Gunra ransomware was first noticed in April throughout a marketing campaign geared toward Home windows methods, using ways modeled after the infamous Conti ransomware.
Linux variant packs encryption upgrades
Not like its Home windows counterpart, the Linux construct boasts extremely configurable multi-threading, letting attackers spin up as many as 100 concurrent encryption threads — double that of comparable ransomware like BERT.
“Gunra ransomware’s Linux variant requires configuration to specify the variety of threads used for encryption, which is capped at 100,” Pattern Micro mentioned. “Whereas different ransomware teams additionally equip their payloads with multi-thread encryption, it’s normally mounted and primarily based on the variety of processors out there within the sufferer’s machine.”
Sufferer information may be chosen by path or extension, or attackers can merely encrypt every thing recursively. Recordsdata tagged with the “.ENCRT” extension, these already encrypted, are skipped. Curiously, the Linux variant doesn’t drop a ransom notice in any respect, leaving fewer clues behind.
The variant additionally helps partial encryption, permitting operators to encrypt parts of information for faster assaults. “The algorithm helps partial encryption primarily based on the ratio parameter supplied upon execution, as indicated by the “-r” or “–ratio” parameter. The “-l” or the “–restrict” parameter is used to manage how a lot of the file will get encrypted. If no worth is supplied, the complete file is encrypted,” Pattern Micro added.
Moreover, the variant provides versatile key-storage choices for RSA-encrypted keys. Utilizing the “-s” or “—retailer” parameter makes the ransomware save every file’s RSA-encrypted blob in a separate keystore file reasonably than appending it to the encrypted file.
