Gunra ransomware targets Windows and Linux; Linux variant's weak key generation allows brute-force decryption

The Gunra ransomware group, active since April 2025, targets both Windows and Linux systems worldwide through platform-specific malware variants. While the Windows version uses secure key generation, the Linux variant relies on a weak random source that lets defenders recover the encryption key by brute force. Organizations in regions such as South Korea have reported infections, highlighting the group's expanding operations.

Gunra ransomware first appeared in April 2025 and has since conducted targeted attacks across multiple industries and geographic regions, including confirmed incidents in South Korea and the broader Asia-Pacific area. The group deploys dual-format payloads: an EXE executable for Windows environments and an ELF binary for Linux systems. These variants encrypt sensitive files, exfiltrate corporate data, and demand ransom payments, with threats of public disclosure if demands go unmet.

The Linux ELF version is driven from the command line: the operator supplies the thread count, target paths, file extensions to process, an encryption rate, and the location of the RSA public key. It encrypts files and disks with ChaCha20, but its key material comes from a flawed random number generator: rand(), seeded with the current time in seconds as returned by time(). Because that seed changes only once per second, every draw made within the same second starts from an identical seed and produces the same output, so keys and nonces generated in that window consist of repeated byte values rather than 32 independent random bytes. A key built from a single repeated byte has only 256 possible values, so an attacker can try every byte from 0x00 to 0xFF, decrypt a file header with each candidate, and recover the plaintext with high probability, without needing to know the original timestamp. The malware skips files that already carry the ".encrt" extension and its ransom note, "R3ADM3.txt".

In contrast, the Windows EXE variant encrypts with ChaCha8 and draws its keys from the CryptGenRandom() API, backed by a Cryptographic Service Provider. That source is cryptographically secure, so the keys cannot be guessed the way the Linux keys can. ASEC researchers and other analysts have noted this disparity, which points to inconsistent development practices within Gunra. Organizations hit by the Linux variant can attempt recovery by exploiting the weak key generation; Windows victims have no such route and should expect permanent data loss unless they hold offline backups, which makes backups and prevention the only reliable defenses.
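To make the contrast between the two variants concrete, here is an added example in Python; it is not code from the page, from ASEC, or from the Gunra samples. It implements RFC 8439 ChaCha20, models the Linux variant's key generation as a draw from a time-seeded generator that repeats one byte across the whole key and nonce, and runs the 256-candidate brute force against a constructed file. The same search fails against a key from os.urandom, standing in for the Windows variant's CryptGenRandom. The reseed-per-byte model, the toy LCG used in place of glibc's rand(), the RFC-style 96-bit nonce with a counter starting at 1, and the sample file are all assumptions made for the illustration.

```python
"""Model of the weak ChaCha20 key generation attributed to the Gunra Linux
variant, and the 256-candidate brute force it permits. Added illustration;
the key-derivation model is an assumption, not a disassembly of the sample."""
import os
import struct
import time

MASK32 = 0xFFFFFFFF


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, nonce, counter):
    """RFC 8439 ChaCha20 block function: 256-bit key, 96-bit nonce, 32-bit counter."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state += (counter,)
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column, then diagonal)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, nonce, counter + i // 64)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)


def _first_rand_byte(seed):
    """Stand-in for 'srand(seed); rand() & 0xFF'. A toy LCG, not glibc's rand():
    the only property that matters here is that one seed yields one fixed byte."""
    return (((seed * 1103515245 + 12345) & 0x7FFFFFFF) >> 16) & 0xFF


def weak_keygen(now):
    """Assumed model of the Linux variant's flaw: the generator is reseeded from
    the current second before each byte is drawn, so within one second every byte
    of the key and nonce is the same value and the key space collapses to 256."""
    b = _first_rand_byte(int(now))
    return bytes([b]) * 32, bytes([b]) * 12


def secure_keygen():
    """What the Windows variant does in effect (CryptGenRandom): CSPRNG key material."""
    return os.urandom(32), os.urandom(12)


def brute_force(ciphertext, known_prefix):
    """Try all 256 single-byte fills; accept the candidate whose decryption of the
    leading bytes matches a known header (e.g. a file magic). Returns
    (byte, plaintext), or None when nothing fits, as with a properly random key."""
    for b in range(256):
        key, nonce = bytes([b]) * 32, bytes([b]) * 12
        if chacha20_xor(key, nonce, ciphertext[:len(known_prefix)]) == known_prefix:
            return b, chacha20_xor(key, nonce, ciphertext)
    return None


# Constructed sample "victim file": a PDF-like header followed by filler.
SAMPLE = b"%PDF-1.7\n% constructed sample document for the demo\n" + b"A" * 100


def demo():
    """Encrypt SAMPLE under both key sources and attack each with the same search."""
    weak_key, weak_nonce = weak_keygen(time.time())
    weak_ct = chacha20_xor(weak_key, weak_nonce, SAMPLE)
    recovered = brute_force(weak_ct, b"%PDF-")          # succeeds: (byte, SAMPLE)

    good_key, good_nonce = secure_keygen()
    good_ct = chacha20_xor(good_key, good_nonce, SAMPLE)
    not_recovered = brute_force(good_ct, b"%PDF-")      # None: 2^256 keys, not 256
    return recovered, not_recovered


if __name__ == "__main__":
    hit, miss = demo()
    print("weak key recovered, byte =", hit[0] if hit else None)
    print("secure key recovered:", miss is not None)
```

The attacker never needs the infection timestamp or glibc's exact rand() output: when the whole key is one repeated byte, trying all 256 fills against a few known header bytes is cheaper than modelling the generator. The same search against the os.urandom key returns None, which is the practical meaning of the Windows variant's use of CryptGenRandom.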
