Gunra Ransomware: Dual-Encryption Attacks on Windows and Linux – Active IOCs

Severity

High

Analysis Summary

Gunra ransomware, first detected in April 2025, has rapidly grown into a global threat, targeting both Windows and Linux systems with platform-specific variants. The group behind Gunra has adopted a dual-platform attack strategy that lets it compromise mixed enterprise infrastructures. Its operations have affected multiple industries, with confirmed incidents reported in the Asia-Pacific region, among them South Korea. Following the familiar double-extortion model, Gunra encrypts critical files, exfiltrates sensitive organizational data, and threatens to leak the stolen information unless the ransom is paid, making it one of the more organized and widespread ransomware campaigns of recent months.

The ransomware’s operational design reflects a high level of planning. According to researchers, Gunra runs from a command-line interface that requires specific parameters for execution, and it validates every argument before starting encryption so that a malformed invocation does not run. This parameter-driven structure indicates that Gunra is more than a typical ransomware strain: it is a modular, adaptable toolkit built to support targeted attacks across different environments.

However, technical analysis uncovered a critical cryptographic flaw in the Linux (ELF) variant that significantly undermines its encryption. The variant encrypts with ChaCha20, but it derives its key material from a weak random number generator: time() is used to seed rand(). Because time() has one-second resolution, encryption runs that start within the same second receive the same seed and therefore the same random sequence, and the generated keys and nonces exhibit repeated byte patterns. The effective key space collapses to at most 256 possible byte values, so the ChaCha20 key can be brute-forced with high probability. This provides a potential avenue for data recovery without paying the ransom.

In contrast, the Windows version uses ChaCha8 with keys drawn from the Windows CryptGenRandom() API, a cryptographically secure source, and shows no comparable weakness. The discrepancy between the ELF and EXE builds underscores uneven development quality across platforms: the Windows variant maintains robust encryption that resists decryption, while the Linux variant suffers from a fundamental cryptographic weakness. This flaw gives defenders and incident responders an opportunity to develop decryption tools and limit the impact of attacks on Linux systems; it offers no equivalent relief for Windows victims.
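As an added illustration of the key-generation flaw described for the ELF variant and of the CryptGenRandom() contrast in the Windows variant, the following Python is example code written for this advisory; it is not Gunra's code and not any vendor's decryptor. It models a generator that reseeds from time() before every rand() call, shows why that collapses a 32-byte key to 256 candidates, and recovers the key from a ciphertext with a known-plaintext search. Assumptions: a simple 32-bit LCG stands in for libc rand() (only its determinism matters), the ChaCha20 block counter starts at 1, and the sample "victim file" and all function names are constructed for the example. It goes slightly beyond the text by also handling the case where key and nonce were drawn in different seconds.

```python
import os
import struct

MASK32 = 0xFFFFFFFF


class LibcRandStub:
    """Stand-in for libc srand()/rand(): a plain 32-bit LCG. This is an
    assumption, not glibc's real generator; only determinism matters here."""

    def __init__(self):
        self.state = 1

    def srand(self, seed):
        self.state = seed & MASK32

    def rand(self):
        self.state = (1103515245 * self.state + 12345) & MASK32
        return (self.state >> 16) & 0x7FFF


def weak_keygen(now, nbytes):
    """Hypothetical flawed generator modelled on the flaw described in the
    text: srand(time(NULL)) runs before every rand(). time() has one-second
    resolution, so each call restarts the same sequence and returns the same
    first value: nbytes copies of one byte, i.e. only 256 possible keys."""
    prng = LibcRandStub()
    out = bytearray()
    for _ in range(nbytes):
        prng.srand(now)          # reseeded with the same second every time
        out.append(prng.rand() & 0xFF)
    return bytes(out)


def strong_keygen(nbytes):
    """The role CryptGenRandom() plays in the Windows variant: read the OS
    CSPRNG (getrandom()/ /dev/urandom on Linux)."""
    return os.urandom(nbytes)


# Minimal RFC 8439 ChaCha20, included so the example runs offline.
def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _qr(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key
                               + struct.pack("<I", counter) + nonce))
    w = state[:]
    for _ in range(10):  # 20 rounds: 10 x (column round, diagonal round)
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13)
        _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12)
        _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt/decrypt (same operation). Counter start of 1 is an assumption;
    a real decryptor must use whatever the sample uses."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)


def recover_weak_key(ciphertext, known_prefix, cross_second=False):
    """Known-plaintext search over the collapsed key space. Key and nonce
    drawn in the same second are copies of the same byte: 256 candidates.
    If they straddled a second boundary they are independent bytes: 256*256,
    still trivial (cross_second=True). known_prefix is e.g. a file magic."""
    n = len(known_prefix)
    pairs = ((k, k) for k in range(256))
    if cross_second:
        pairs = ((k, v) for k in range(256) for v in range(256))
    for kb, nb in pairs:
        key, nonce = bytes([kb]) * 32, bytes([nb]) * 12
        if chacha20_xor(key, nonce, ciphertext[:n]) == known_prefix:
            return key, nonce
    return None


def encrypt_and_recover(now=1730000000):
    """Constructed victim file encrypted with the flawed generator, then the
    key recovered from the ciphertext plus the known PDF magic alone."""
    key, nonce = weak_keygen(now, 32), weak_keygen(now, 12)
    plaintext = b"%PDF-1.7\n" + b"constructed sample body line\n" * 8
    ciphertext = chacha20_xor(key, nonce, plaintext)
    found = recover_weak_key(ciphertext, b"%PDF-1.")
    return found is not None and chacha20_xor(*found, ciphertext) == plaintext
```

The search needs only a few bytes of known plaintext per file (a file-type magic is enough) and touches just the first ChaCha20 block, so it runs in milliseconds even in pure Python. Replace the LCG with the real libc call sequence and match the sample's counter start and nonce layout before using this shape against actual Gunra ELF ciphertext; none of those details are established by this advisory.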

Impact

  • Sensitive Data Theft
  • Double Extortion
  • Gain Access

Indicators of Compromise

MD5

  • 9a7c0adedc4c68760e49274700218507
  • 7dd26568049fac1b87f676ecfaac9ba0

SHA-256

  • 854e5f77f788bbbe6e224195e115c749172cd12302afca370d4f9e3d53d005fd
  • a82e496b7b5279cb6b93393ec167dd3f50aff1557366784b25f9e51cb23689d9

SHA-1

  • 77b294117cb818df701f03dc8be39ed9a361a038
  • bb79502d301ba77745b7dbc5df4269fc7b074cda

Remediation

  • Block all threat indicators at your respective controls.
  • Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
  • Deploy endpoint protection, intrusion detection systems (IDS/IPS), and behavioral-based ransomware detection to identify suspicious encryption activity early.
  • Ensure all operating systems, especially Linux and Windows servers, are updated with the latest security patches to reduce exploitable entry points.
  • Limit or monitor command-line access to prevent unauthorized execution of scripts or ransomware payloads.
  • Maintain offline, encrypted backups of essential files and test restoration procedures regularly so that data can be recovered without paying the ransom; do not treat the key weakness in the Linux variant as a recovery plan, since it does not apply to the Windows variant.