A new player in the ransomware scene is shaking things up—and fast. The Gunra group, which only surfaced a few months ago, is now flexing its muscles with a Linux version of its malware that can run up to 100 parallel encryption threads. That’s double what most competitors can handle.
And it’s not just speed they’re after. Gunra’s fresh approach gives attackers more granular control over file encryption, and it signals a clear ambition: to go beyond Windows and build a truly cross-platform criminal enterprise.
From Windows to Linux—Gunra Goes Big
Gunra first made headlines back in April, following a playbook eerily similar to that of the now-defunct Conti group. Their early campaigns focused solely on Windows systems, but they weren’t subtle. By May, they had allegedly leaked 40 terabytes of data from a hospital—a staggering figure that catapulted them onto radar screens around the world.
Now they’ve moved on to Linux. According to researchers at Trend Micro, Gunra’s new variant shows a level of control and configurability that’s uncommon—even among well-established ransomware outfits.
This latest development confirms what many feared: Gunra isn’t just testing the waters. They’re diving headfirst into broader enterprise environments.
Encryption on Steroids
What sets Gunra apart? It’s the way they encrypt.
Traditional ransomware usually sets the number of threads based on the victim’s CPU cores. Others, like the BERT ransomware, allow a bit of customization—but cap threads at 50. Gunra? They’ve doubled that.
Trend Micro researchers confirmed that Gunra’s Linux variant allows up to 100 encryption threads, all running in parallel. That means faster operations, especially on large volumes of data.
And there’s more:
• Attackers can control how much of a file is encrypted, allowing partial encryption
• Encryption threads won’t terminate until every file is processed
• The malware skips dropping a ransom note on Linux systems—purely focused on speed and control
It’s fast. It’s lean. It’s deliberate.
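Partial encryption and the missing ransom note both weaken common detection shortcuts: a file that is only partly encrypted can keep a moderate whole-file entropy, and there is no note to alert on. The sketch below is an added example, not code from Trend Micro's report or from this article; it scores a file window by window instead. The window size, threshold and sample data are assumptions, and seeded random bytes stand in for ciphertext.

```python
import math
import random
from collections import Counter

CHUNK = 4096         # window size in bytes (assumed value)
HIGH_ENTROPY = 7.5   # bits per byte; ciphertext sits near 8.0 (assumed threshold)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each full, non-overlapping window of the file."""
    return [shannon_entropy(data[i:i + chunk])
            for i in range(0, len(data) - chunk + 1, chunk)]

def classify(data: bytes) -> str:
    """Label a file by how many of its windows look like ciphertext."""
    ents = chunk_entropies(data)
    if not ents:
        return "too-small"
    hits = sum(e > HIGH_ENTROPY for e in ents)
    if hits == 0:
        return "clean"
    return "full" if hits == len(ents) else "partial"

def build_samples() -> dict:
    """Constructed inputs: a SQL-like text file, then random bytes standing
    in for ciphertext over the first two windows and over the whole file."""
    line = b"INSERT INTO orders (id, item) VALUES (1, 'constructed');\n"
    plain = (line * 2000)[:16 * CHUNK]
    rng = random.Random(1)  # fixed seed so the demo is repeatable
    noise = bytes(rng.getrandbits(8) for _ in range(16 * CHUNK))
    return {"plain": plain,
            "partial": noise[:2 * CHUNK] + plain[2 * CHUNK:],
            "full": noise}

if __name__ == "__main__":
    for name, data in build_samples().items():
        print(f"{name:8} whole-file={shannon_entropy(data):.2f} "
              f"verdict={classify(data)}")
```

Formats that are already compressed, such as .docx, score high in every window, so this check is most useful on plaintext-like data such as SQL dumps.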
Global Reach, Diverse Targets
Gunra isn’t picky. They’ve already hit organizations in at least seven countries, including:
• Brazil
• Japan
• Canada
• Turkey
• South Korea
• Taiwan
• United States
And they’re not sticking to one industry either. Victims so far span:
• Healthcare
• Legal and consulting
• Agriculture
• IT services
• Manufacturing
According to their leak site, the group has been busy—posting stolen data and proving they’re capable of causing serious damage across sectors.
That’s what makes this so alarming. Gunra isn’t building up gradually. They’re launching full-force.
Linux Variant: Configurable and Efficient
Gunra’s Linux malware doesn’t just bring more threads. It also gives attackers fine-tuned control over the attack itself.
Instead of encrypting everything by default, the ransomware needs input on what to target. Users (aka attackers) must specify:
• How many threads to use (up to 100)
• Which file paths to scan
• Which file extensions to encrypt
If attackers input “all,” every accessible file gets encrypted. But they can also opt for surgical strikes—only encrypting specific file types like .docx, .sql, or .db.
Once the ransomware starts, it enters a waiting loop—checking every 10 milliseconds until all threads finish. Then it shuts itself down.
It’s clean, fast, and leaves fewer clues behind.
Why This Variant Stands Out
Most Linux-targeting ransomware still follows clunky methods. Gunra changes that. According to Trend Micro, the key enhancements are:
| Feature | Gunra Linux Variant | Typical Ransomware |
|---|---|---|
| Max Encryption Threads | 100 | CPU-dependent / ~50 |
| Ransom Note on Linux | No | Yes |
| File Extension Targeting | Customizable (CSV-based) | Often Hardcoded |
| Partial Encryption Option | Yes | Sometimes |
| Keystore File Support | Yes (RSA-encrypted keys) | Rare |
Gunra’s toolset reflects an evolution in ransomware design. It’s not just a port of their Windows version—it’s optimized for Linux environments. That includes servers running sensitive databases and core enterprise workloads.
It’s clear the group isn’t just experimenting. They know what they’re doing.
Defenders on High Alert
Security experts are taking this seriously. Trend Micro has issued direct recommendations for defenders, highlighting that Gunra has moved fast and innovated aggressively—traits that make them harder to counter.
Here’s what experts recommend:
• Run regular vulnerability scans
• Audit all assets and configurations
• Monitor ports, services, and protocols
• Harden routers and firewalls
• Use AI-driven threat detection where possible
• Educate employees and run red-team exercises
Trend Micro stresses the need for layered defenses. No single fix will stop a group like Gunra—but every extra wall helps.