities. According to a recent analysis by Trend Micro, this latest iteration allows attackers to execute up to 100 parallel encryptions using a highly configurable multi-threading approach. This marks a notable evolution in the tactics employed by the group, which has already targeted a diverse range of sectors, including healthcare, manufacturing, and IT.
Trend Micro’s findings reveal that the Gunra ransomware has already claimed 14 victims across countries such as Turkiye, Taiwan, the United States, and South Korea. The research highlights the group's strategic expansion into Linux environments, consistent with a broader trend among ransomware actors toward cross-platform targeting. In its blog post, Trend Micro commented, “Our monitoring of the ransomware landscape revealed that threat actors behind Gunra have expanded with a Linux variant.”
Unlike its Windows counterpart, which surfaced in April, the Linux variant of Gunra has features that improve its attack efficiency. Its multithreading capability lets attackers set the number of threads used during encryption, up to 100, more than comparable ransomware families allow. Trend Micro noted, “Gunra ransomware’s Linux variant requires configuration to specify the number of threads used for encryption.”
Moreover, the new variant supports partial file encryption and offers flexible key-storage options for RSA-encrypted keys. Partial encryption lets attackers render files unusable quickly while controlling how much of each file is encrypted. Trend Micro emphasized that, unlike many other ransomware programs, Gunra’s Linux variant does not drop a ransom note, leaving fewer digital footprints for investigators.
This evolution in ransomware tactics aligns with a broader trend of threat actors targeting multi-platform environments, thus increasing their victim pool. Ransomware families such as BlackBasta, Hive, and Clop have also begun releasing Linux-based encryptors, complicating security measures for enterprises that operate in hybrid infrastructures. In light of these developments, Trend Micro advises companies to tighten security practices, patch systems promptly, and enhance endpoint detection across both Windows and Linux systems.
The expanded capabilities of Gunra ransomware were underscored by a recent breach involving the American Hospital Dubai, in which approximately 40 TB of sensitive data was leaked, highlighting the serious risks posed by such attacks.