GwisinLocker Ransomware Exclusively Targets South Korea

Researchers warn of a new ransomware called GwisinLocker which can encrypt Windows and Linux ESXi servers. The ransomware targets South Korean healthcare, industrial, and pharmaceutical companies. Its name comes from the name of the author ‘Gwisin’.

The threat actors distributed the ransomware through attacks against specific organizations. Experts also reported that the names of South Korean entities, such as the Korean police, the National Intelligence Service, and KISA, are listed on the ransom note.

The Gwisin threat actor hit Korean companies on public holidays and early in the morning, according to local media. The attack chain on Windows systems leverages the MSI installer and requires a special value as an argument to run the DLL file included in the MSI.

GwisinLocker was Similar to Magniber

Ahnlab security firm says it is similar to Magniber in that it operates in the MSI installer form. Unlike Magniber, which targets random individuals, Gwisin does not perform malicious behavior on its own but requires a special value for the execution argument.

It uses this value as key information to run the DLL file included in the MSI. As such, the file alone does not perform ransomware activities on security products in various sandbox environments, making it difficult to detect Gwisin.

For the ware to work, the hacker must inject it into a normal windows process. The ransomware adapts to different forms on each attack.

Analytical Findings on Malware

ReversingLabs analyzed the Linux version of the ransomware. They pointed out that the engineers designed this sophisticated piece of malware with features to manage Linux hosts and targets VMWare ESXi virtual machines.

GwisinLocker combines AES symmetric-key encryption with SHA256 hashing, it generated a unique key for each file. Victims of the Linux GwisinLocker variant must log into a portal operated by the group to get in contact with the crooks.