The PolySwarm Blog


Gunra Ransomware

Aug 11, 2025 2:41:54 PM / by The Hivemind

Verticals Targeted: Government, Healthcare, Manufacturing, Transportation, Law and Consulting, IT, Agriculture
Regions Targeted: Brazil, Japan, Canada, Turkey, South Korea, Taiwan, United States
Related Families: Conti

Executive Summary

Gunra ransomware has debuted a Linux variant that boosts encryption speed and flexibility, signaling a shift toward broader cross-platform attacks following its initial Windows campaigns.

Key Takeaways

  • Gunra enables up to 100 concurrent encryption threads, surpassing typical limits seen in other ransomware.
  • Gunra supports partial encryption, allowing attackers to specify file portions and extensions for targeted impact.
  • The Linux variant omits ransom notes entirely, prioritizing rapid file locking, and extends Gunra's reach to Linux-based infrastructure.
  • Gunra has impacted enterprises across multiple sectors and nations, with notable data leaks from high-profile victims.

What is Gunra?

In a significant evolution within the ransomware ecosystem, the Gunra group has released a Linux-targeted variant, building on its Windows origins observed since April 2025. This development underscores the actors' ambition to extend their reach beyond traditional Windows environments, drawing tactical inspiration from the defunct Conti operation. Trend Micro researchers have detailed how this variant prioritizes efficiency in encryption processes, potentially accelerating disruption in victim networks.

The Linux payload requires runtime arguments: if they are omitted it prints usage guidance and prompts for the missing inputs, so an operator cannot easily launch it misconfigured. Console logs provide real-time visibility into its activity, letting attackers monitor progress. A key enhancement is configurable multi-threading, permitting up to 100 parallel encryption threads, a marked increase over the fixed or lower caps seen in other families. A dedicated function enforces the thread limit, spawning a new worker only when a slot is free, and then waits in a 10-millisecond polling loop until all workers have finished before the process exits.

File targeting is highly customizable: operators can designate specific paths and extensions, with an "all" option for indiscriminate encryption. The malware recursively traverses directories and skips files that already carry the .ENCRT extension to avoid re-encrypting them. Block devices are included only when a dedicated flag (--exts=disk) is passed. Notably, this variant introduces partial-encryption controls, letting attackers choose how much of each file is encrypted (a common speed optimization on large files), alongside an option to store the RSA-encrypted keys in separate keystores for added operational flexibility.
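As an added triage example (not code from this page, from Trend Micro, or from the malware itself): the .ENCRT marker and the partial-encryption option described above mean a responder cannot rely on whole-file entropy to tell how much of a file was actually hit. The Python below walks a directory tree, collects files carrying the suffix, and reports per file the fraction of 4 KB chunks that look like ciphertext. The sample files it builds, the chunk size and the 7.5 bits/byte threshold are constructed assumptions for the demo, not values taken from Gunra.

```python
"""Added triage helper: locate files carrying the .ENCRT suffix and estimate
per file how much of it was actually encrypted, using Shannon entropy over
fixed-size chunks. Sample data is constructed in a temporary directory so the
script runs offline; nothing here is taken from the malware or from PolySwarm."""

import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".ENCRT"  # suffix the Linux variant appends (per the bulletin)
CHUNK_SIZE = 4096            # assumption: 4 KB windows for the entropy scan
HIGH_ENTROPY = 7.5           # assumption: bits/byte; ciphertext ~8.0, text ~4-5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def encrypted_fraction(path: Path) -> float:
    """Fraction of CHUNK_SIZE chunks whose entropy is at or above HIGH_ENTROPY.
    1.0 means the whole file looks encrypted; a low value indicates partial
    encryption with an intact plaintext remainder."""
    high = total = 0
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK_SIZE):
            total += 1
            if shannon_entropy(chunk) >= HIGH_ENTROPY:
                high += 1
    return high / total if total else 0.0


def find_encrt_files(root: Path) -> list[Path]:
    """Recursively collect regular files ending in .ENCRT (case-sensitive)."""
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.name.endswith(ENCRYPTED_SUFFIX))


def triage(root: Path) -> dict[str, float]:
    """Map each .ENCRT file (relative path) to its encrypted-chunk fraction."""
    return {str(p.relative_to(root)): encrypted_fraction(p)
            for p in find_encrt_files(root)}


def build_sample_tree(root: Path) -> None:
    """Construct sample input: one untouched text file, one fully 'encrypted'
    file (random bytes), and one partially 'encrypted' file whose first two
    chunks are random and whose remainder is still plaintext."""
    text = b"The quick brown fox jumps over the lazy dog.\n" * 1000  # 45,000 bytes
    (root / "notes.txt").write_bytes(text)
    (root / "full.db.ENCRT").write_bytes(os.urandom(len(text)))
    partial = os.urandom(CHUNK_SIZE * 2) + text[CHUNK_SIZE * 2:]
    (root / "partial.log.ENCRT").write_bytes(partial)


def run_demo() -> dict[str, float]:
    """Build the sample tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for name, frac in run_demo().items():
        print(f"{name}: {frac:.0%} of chunks look encrypted")
```

Run it directly to see the report; on a real host, point triage() at the affected mount point instead of the constructed tree. A file that scores well below 1.0 was only partially encrypted, and the bytes beyond the encrypted region are still intact, which is worth knowing before deciding what must be restored from backup.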

Unlike its Windows counterpart, the Linux version forgoes dropping ransom notes, focusing solely on swift encryption to maximize immediate impact. This streamlined approach may complicate victim negotiations but fits Gunra's aggressive posture: its leak site has claimed 14 compromises since the group emerged. The group has allegedly exfiltrated and exposed 40 terabytes of data from a Dubai hospital, highlighting its capacity for large-scale breaches.

Gunra's expansion targets diverse geographies, with detections in Turkey, Taiwan, the United States, and South Korea, while leak-site claims include victims in Brazil, Japan, and Canada. By sector, attempts have hit government entities alongside healthcare, manufacturing, transportation, and others, reflecting opportunistic targeting across verticals. PolySwarm analysts consider Gunra ransomware to be both an emerging and evolving threat.

IOCs

PolySwarm has multiple samples of Gunra ransomware.

Windows Variant

a82e496b7b5279cb6b93393ec167dd3f50aff1557366784b25f9e51cb23689d9

5530363373dfe8fa474c9394184d2c56a0682c6a178d6f1c3536a1a3796dff42

854e5f77f788bbbe6e224195e115c749172cd12302afca370d4f9e3d53d005fd

91f8fc7a3290611e28a35a403fd815554d9d856006cc2ee91ccdb64057ae53b0

944a1a411abb97f9ae547099c4834beb49de0745740ba450efb747bd62d8d83b

76f13279f2ea05c8895394f57b71716847857d2beac269272375ce8a71c80e40

Linux Variant

22c47ec98718ab243f2f474170366a1780368e084d1bf6adcd60450a9289e4be

You can use the following CLI command to search for all Gunra samples in our portal:

$ polyswarm link list -f Gunra


Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.

Topics: Threat Bulletin, Emerging Threat, Evolving Threat, Data Exfiltration, Gunra Ransomware, Linux Ransomware Variant, Multi-Thread Encryption, Partial Encryption, Cross-Platform Ransomware, Conti-Inspired, Ransomware Analysis, Gunra Group, Enterprise Targeting
