A sophisticated new Linux variant of Gunra ransomware has emerged, marking a major escalation in the group’s offensive strategy. Since its discovery in April 2025, Gunra has quickly evolved. Drawing inspiration from Conti ransomware tactics, the group now targets Linux environments, signaling a strategic shift from Windows-only operations.
A Cross-Platform Attack Strategy Unfolds
This move to Linux is not accidental. According to Trend Micro researchers, the Linux variant represents a calculated expansion, allowing the attackers to infiltrate mixed-OS enterprise environments more effectively. As a result, Gunra poses a broader risk to today’s increasingly hybrid infrastructures.
Moreover, the group’s target list is diverse. Gunra has compromised organizations across sectors such as:
Healthcare
Manufacturing
Information technology
Agriculture
Law
Consulting services
These incidents indicate that no industry is off-limits.
Gunra’s Global Footprint Grows Rapidly
Since its initial appearance, Gunra has demonstrated consistent activity. The group has already claimed 14 victims on its leak site. Furthermore, its operations have expanded across countries including Brazil, Japan, Canada, Turkey, South Korea, Taiwan, and the United States.
Notably, in May 2025, the group made headlines by leaking 40 terabytes of data stolen from a Dubai hospital. This brazen attack confirmed Gunra’s willingness to target critical healthcare systems, raising global concern.
Technical Advancement: Unmatched Multi-Threading
Perhaps the most significant development is the Linux variant’s multi-threaded encryption capability. Unlike typical ransomware families that limit encryption threads to 50 or base them on CPU cores, Gunra’s variant supports up to 100 concurrent threads.
This allows attackers to adjust encryption speed based on the victim’s hardware, ensuring faster encryption and limiting the window for detection and response. Consequently, the threat becomes harder to neutralize once deployed.
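The shortened response window described above is why rate-based monitoring matters on Linux hosts. The following is an added example, not code from the article or from Trend Micro's research: it samples `/proc` twice and flags processes that combine a high thread count with a high sustained disk-write rate. The thresholds, the 5-second interval and the function names are assumptions to be tuned against each host's baseline.

```python
import os
import time

# Assumed thresholds, not from the article: tune against each host's baseline.
MIN_THREADS = 50                  # the article cites 50 as the usual cap, 100 for Gunra
MIN_WRITE_RATE = 50 * 1024 ** 2   # bytes per second

def parse_fields(text):
    """Parse the 'Key: value' lines of /proc/<pid>/status or /proc/<pid>/io."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def sample(proc_root="/proc"):
    """Return {pid: (name, threads, write_bytes)} for every readable process."""
    procs = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as f:
                status = parse_fields(f.read())
            with open(os.path.join(proc_root, entry, "io")) as f:
                io = parse_fields(f.read())
            procs[int(entry)] = (status["Name"], int(status["Threads"]),
                                 int(io["write_bytes"]))
        except (OSError, KeyError, ValueError):
            continue  # process exited, or its io file is not readable by this user
    return procs

def flag(before, after, interval):
    """List (pid, name, threads, bytes_per_sec) over both thresholds, fastest first."""
    alerts = []
    for pid, (name, threads, written) in after.items():
        prev = before.get(pid)
        # write_bytes is cumulative, so a new (or reused) pid starts from zero.
        base = prev[2] if prev and prev[0] == name else 0
        rate = (written - base) // interval
        if threads >= MIN_THREADS and rate >= MIN_WRITE_RATE:
            alerts.append((pid, name, threads, rate))
    return sorted(alerts, key=lambda a: a[3], reverse=True)

if __name__ == "__main__":
    first = sample()
    time.sleep(5)
    for alert in flag(first, sample(), 5):
        print("ALERT pid=%d name=%s threads=%d write_rate=%d B/s" % alert)
```

Reading other users' `/proc/<pid>/io` requires root, and busy databases or backup jobs can cross both thresholds, so treat a hit as a triage signal to correlate with file-rename or extension-change telemetry.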
A Serious Cybersecurity Challenge
Clearly, Gunra is no longer a Windows-bound threat. With its expansion into Linux systems, it now presents a cross-platform danger to global enterprises. The ransomware’s high-speed encryption, aggressive leak tactics, and sector-spanning target list make it one of the most dangerous cyber threats of 2025.
For organizations operating in hybrid environments, it’s crucial to strengthen both Windows and Linux defenses. Proactive monitoring, updated backups, and cross-platform endpoint protection are now more essential than ever.

