highRansomware

Gunra Ransomware's Linux Variant Has a Fatal Flaw: time()-Seeded rand() Makes Encrypted Files Recoverable Without Paying

PublishedMarch 12, 2026

Threat Actors:Profile

ransomwarec2exploitiot

TL;DR: Gunra is a Conti-derived RaaS operation that expanded to Linux with a compact 84KB ELF binary targeting enterprise servers. Our analysis of the x86-64 variant reveals a catastrophic cryptographic weakness: the Linux build generates ChaCha20 key material using musl-libc's rand() seeded by time(), reducing the entire keyspace to roughly 256 possible values per second of encryption activity. Files encrypted by this variant are recoverable via brute-force without paying the USD 7-10M ransom. We mapped 5 Tor hidden services (including a Windows-based Apache data leak site), identified 4 ELF builds across x86-64, i386, and two ARM architectures all uploaded to MalwareBazaar on the same day, and confirmed an active RaaS affiliate program running on the RAMP forum since January 2026.

From Conti Leak to Multi-Architecture Ransomware

Gunra's lineage traces directly to the Conti source code leak of March 2022. First observed in April 2025 as a Windows-only operation, the group expanded to Linux by July 2025 and has since claimed 20+ victims across 8 countries -- Brazil, Japan, Canada, Turkey, South Korea, Taiwan, Egypt, and the United States. Ransom demands consistently land in the USD 7-10 million range, with a 5-day payment deadline. In December 2025, they hit INHA University in South Korea, exfiltrating 650GB of data.

In January 2026, Gunra launched an affiliate program on the RAMP dark web forum, transitioning to a full Ransomware-as-a-Service model. The timing aligns with infrastructure expansion: five .onion domains appeared in ThreatFox on January 13, and the affiliate recruitment post went live January 15.

On March 4, 2026, four ELF samples covering every major Linux architecture landed on MalwareBazaar within the same submission window -- an operational leak that gave us a complete picture of their build system.

The Sample: 84KB of Devastation

Property	Value
Filename	`build_4vHU_eBN.bin`
SHA-256	`5677dfad26045e271272bc98be2fd24e2f6d13737850ab1d9857fd58de05e9f9`
MD5	`182024fc6c5fe0b1b33fdd9c7c37e368`
SHA-1	`b75596415398073aa4c050cdc2f83861b8b90ee1`
File size	84,512 bytes (82.5 KB)
Format	ELF 64-bit LSB PIE, x86-64, static-pie linked, stripped
Compiler	GCC 11.2.1 20211120
C library	musl-libc (static)
First seen	2026-03-04 05:50:40 UTC
Detection	ClamAV: `ELF.Filecoder-JX`, ReversingLabs: `Linux.Trojan.Multiverze` (58% detection)
Triage score	10/10

At 84KB with 61KB of executable code, this is remarkably compact ransomware. The entire encryption engine (ChaCha20 + RSA-4096), recursive filesystem traversal, ransom note deployment, and argument parsing fits in less code than most web page JavaScript bundles. The binary is statically linked against musl-libc, stripped of all symbols, and compiled as a position-independent executable -- designed to run on any modern Linux system without dependencies.

ELF Section Layout

Section	Offset	Size	Purpose
`.text`	0x5d0	62,901 bytes	Executable code
`.rodata`	0xfba0	7,919 bytes	Ransom note, RSA-4096 public key, constants
`.data`	0x14020	728 bytes	Initialized data, Base64 alphabet
`.bss`	0x142f8	2,784 bytes	Uninitialized data

Encryption Architecture: ChaCha20 + RSA-4096

Gunra implements a standard hybrid encryption scheme. Each file gets a unique symmetric key, and that key is then encrypted with the embedded RSA public key and stored alongside the ciphertext.

