GwisinLocker New Ransomware

A new ransomware family has been discovered by ReversingLabs’ cybersecurity analysts, which targets specifically Linux-based systems using a range of encryption methods. GwisinLocker is the malware responsible for the attack.

The GwisinLocker ransomware is one of the latest types of ransomware targeting South Korean companies in industries and pharmaceuticals.

In addition to being an entirely new malware variant, it is notable for the fact that it was produced by a threat actor that had been little known previously. 

It is specially designed to target systems that are running the open-source Linux OS, and not only that even it also supports encrypting VMware ESXi servers and VMs. As a result of a significant network compromise, ransomware has been deployed and data has been compromised and exfiltrated.

In the early morning hours, the attacks took place during Korean public holidays. Therefore, Gwisin has a thorough understanding of the cultural and business practices in the country.

Targets Windows and Linux ESXi Servers

Late last month, when the threat actor compromised large pharmaceutical companies in South Korea, information on Gwisin and its activities began to appear in South Korean media outlets.

During the encryption process, GwisinLocker encrypts the device with the use of an MSI file that is executed when the infection begins. 

The embedded DLL that acts as the ransomware encryptor needs certain command line arguments that need to be added to the command line to properly load it.

Security researchers find it more difficult to analyze ransomware when it requires command-line arguments. A Windows process will be decrypted and its internal DLL injected into it so that it will evade detection by anti-virus software when the proper command-line arguments are supplied.

It is also possible to configure the ransomware to run in safe mode by explicitly specifying a safe mode argument in the configuration file.

ESXi virtual machines are the main focus of the encryptor, which includes two command-line arguments that allow the encryptor to encrypt these virtual machines. 

By using this parameter, the Linux virtual machine encryption tool is able to control the way virtual machines are encrypted.

Ransom Note

Each encryptor is customized for every single OS targeted in the attack, regardless of which ones are targeted in the attack. As a result of their customization, they meet the following requirements:- 

In the ransom note, the name of the company is included.

The names of encrypted files are always preceded by a unique extension.

As part of the ransom note, you will find the following type of names:-

  • ‘!!!_HOW_TO_UNLOCK_[company_name]_FILES_!!!.TXT’

The ransom notes clearly warn that South Korean law enforcement agencies and KISA should not be contacted by victims, and the ransom notes were written in English.

In order to restore files, victims were instructed that they must use the Tor browser to access an onion address provided by the operators, login, and pay the ransom.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.