
GwisinLocker ransomware exclusively targets South Korea

Researchers spotted a new ransomware family, named GwisinLocker, that encrypts Windows and Linux servers, including VMware ESXi hosts.

Researchers warn of a new ransomware family, GwisinLocker, that can encrypt Windows and Linux servers, including VMware ESXi hosts. The ransomware targets South Korean healthcare, industrial, and pharmaceutical companies; its name comes from the alias of its author, 'Gwisin' (ghost in Korean).

The ransomware is distributed through targeted attacks against specific organizations. 

Experts also reported that the names of South Korean entities, such as the Korean police, the National Intelligence Service, and KISA (Korea Internet & Security Agency), are listed in the ransom note.

According to local media, the Gwisin threat actor hit Korean companies on public holidays and in the early morning hours.

On Windows systems the attack chain relies on an MSI installer that requires a special value, passed as an execution argument, to run the DLL file embedded in the MSI. Without that value the package performs no malicious action, which is why it passes through sandbox analysis undetected.

“It is similar to Magniber in that it operates in the MSI installer form. Yet unlike Magniber which targets random individuals, Gwisin does not perform malicious behaviors on its own, requiring a special value for the execution argument. The value is used as key information to run the DLL file included in the MSI.” reads the report published by security firm AhnLab. “As such, the file alone does not perform ransomware activities on security products of various sandbox environments, making it difficult to detect Gwisin. The ransomware’s internal DLL operates by being injected into a normal Windows process. The process is different for each infected company.”

GwisinLocker can also run in Safe Mode: it first copies itself to a specific path under ProgramData, registers that copy as a service, and then forces a system reboot.

Source: AhnLab
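The Windows chain described above (an MSI run with an extra execution argument, a service registered from ProgramData, then a forced reboot) is a sequence a defender can correlate in endpoint telemetry. The following is an added example written for this article, not code from AhnLab or from the GwisinLocker authors: it runs a three-stage correlation over a handful of constructed events loosely modelled on Sysmon Event ID 1 (process creation) and the System log's Event ID 7045 (service installed). The event field names, the host names, the 30-minute window, and the list of common MSI public properties are all assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names are assumptions
# for this example; map them to your own EDR or Sysmon schema.
SAMPLE_EVENTS = [
    {"ts": "2022-08-01T04:10:02", "host": "srv01", "type": "process",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\admin\Downloads\update.msi /qn"},
    {"ts": "2022-08-01T04:12:30", "host": "srv01", "type": "process",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\ProgramData\setup.msi /qn KEY=8f3a1c2e"},
    {"ts": "2022-08-01T04:13:05", "host": "srv01", "type": "service_install",
     "service": "WinUpdateSvc", "image_path": r"C:\ProgramData\svc\wupd.exe"},
    {"ts": "2022-08-01T04:13:40", "host": "srv01", "type": "process",
     "image": r"C:\Windows\System32\shutdown.exe",
     "cmdline": "shutdown.exe /r /f /t 0"},
    {"ts": "2022-08-01T09:00:00", "host": "srv02", "type": "service_install",
     "service": "Backup", "image_path": r"C:\Program Files\Backup\agent.exe"},
]

# MSI public properties are passed on the command line as UPPERCASE=value.
MSI_PROPERTY = re.compile(r"\s([A-Z][A-Z0-9_]*)=(\S+)")
# Properties that legitimate installers set all the time (assumed allow-list).
COMMON_PROPS = {"ALLUSERS", "REBOOT", "INSTALLDIR", "TARGETDIR", "MSIFASTINSTALL"}


def stage_of(ev):
    """Map one event to a stage of the chain, or None if it is not interesting."""
    if ev["type"] == "process" and ev["image"].lower().endswith("msiexec.exe"):
        props = {m.group(1) for m in MSI_PROPERTY.finditer(ev["cmdline"])}
        if props - COMMON_PROPS:           # an unusual property such as KEY=...
            return "msi_with_custom_property"
    elif ev["type"] == "service_install":
        if ev["image_path"].lower().startswith(r"c:\programdata"):
            return "service_from_programdata"
    elif ev["type"] == "process" and ev["image"].lower().endswith("shutdown.exe"):
        if re.search(r"/r\b", ev["cmdline"]):  # /r = restart
            return "forced_reboot"
    return None


def find_chains(events, window=timedelta(minutes=30)):
    """Return one finding per host where an MSI with a custom property is followed,
    within `window`, by a service installed from ProgramData and a forced reboot."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage:
            by_host.setdefault(ev["host"], []).append(
                (datetime.fromisoformat(ev["ts"]), stage))
    findings = []
    for host, staged in by_host.items():
        for i, (t0, s0) in enumerate(staged):
            if s0 != "msi_with_custom_property":
                continue
            later = {s for t, s in staged[i:] if t - t0 <= window}
            if {"service_from_programdata", "forced_reboot"} <= later:
                findings.append({"host": host, "start": t0.isoformat(),
                                 "stages": sorted(later)})
                break
    return findings


if __name__ == "__main__":
    for finding in find_chains(SAMPLE_EVENTS):
        print(finding)
```

On its own, an msiexec command line carrying an unfamiliar public property is weak evidence, since many vendor installers set custom properties; the value of the rule comes from requiring the later service registration from ProgramData and the reboot on the same host within the window. Tune `COMMON_PROPS` against your own baseline before deploying anything like this.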

Researchers from ReversingLabs analyzed the Linux version of the ransomware and described it as a sophisticated piece of malware with features specifically designed to manage Linux hosts and to target VMware ESXi virtual machines. GwisinLocker combines AES symmetric-key encryption with SHA256 hashing, generating a unique key for each file.

Victims of the Linux GwisinLocker variant are required to log into a portal operated by the group in order to contact the attackers.

“Analysis and public reporting of the larger GwisinLocker campaign suggests the ransomware is in the hands of sophisticated threat actors who gain access to, and control over, target environments prior to the deployment of the ransomware. That includes identifying and stealing sensitive data for use in so-called “double extortion” campaigns.” concludes the report published by ReversingLabs. “Details in samples of the group’s ransom notes suggest a familiarity with the Korean language as well as South Korean government and law enforcement. This has led to speculation that Gwisin may be a North Korean-linked advanced persistent threat (APT) group.”

Pierluigi Paganini
