
GwisinLocker ransomware exclusively targets South Korea

Researchers spotted a new family of ransomware, named GwisinLocker, that encrypts Windows and Linux ESXi servers.

Researchers warn of a new ransomware called GwisinLocker that is able to encrypt Windows and Linux ESXi servers. The ransomware targets South Korean healthcare, industrial, and pharmaceutical companies; its name comes from the alias of its author, ‘Gwisin’ (Korean for ghost).

The ransomware is distributed through targeted attacks against specific organizations. 

Experts also reported that the names of South Korean entities, such as the Korean police, the National Intelligence Service, and KISA, are listed on the ransom note.

The Gwisin threat actor hit Korean companies on public holidays and early in the morning according to local media.

The attack chain on Windows systems leverages an MSI installer that requires a special value as an execution argument in order to run the DLL file included in the MSI.

“It is similar to Magniber in that it operates in the MSI installer form. Yet unlike Magniber, which targets random individuals, Gwisin does not perform malicious behaviors on its own, requiring a special value for the execution argument. The value is used as key information to run the DLL file included in the MSI,” reads the report published by security firm Ahnlab. “As such, the file alone does not perform ransomware activities on security products of various sandbox environments, making it difficult to detect Gwisin. The ransomware’s internal DLL operates by being injected into a normal Windows process. The process is different for each infected company.”

The GwisinLocker ransomware is also able to operate in safe mode: it first copies itself to a specific path under ProgramData, then registers itself as a service before forcing a system reboot.
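The ProgramData copy, service registration and forced reboot described above form a sequence a defender can hunt for. The following is an added example, not code from the article or from Ahnlab: it correlates simplified "service installed" records with a restart initiated shortly afterwards by the same binary. The event shapes, host names, service names and paths are constructed for the example and are not real GwisinLocker indicators.

```python
"""Flag a service whose binary lives under ProgramData when the same binary
initiates a restart shortly afterwards (persistence-then-reboot pattern)."""
from datetime import datetime, timedelta

# Constructed, simplified records loosely modelled on Windows System log
# events 7045 (service installed) and 1074 (restart initiated by a process).
# Names and paths are invented for this example.
EVENTS = [
    {"id": 7045, "ts": "2022-08-05T04:10:02", "host": "srv01",
     "service": "TelemetryHelper", "image": r"C:\ProgramData\telhlp\telhlp.exe"},
    {"id": 7045, "ts": "2022-08-05T04:11:40", "host": "srv02",
     "service": "Backup Agent", "image": r"C:\Program Files\Vendor\agent.exe"},
    {"id": 1074, "ts": "2022-08-05T04:12:15", "host": "srv01",
     "image": r"C:\ProgramData\telhlp\telhlp.exe", "reason": "restart"},
    {"id": 1074, "ts": "2022-08-05T18:00:00", "host": "srv02",
     "image": r"C:\Windows\System32\wininit.exe", "reason": "restart"},
]

PROGRAMDATA = "c:\\programdata\\"


def _ts(value):
    return datetime.fromisoformat(value)


def service_from_programdata(ev):
    """True for a service-install record whose image path sits under ProgramData."""
    return ev["id"] == 7045 and ev["image"].lower().startswith(PROGRAMDATA)


def find_persist_then_reboot(events, window=timedelta(minutes=10)):
    """Return (host, service, image) for each ProgramData service install that
    was followed within `window` by a restart initiated by the same binary
    on the same host. Installs without a matching reboot are not reported."""
    hits = []
    installs = [e for e in events if service_from_programdata(e)]
    reboots = [e for e in events if e["id"] == 1074]
    for inst in installs:
        for rb in reboots:
            same_origin = (rb["host"] == inst["host"]
                           and rb["image"].lower() == inst["image"].lower())
            delta = _ts(rb["ts"]) - _ts(inst["ts"])
            if same_origin and timedelta(0) <= delta <= window:
                hits.append((inst["host"], inst["service"], inst["image"]))
    return hits


if __name__ == "__main__":
    for hit in find_persist_then_reboot(EVENTS):
        print("suspicious persistence followed by reboot:", hit)
```

A vendor agent installed under Program Files (srv02) is deliberately left unflagged, so the rule keys on the ProgramData location plus the reboot, not on service creation alone.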

[Image: GwisinLocker (source: Ahnlab)]

Researchers from ReversingLabs analyzed the Linux version of the ransomware and pointed out that it is a sophisticated piece of malware with features specifically designed to manage Linux hosts and target VMware ESXi virtual machines. GwisinLocker combines AES symmetric-key encryption with SHA256 hashing and generates a unique key for each file.

The victims of the Linux GwisinLocker variant are required to log into a portal operated by the group to get in contact with the crooks.  

“Analysis and public reporting of the larger GwisinLocker campaign suggests the ransomware is in the hands of sophisticated threat actors who gain access to, and control over, target environments prior to the deployment of the ransomware. That includes identifying and stealing sensitive data for use in so-called ‘double extortion’ campaigns,” concludes the report published by ReversingLabs. “Details in samples of the group’s ransom notes suggest a familiarity with the Korean language as well as South Korean government and law enforcement. This has led to speculation that Gwisin may be a North Korean-linked advanced persistent threat (APT) group.”


Pierluigi Paganini