Symmetric layer -- ChaCha20:

The constant "expand 32-byte k" is loaded via two MOV RAX instructions at offsets 0x27f0 and 0x2828
32-byte (256-bit) keys, 12-byte (96-bit) IETF nonces
Fresh key and nonce generated per file

Asymmetric layer -- RSA-4096:

4096-bit modulus (512 bytes), confirmed via ASN.1 parsing of the embedded public key
Public exponent: 65537 (0x10001)
Each build contains a unique RSA-4096 keypair -- the private key stays with the operator

Encrypted file structure:

Encrypted files receive the .GNRA extension. A footer is appended containing the RSA-encrypted symmetric key in a structure marked by the ENCRT magic:

Offset  Size  Value       Meaning
0x00    5     "ENCRT"     Magic marker
0x05    3     00 00 00    Padding
0x08    4     0x80 (128)  Encrypted key block size
0x0C    4     0x01        Version/flags

Additionally, .keystore files are created containing the RSA-encrypted per-file symmetric keys.

The Fatal Flaw: Weak PRNG Destroys the Encryption

This is where Gunra's Linux variant falls apart. The Windows variant uses CryptGenRandom() -- a cryptographically secure PRNG -- to generate ChaCha20 key material. The Linux variant uses rand() from musl-libc, seeded by time().

Component	Detail
PRNG function	musl-libc `rand()` -- Linear Congruential Generator
LCG constant	`0x41C64E6D` (1,103,515,245) at binary offset `0x6c91`
LCG formula	`seed = seed * 0x41C64E6D + 12345; return (seed >> 16) & 0x7FFF`
Seed source	`time()` -- Unix timestamp in seconds
Output range	15-bit values (0-32767)
Effective keyspace	~256 possible seeds per second of encryption

This is a catastrophic implementation error. The LCG produces only 15 bits of entropy per call, and since the seed is the current Unix timestamp in seconds, the entire keyspace for a given second of encryption activity is approximately 256 values. For a realistic 1-hour encryption window, there are only ~3,600 possible seed values to test.

Recovery Procedure for Incident Responders

If your organization has been hit by the Linux variant of Gunra:

Preserve file timestamps immediately -- do not modify encrypted files. The mtime/ctime of .GNRA files narrows the seed search window
Determine the approximate encryption time from filesystem metadata, system logs, or security tool alerts
For each candidate seed value in the time window, derive the full ChaCha20 key and nonce using the same rand() sequence
Test decryption against a file with known plaintext headers (e.g., PDF magic bytes, ELF headers, Office document signatures)
The correct seed produces valid plaintext -- all other files encrypted in the same second share the same seed

The Windows variant (.ENCRT extension) uses CryptGenRandom() and is NOT vulnerable to this attack. Only .GNRA files from the Linux ELF variant are recoverable.

Behavioral Profile: What It Does on a Live System

Sandbox analysis reveals aggressive system modification beyond encryption:

Behavior	Severity
Renames 15,564 files with `.GNRA` extension	9
Deletes journal logs	7
Modifies PAM framework	7
Modifies Polkit authorization	7
Modifies sudoers policy	7
Creates/modifies cron jobs	6
Deletes log files	6
Enumerates running processes	6
Modifies init.d / rc scripts	6
Writes to system bin folder	6
Modifies Bash startup scripts	5

The binary skips critical system directories to keep the host bootable:

/proc  /bin   /usr   /boot  /dev   /etc   /lib
/lib64 /run   /sbin  /srv   /sys   /tmp

Everything else -- /home, /var, /opt, /root, /mnt, /media -- is fair game. This is data-targeted ransomware: it encrypts your files while keeping the OS functional enough for you to read the ransom note and navigate to the Tor portal.

The Ransom Note: R3ADM3.txt

Your data has been encrypted, and we have taken copies of certain sensitive files.
This encryption was carried out for financial reasons, and a payment will be required
before we can provide the tools needed to restore your data.
You will not be able to restore your data without our assistance. We can ensure full
recovery if we work together.
To show that we are able to restore your files, we can decrypt a few non-critical
files at no cost.
If we reach an agreement, we will keep all discussions private and delete the data
we took.

========================== How to Contact Us ==========================

Please download Tor Browser from the URL https://www.torproject.org/
Then install and open it.
Then connect to the URL below and log in with the given credentials.

Contact URL: http://nsnhzysbntsqdwpys6mhml33muccsvterxewh5rkbmcab7bg2ttevjqd[.]onion
Client ID: -QHJ09DEo_CE2VYlV5lRO
Initial password: 5884cabf6334c90f606cc1f68c00df04

Each build ships with a unique Client ID and password, confirming per-victim binary customization.

