
New GwisinLocker ransomware can target and encrypt Windows and Linux ESXi servers

This week, cybersecurity researchers at Ahnlab and ReversingLabs released reports on a new ransomware family called ‘GwisinLocker’, which has been seen targeting South Korean healthcare, industrial, and pharmaceutical companies with Windows and Linux encryptors. The reports also highlight that these encryptors can encrypt VMware ESXi servers and virtual machines, and that they use AES symmetric-key encryption with SHA256 hashing to encrypt the target’s devices.

The new ransomware is the product of a lesser-known threat actor dubbed Gwisin, which means “ghost” in Korean. Although the origin of the threat actor is unknown, it appears to have a good command of the Korean language. Additionally, its attacks commonly coincided with Korean public holidays and took place during the early morning hours, a good indicator that the threat actor is familiar with South Korean culture and the country’s corporate world.

For encrypting Windows devices, the infection begins with the execution of an MSI installer file, which requires special command-line arguments to properly load the embedded DLL that acts as the ransomware encryptor.
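As an added defensive illustration (not from the Ahnlab or ReversingLabs reports, and not GwisinLocker's own command line, which the article does not give), the Python triage heuristic below scores process-creation events for msiexec.exe launches that pass custom public properties, because an MSI loader that needs special arguments to unpack its payload shows up as exactly that in process telemetry. The property allow-list, the path patterns and the sample events are assumptions constructed for the example.

```python
import re

# Public MSI properties that legitimate unattended installs commonly pass.
# Illustrative allow-list (assumption): tune it to the installers in your estate.
KNOWN_PROPERTIES = {"ACTION", "ADDLOCAL", "ALLUSERS", "INSTALLDIR", "REBOOT",
                    "REINSTALL", "REINSTALLMODE", "TARGETDIR", "TRANSFORMS"}
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')        # keeps KEY="a b" as one token
PROPERTY = re.compile(r"^([A-Z_][A-Z0-9_]*)=(.*)$")  # public property NAME=value
QUIET = re.compile(r"\s[/-](?:q[nbrf]?|quiet)\b", re.I)
USER_WRITABLE = re.compile(r"\\(temp|tmp|downloads|public|appdata)\\", re.I)

def custom_properties(cmdline):
    """Return {NAME: value} for public properties outside the allow-list."""
    found = {}
    for raw in TOKEN.findall(cmdline):
        m = PROPERTY.match(raw.replace('"', ""))
        if m and m.group(1) not in KNOWN_PROPERTIES:
            found[m.group(1)] = m.group(2)
    return found

def assess(event):
    """Score one process-creation event; returns (score, reasons)."""
    if not event["image"].lower().endswith(r"\msiexec.exe"):
        return 0, []
    cmd, reasons, score = event["cmdline"], [], 0
    props = custom_properties(cmd)
    if props:                       # operator-supplied properties drive the payload load
        score += 2
        reasons.append("custom public properties: " + ", ".join(sorted(props)))
    if QUIET.search(cmd):           # silent install hides the UI from the user
        score += 1
        reasons.append("quiet install switch")
    if USER_WRITABLE.search(cmd):   # package staged in a user-writable directory
        score += 1
        reasons.append("package in user-writable path")
    return score, reasons

def flagged(events, threshold=3):
    """Events whose score meets the threshold, in input order."""
    return [e for e in events if assess(e)[0] >= threshold]

# Constructed sample events in a Sysmon-like shape; not real telemetry.
SAMPLE_EVENTS = [
    {"id": "evt-1", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Program Files\Vendor\setup.msi" /qn ALLUSERS=1'},
    {"id": "evt-2", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i C:\Users\Public\update.msi /qn CFGKEY="x" RUNMODE=2'},
]
```

Running `flagged(SAMPLE_EVENTS)` returns only evt-2; the vendor install in evt-1 scores 1 because its only property is on the allow-list.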

For Linux devices, the encryptor focuses strongly on encrypting VMware ESXi virtual machines and includes two command-line arguments that control how the Linux encryptor will encrypt virtual machines.
