This week, cybersecurity researchers at Ahnlab and ReversingLabs released reports on a new ransomware family called ‘GwisinLocker’, which has been seen targeting South Korean healthcare, industrial, and pharmaceutical companies with both Windows and Linux encryptors. The reports also highlight that these encryptors support encrypting VMware ESXi servers and virtual machines, and that they use AES symmetric-key encryption together with SHA256 hashing to encrypt the target’s devices.
The new ransomware is the product of a lesser-known threat actor dubbed Gwisin, which means “ghost” in Korean. Although the origin of the threat actor is unknown, it clearly has a good command of the Korean language. Additionally, its attacks have commonly coincided with Korean public holidays and occurred during early morning hours, a strong indicator that the actor has cultural knowledge of South Korea’s corporate world.
On Windows devices, the infection begins with the execution of an MSI installer file that requires special command-line arguments in order to properly load the embedded DLL acting as the ransomware encryptor.
On Linux devices, the encryptor focuses strongly on encrypting VMware ESXi virtual machines and includes two command-line arguments that control how it encrypts those virtual machines.
© 2021 CyberEnsō – Nihon Cyber Defence Co., Ltd. All Rights Reserved.