Build System and Multi-Architecture Targeting

The filename pattern build_<8-char-random>.bin points to an automated build pipeline that generates per-victim or per-affiliate binaries with unique RSA keypairs and negotiation credentials.

Five samples from this family have been identified:

Filename	Architecture	Size	SHA-256	First Seen
`build_Od5Qq_F4.bin`	ARM	95,892	`0909ecc86f8a89831c9c229de91b829aba6cb54685a2478f89cc04376b13488e`	2026-03-04
`build_hQN4yJ9k.bin`	ARM	87,704	`eb46dfb4f15000a7d4af040b68e541251fd5716d2a77958b471a17ce2960416f`	2026-03-04
`build_i4GM6ik5.bin`	i386	87,736	`75cb7eb79a5fa0d388547520c6c452c700d38659080be074d70395729a0b578e`	2026-03-04
`build_4vHU_eBN.bin`	x86-64	84,512	`5677dfad26045e271272bc98be2fd24e2f6d13737850ab1d9857fd58de05e9f9`	2026-03-04
`tool.exe_`	Windows PE	199,168	`6d59bb6a9874b9b03ce6ab998def5b93f68dadedccad9b14433840c2c5c3a34e`	2025-09-23

All four ELF samples appeared on the same day, suggesting either a batch build for a specific campaign or a development/testing upload by the operator. The ARM variants (two of them, at different sizes) indicate targeting of embedded Linux systems, NAS devices, or IoT infrastructure -- environments where ARM processors are dominant.

Infrastructure: 5 Tor Hidden Services

Domain	Type	First Seen	Technology
`nsnhzysbntsqdwpys6mhml33muccsvterxewh5rkbmcab7bg2ttevjqd[.]onion`	Negotiation Portal	2026-01-13	nginx
`tgsst34i6z4mwdj2kpigixxb3k3xfz7xhuqnsowvfvyu3snm6nv4s5ad[.]onion`	Data Leak Site	2026-01-13	Apache/2.4.63 (Win64)
`myeli53ogsryjg2kob4xqxtwkr5oc5zj7jr5fcfizpytwe566k5thxyd[.]onion`	DLS Mirror	2026-01-13	Apache/2.4.63 (Win64)
`6oeuvb4fq65xlrft2ezxjmkeqnu7oafbsevrr3ocer27wft6ivvhstqd[.]onion`	DLS Mirror	2026-01-13	Apache/2.4.63 (Win64)
`ryrw2ojab62yij4y33ssfgvm2d2vwt3tcqetu6qmpwznqhooqxz3wpqd[.]onion`	DLS Mirror	2026-01-13	Apache/2.4.63 (Win64)

The negotiation portal runs nginx, while the data leak site and all three mirrors run Apache 2.4.63 on Windows 64-bit with PHP 8.4.5. Running a Tor hidden service on Windows is an unusual OPSEC choice -- Windows has a larger attack surface, generates more telemetry, and is more susceptible to deanonymization techniques than a hardened Linux host. This is a potential vector for law enforcement takedown efforts.

The separation of negotiation (nginx) from data leak (Apache/Windows) infrastructure suggests two different systems or operators handling victim communication vs. public shaming.

Threat Actor OPSEC Failures

Gunra makes several operational security mistakes that reduce their effectiveness and increase their exposure:

Weak PRNG in the Linux variant -- The most damaging mistake. Using rand() seeded by time() instead of /dev/urandom or getrandom() renders the entire Linux encryption scheme breakable. This is likely a porting oversight where a developer replaced Windows-specific CryptGenRandom() calls with the first libc random function they found, without understanding the cryptographic implications.
Windows-based Tor hidden service -- The Apache/Win64 server header reveals the operating system of their data leak infrastructure. This provides law enforcement with a narrower target for deanonymization.
Same-day multi-architecture upload -- All four ELF variants hit MalwareBazaar on March 4, suggesting either automated submission (unlikely for an operator) or a testing/development workflow that leaked samples.
Consistent build naming convention -- The build_<8-char>.bin pattern is a huntable fingerprint across malware repositories and network traffic.

