Date: 07/30/2025
Severity: High
Summary
Gunra ransomware’s Linux variant significantly expands the group’s attack surface, reflecting its intention to move beyond its initial targets. This variant includes key features such as the ability to execute up to 100 encryption threads simultaneously and perform partial encryption. Attackers can customize the extent of file encryption and store RSA-encrypted keys in separate keystore files. Since first being observed in April 2025, Gunra has impacted organizations across Brazil, Japan, Canada, Türkiye, South Korea, Taiwan, and the United States. Its victims span various sectors, including manufacturing, healthcare, IT, agriculture, legal, and consulting services.
Indicators of Compromise (IOC) List
Domains\URLs:
gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad.onion
http://2bw7r32r5eshwk2h7uekj3lwzorxds2jyhyzqyilphid3r27x5hsf4yd.onion
http://jzbhtsuwysslrzi2n5is3gmzsyh6ayhm7jt3xowldhk7rej4dqqubxqd.onion/
Hash (SHA-1):
bb79502d301ba77745b7dbc5df4269fc7b074cda
0c3c878b678c7254446e84cca6f0d63caeb51880
77b294117cb818df701f03dc8be39ed9a361a038
be6ee00fa5284ee4237f877f4bd5cfa871fdc6ef
79e19d3d8405425735e4b3cd36a8507d99dfee20
912217b09b13e1e53f7f26335f7f84b3c3918491
8404521cf2a53de3459a75ff946873c43211afb6
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains\URLs:
domainname like "gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad.onion" or url like "gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad.onion" or siteurl like "gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad.onion"
or domainname like "http://2bw7r32r5eshwk2h7uekj3lwzorxds2jyhyzqyilphid3r27x5hsf4yd.onion" or url like "http://2bw7r32r5eshwk2h7uekj3lwzorxds2jyhyzqyilphid3r27x5hsf4yd.onion" or siteurl like "http://2bw7r32r5eshwk2h7uekj3lwzorxds2jyhyzqyilphid3r27x5hsf4yd.onion"
or domainname like "http://jzbhtsuwysslrzi2n5is3gmzsyh6ayhm7jt3xowldhk7rej4dqqubxqd.onion/" or url like "http://jzbhtsuwysslrzi2n5is3gmzsyh6ayhm7jt3xowldhk7rej4dqqubxqd.onion/" or siteurl like "http://jzbhtsuwysslrzi2n5is3gmzsyh6ayhm7jt3xowldhk7rej4dqqubxqd.onion/"
Hash (SHA-1):
sha1hash IN ("bb79502d301ba77745b7dbc5df4269fc7b074cda","be6ee00fa5284ee4237f877f4bd5cfa871fdc6ef","8404521cf2a53de3459a75ff946873c43211afb6","77b294117cb818df701f03dc8be39ed9a361a038","0c3c878b678c7254446e84cca6f0d63caeb51880","79e19d3d8405425735e4b3cd36a8507d99dfee20","912217b09b13e1e53f7f26335f7f84b3c3918491")
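The queries above match the listed .onion addresses and SHA-1 hashes field by field. The Python script below is an added example, not part of this advisory or of Gurucul's TDIR product: it applies the same IOC set to constructed key=value log lines, but normalizes each domain/URL field to a bare hostname (so the scheme and trailing slash on some of the listed addresses do not cause misses) and compares hashes case-insensitively. The log format, field names (domainname, url, siteurl, sha1hash, taken from the queries) and sample events are assumptions for the demonstration; the IOC values are the ones listed on this page.

```python
import hashlib
import re
from urllib.parse import urlsplit

# IOC values copied from the advisory above (Gunra ransomware, Linux variant).
GUNRA_ONION_HOSTS = {
    "gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad.onion",
    "2bw7r32r5eshwk2h7uekj3lwzorxds2jyhyzqyilphid3r27x5hsf4yd.onion",
    "jzbhtsuwysslrzi2n5is3gmzsyh6ayhm7jt3xowldhk7rej4dqqubxqd.onion",
}
GUNRA_SHA1 = {
    "bb79502d301ba77745b7dbc5df4269fc7b074cda",
    "0c3c878b678c7254446e84cca6f0d63caeb51880",
    "77b294117cb818df701f03dc8be39ed9a361a038",
    "be6ee00fa5284ee4237f877f4bd5cfa871fdc6ef",
    "79e19d3d8405425735e4b3cd36a8507d99dfee20",
    "912217b09b13e1e53f7f26335f7f84b3c3918491",
    "8404521cf2a53de3459a75ff946873c43211afb6",
}

# Log fields the advisory's TDIR queries inspect, grouped by IOC type
# (assumed here to appear as key=value pairs in the telemetry).
HOST_FIELDS = ("domainname", "url", "siteurl")
HASH_FIELDS = ("sha1hash",)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def normalize_host(value: str) -> str:
    """Reduce a bare domain, full URL or host:port string to a lowercase hostname.

    The advisory lists one .onion address without a scheme and two with
    "http://" and a trailing slash; a telemetry source may emit any of these
    forms, so matching on the hostname alone avoids format-dependent misses.
    """
    value = value.strip().strip('"').lower()
    if "://" not in value:
        value = "//" + value  # make urlsplit treat the text as a netloc
    host = urlsplit(value).hostname or ""
    return host.rstrip(".")


def is_gunra_host(value: str) -> bool:
    return normalize_host(value) in GUNRA_ONION_HOSTS


def is_gunra_sha1(digest: str) -> bool:
    """Case-insensitive SHA-1 membership check (some sources emit uppercase hex)."""
    return digest.strip().strip('"').lower() in GUNRA_SHA1


def sha1_of_bytes(data: bytes) -> str:
    """SHA-1 of file content, for checking a quarantined file against GUNRA_SHA1."""
    return hashlib.sha1(data).hexdigest()


def parse_kv_line(line: str) -> dict:
    return {k: v for k, v in KV_RE.findall(line)}


def scan_log(text: str) -> list:
    """Return (line_number, field, value) for every IOC hit in key=value log text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = parse_kv_line(line)
        for name in HOST_FIELDS:
            if name in fields and is_gunra_host(fields[name]):
                hits.append((lineno, name, fields[name]))
        for name in HASH_FIELDS:
            if name in fields and is_gunra_sha1(fields[name]):
                hits.append((lineno, name, fields[name]))
    return hits


# Constructed sample telemetry (not real data): a benign DNS query, a proxy
# request to a listed .onion address, a file event carrying a listed SHA-1
# in uppercase, and a benign file event that must not match.
SAMPLE_LOG = """\
ts=2025-07-30T10:00:01Z src=10.0.0.5 action=dns_query domainname=example.com
ts=2025-07-30T10:00:07Z src=10.0.0.5 action=proxy url=http://jzbhtsuwysslrzi2n5is3gmzsyh6ayhm7jt3xowldhk7rej4dqqubxqd.onion/
ts=2025-07-30T10:01:12Z src=10.0.0.9 action=file_write path=/tmp/encryptor sha1hash=BB79502D301BA77745B7DBC5DF4269FC7B074CDA
ts=2025-07-30T10:02:00Z src=10.0.0.9 action=file_write path=/usr/bin/ls sha1hash=0000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for lineno, field, value in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {field}={value} matches a Gunra IOC")
```

Running the script reports lines 2 and 3 of the sample; the uppercase hash on line 3 is caught only because of the case normalization, which is worth keeping in mind when the same hash list is pasted into a platform whose string comparison is case-sensitive.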
Reference:
https://www.trendmicro.com/en_us/research/25/g/gunra-ransomware-linux-variant.html