Gunra Ransomware Group Unveils Efficient Linux Variant

    Date: 07/30/2025

    Severity: High

    Summary

    Gunra ransomware’s Linux variant significantly broadens the group’s reach, reflecting its intention to move beyond its initial targets. The variant can run up to 100 encryption threads simultaneously and perform partial encryption: attackers can configure how much of each file is encrypted, and the RSA-encrypted keys are stored in separate keystore files. Since first being observed in April 2025, Gunra has impacted organizations across Brazil, Japan, Canada, Türkiye, South Korea, Taiwan, and the United States. Its victims span various sectors, including manufacturing, healthcare, IT, agriculture, legal, and consulting services.

    Indicators of Compromise (IOC) List

    Domains\URLs:

    gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad.onion

    http://2bw7r32r5eshwk2h7uekj3lwzorxds2jyhyzqyilphid3r27x5hsf4yd.onion

    http://jzbhtsuwysslrzi2n5is3gmzsyh6ayhm7jt3xowldhk7rej4dqqubxqd.onion/

    Hash (SHA-1):

    bb79502d301ba77745b7dbc5df4269fc7b074cda
    0c3c878b678c7254446e84cca6f0d63caeb51880
    77b294117cb818df701f03dc8be39ed9a361a038
    be6ee00fa5284ee4237f877f4bd5cfa871fdc6ef
    79e19d3d8405425735e4b3cd36a8507d99dfee20
    912217b09b13e1e53f7f26335f7f84b3c3918491
    8404521cf2a53de3459a75ff946873c43211afb6

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\URLs: 

    domainname like "gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad.onion" or url like "gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad.onion" or siteurl like "gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad.onion" or domainname like "http://2bw7r32r5eshwk2h7uekj3lwzorxds2jyhyzqyilphid3r27x5hsf4yd.onion" or url like "http://2bw7r32r5eshwk2h7uekj3lwzorxds2jyhyzqyilphid3r27x5hsf4yd.onion" or siteurl like "http://2bw7r32r5eshwk2h7uekj3lwzorxds2jyhyzqyilphid3r27x5hsf4yd.onion" or domainname like "http://jzbhtsuwysslrzi2n5is3gmzsyh6ayhm7jt3xowldhk7rej4dqqubxqd.onion/" or url like "http://jzbhtsuwysslrzi2n5is3gmzsyh6ayhm7jt3xowldhk7rej4dqqubxqd.onion/" or siteurl like "http://jzbhtsuwysslrzi2n5is3gmzsyh6ayhm7jt3xowldhk7rej4dqqubxqd.onion/"

    Hash (SHA-1):

    sha1hash IN ("bb79502d301ba77745b7dbc5df4269fc7b074cda","be6ee00fa5284ee4237f877f4bd5cfa871fdc6ef","8404521cf2a53de3459a75ff946873c43211afb6","77b294117cb818df701f03dc8be39ed9a361a038","0c3c878b678c7254446e84cca6f0d63caeb51880","79e19d3d8405425735e4b3cd36a8507d99dfee20","912217b09b13e1e53f7f26335f7f84b3c3918491")
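    As an added example (not Gurucul's or Trend Micro's code, and not part of the advisory), the two detection queries above expressed in Python and run over a few constructed key=value log events. It reduces the three forms in which the page lists the .onion indicators (bare domain, URL, URL with a trailing slash) to a lower-case hostname before comparing, so a match does not depend on which form a given log field happens to carry, and it checks SHA-1 values both from log fields and from file contents. The log format, the sample events, and every field name other than domainname, url, siteurl and sha1hash are assumptions made for the example.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators copied from the advisory above.
IOC_DOMAINS = {
    "gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad.onion",
    "2bw7r32r5eshwk2h7uekj3lwzorxds2jyhyzqyilphid3r27x5hsf4yd.onion",
    "jzbhtsuwysslrzi2n5is3gmzsyh6ayhm7jt3xowldhk7rej4dqqubxqd.onion",
}
IOC_SHA1 = {
    "bb79502d301ba77745b7dbc5df4269fc7b074cda",
    "0c3c878b678c7254446e84cca6f0d63caeb51880",
    "77b294117cb818df701f03dc8be39ed9a361a038",
    "be6ee00fa5284ee4237f877f4bd5cfa871fdc6ef",
    "79e19d3d8405425735e4b3cd36a8507d99dfee20",
    "912217b09b13e1e53f7f26335f7f84b3c3918491",
    "8404521cf2a53de3459a75ff946873c43211afb6",
}

# Fields inspected. domainname/url/siteurl/sha1hash come from the Gurucul
# queries; "query" (DNS) and "sha1" are assumed names for this example.
HOST_FIELDS = ("domainname", "url", "siteurl", "query")
HASH_FIELDS = ("sha1hash", "sha1")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample events (assumed key=value format); lines 1, 3 and 4 should hit.
SAMPLE_EVENTS = [
    "ts=2025-07-30T10:01:02Z type=proxy src=10.20.30.41 url=http://2bw7r32r5eshwk2h7uekj3lwzorxds2jyhyzqyilphid3r27x5hsf4yd.onion",
    "ts=2025-07-30T10:01:05Z type=dns src=10.20.30.41 query=example.com",
    "ts=2025-07-30T10:02:11Z type=dns src=10.20.30.77 query=JZBHTSUWYSSLRZI2N5IS3GMZSYH6AYHM7JT3XOWLDHK7REJ4DQQUBXQD.ONION",
    "ts=2025-07-30T10:03:40Z type=file endpoint=app-lnx-03 path=/tmp/.x/enc sha1=912217b09b13e1e53f7f26335f7f84b3c3918491",
    "ts=2025-07-30T10:03:41Z type=file endpoint=app-lnx-03 path=/usr/bin/ls sha1=0000000000000000000000000000000000000000",
]


def normalize_host(value: str) -> str:
    """Reduce a bare domain, a URL, or a URL with a path to a lower-case hostname."""
    value = value.strip().lower()
    if "://" not in value:
        value = "//" + value  # let urlparse treat a bare name as the netloc
    return urlparse(value).hostname or ""


def parse_event(line: str) -> dict:
    """Split one key=value log line into a dict (assumed log format)."""
    return dict(KV_RE.findall(line))


def match_event(event: dict):
    """Return (kind, indicator) for the first IOC hit in a parsed event, else None."""
    for field in HOST_FIELDS:
        if field in event:
            host = normalize_host(event[field])
            if host in IOC_DOMAINS:
                return ("domain", host)
    for field in HASH_FIELDS:
        if field in event:
            digest = event[field].strip().lower()
            if digest in IOC_SHA1:
                return ("sha1", digest)
    return None


def scan_events(lines) -> list:
    """Run both IOC checks over every line; return the hits with their 1-based line numbers."""
    hits = []
    for number, line in enumerate(lines, 1):
        hit = match_event(parse_event(line))
        if hit:
            hits.append({"line": number, "kind": hit[0], "indicator": hit[1]})
    return hits


def sha1_hex(data: bytes) -> str:
    """SHA-1 of file contents, for comparing an on-disk file against the hash list."""
    return hashlib.sha1(data).hexdigest()


def is_known_sample(data: bytes) -> bool:
    return sha1_hex(data) in IOC_SHA1


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)
```

    Hostname normalization is the part worth keeping when porting this to a SIEM: the same .onion name appears in logs as a DNS query, a proxy URL with a scheme, and a URL with a trailing path, and a plain string comparison against one of those forms misses the others.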

    Reference:

    https://www.trendmicro.com/en_us/research/25/g/gunra-ransomware-linux-variant.html


    Tags

    Malware, Ransomware, Gunra, Brazil, Japan, Türkiye, South Korea, Taiwan, United States, Healthcare and Public Health, Information Technology, Critical Manufacturing, Food and Agriculture