MITRE ATT&CK Mapping

Tactic	Technique	ID
Execution	Unix Shell	T1059.004
Persistence	Scheduled Task/Job: Cron	T1053.003
Persistence	Boot or Logon Initialization Scripts	T1037
Privilege Escalation	Abuse Elevation Control Mechanism	T1548
Defense Evasion	Obfuscated Files or Information (stripped binary)	T1027
Defense Evasion	Indicator Removal: Clear Linux or Mac System Logs	T1070.002
Defense Evasion	Modify Authentication Process: PAM	T1556.003
Discovery	File and Directory Discovery	T1083
Discovery	System Information Discovery	T1082
Impact	Data Encrypted for Impact	T1486
Impact	Internal Defacement	T1491.001

Indicators of Compromise

File Hashes (SHA-256)

5677dfad26045e271272bc98be2fd24e2f6d13737850ab1d9857fd58de05e9f9  (x86-64)
75cb7eb79a5fa0d388547520c6c452c700d38659080be074d70395729a0b578e  (i386)
eb46dfb4f15000a7d4af040b68e541251fd5716d2a77958b471a17ce2960416f  (ARM)
0909ecc86f8a89831c9c229de91b829aba6cb54685a2478f89cc04376b13488e  (ARM)
6d59bb6a9874b9b03ce6ab998def5b93f68dadedccad9b14433840c2c5c3a34e  (Windows PE)

Fuzzy Hashes

TLSH: T11C835A02B6A1C4FEC096C570879FD127AA36BC8423217A6B37A47B742F36E611F0E755
ssdeep: 1536:+Ut1Ygs3HDN8nNC55qwcOWWjVhBDy/X0IUwcKnorVV7:+QYgsXDN8N/9ObVhw00QVV7

Tor Infrastructure (Defanged)

hxxp://nsnhzysbntsqdwpys6mhml33muccsvterxewh5rkbmcab7bg2ttevjqd[.]onion
tgsst34i6z4mwdj2kpigixxb3k3xfz7xhuqnsowvfvyu3snm6nv4s5ad[.]onion
myeli53ogsryjg2kob4xqxtwkr5oc5zj7jr5fcfizpytwe566k5thxyd[.]onion
6oeuvb4fq65xlrft2ezxjmkeqnu7oafbsevrr3ocer27wft6ivvhstqd[.]onion
ryrw2ojab62yij4y33ssfgvm2d2vwt3tcqetu6qmpwznqhooqxz3wpqd[.]onion

Behavioral Indicators

R3ADM3.txt          (ransom note filename)
.GNRA               (encrypted file extension -- Linux)
.ENCRT              (encrypted file extension -- Windows)
.keystore           (RSA-encrypted key storage files)
GNRAH               (file magic header in encrypted files)
build_[A-Za-z0-9_]{8}\.bin   (build filename pattern)

Detection Opportunities

YARA Rules

rule Gunra_ELF_ChaCha20_PRNG_Weakness {
    meta:
        description = "Detects Gunra ransomware Linux ELF variant with weak PRNG"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
        severity = "CRITICAL"
        reference = "https://intel.breakglass.tech"
    strings:
        $chacha_const1 = "expand 32-byte k" ascii
        $lcg_constant = { 6D 4E C6 41 }  // 0x41C64E6D little-endian (musl rand LCG)
        $ransom_note = "R3ADM3.txt" ascii
        $extension = ".GNRA" ascii
        $magic = "GNRAH" ascii
        $keystore = ".keystore" ascii
        $encrt_magic = "ENCRT" ascii
    condition:
        uint32(0) == 0x464C457F and  // ELF magic
        $chacha_const1 and
        $lcg_constant and
        2 of ($ransom_note, $extension, $magic, $keystore, $encrt_magic)
}

rule Gunra_ELF_Builder_Pattern {
    meta:
        description = "Detects Gunra ELF binaries by build naming and structural patterns"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
        severity = "HIGH"
    strings:
        $note_content = "Your data has been encrypted" ascii
        $tor_instruction = "Please download Tor Browser" ascii
        $contact_url = ".onion" ascii
        $client_id = "Client ID:" ascii
        $password = "Initial password:" ascii
        $excluded1 = "/proc" ascii
        $excluded2 = "/boot" ascii
        $excluded3 = "/sbin" ascii
    condition:
        uint32(0) == 0x464C457F and
        filesize < 100KB and
        2 of ($note_content, $tor_instruction, $contact_url) and
        ($client_id or $password) and
        2 of ($excluded*)
}

Sigma Rules -- Linux Endpoint Detection

title: Gunra Ransomware File Encryption Activity
id: 8f3a1b2c-4d5e-6f7a-8b9c-0d1e2f3a4b5c
status: experimental
description: Detects Gunra ransomware file renaming pattern and ransom note creation
author: Breakglass Intelligence
date: 2026-03-09
logsource:
    product: linux
    category: file_event
detection:
    selection_extension:
        TargetFilename|endswith: '.GNRA'
    selection_note:
        TargetFilename|endswith: 'R3ADM3.txt'
    selection_keystore:
        TargetFilename|endswith: '.keystore'
    condition: selection_extension or selection_note or selection_keystore
level: critical
tags:
    - attack.impact
    - attack.t1486

title: Gunra Ransomware Defense Evasion -- Log Deletion and PAM Modification
id: 9a4b2c3d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects system modifications consistent with Gunra Linux variant
author: Breakglass Intelligence
date: 2026-03-09
logsource:
    product: linux
    category: process_creation
detection:
    selection_journal:
        CommandLine|contains:
            - 'journalctl --vacuum'
            - 'rm -rf /var/log'
    selection_pam:
        CommandLine|contains:
            - '/etc/pam.d/'
        Image|endswith:
            - '/sed'
            - '/tee'
    selection_sudoers:
        TargetFilename|contains: '/etc/sudoers'
    condition: 1 of selection_*
level: high
tags:
    - attack.defense_evasion
    - attack.t1070.002
    - attack.t1556.003

Hunting Queries

Filesystem -- hunt for encryption artifacts:

# Find Gunra ransom notes
find / -name "R3ADM3.txt" -type f 2>/dev/null

# Find encrypted files
find / -name "*.GNRA" -type f 2>/dev/null

# Find keystore files (RSA-encrypted symmetric keys)
find / -name "*.keystore" -type f 2>/dev/null

# Check for the GNRAH magic header in suspicious files
find /home /var /opt /root -type f -exec sh -c 'head -c 5 "$1" | grep -q "GNRAH" && echo "$1"' _ {} \;

Persistence -- hunt for unauthorized system modifications:

# Recent cron modifications
find /etc/cron* /var/spool/cron -mtime -7 -ls 2>/dev/null

# PAM configuration changes
find /etc/pam.d -mtime -7 -ls 2>/dev/null

# Sudoers modifications
stat /etc/sudoers /etc/sudoers.d/* 2>/dev/null

# Init script modifications
find /etc/init.d /etc/rc*.d -mtime -7 -ls 2>/dev/null

# Bash startup script modifications
find /home -name ".bashrc" -o -name ".bash_profile" -mtime -7 2>/dev/null

Network -- Suricata rules for Tor detection:

# Tor circuit establishment (generic)
alert tcp any any -> any 9001 (msg:"GUNRA Potential Tor Circuit to Negotiation Portal"; \
  flow:established,to_server; content:"|00 00|"; depth:2; \
  sid:2026030901; rev:1;)

Immediate Response Checklist

If you discover .GNRA files on your Linux infrastructure:

DO NOT reboot or modify encrypted files -- timestamps are critical for PRNG recovery
Image affected drives forensically before any remediation
Record the mtime and ctime of all .GNRA files to establish the encryption time window
Collect R3ADM3.txt for the embedded Client ID and credentials (useful for threat intelligence sharing)
Check for lateral movement: audit SSH keys, cron jobs, PAM configs, and sudoers across all Linux hosts
Contact ASEC/AhnLab for decryption guidance -- they have published prior analysis of the weak PRNG
Begin brute-force key recovery using the time-window approach described above

Published by Breakglass Intelligence. Investigation conducted 2026-03-09. 5 samples analyzed across 4 architectures. 5 Tor hidden services mapped. Weak PRNG confirmed exploitable for file recovery. Classification: TLP:CLEAR