{"id":7231,"date":"2022-08-06T20:19:55","date_gmt":"2022-08-06T11:19:55","guid":{"rendered":"https:\/\/cyberenso.jp\/?p=7231"},"modified":"2022-08-23T20:23:53","modified_gmt":"2022-08-23T11:23:53","slug":"new-gwisinlocker-ransomware-can-target-and-encrypt-windows-and-linux-esxi-servers","status":"publish","type":"post","link":"https:\/\/cyberenso.jp\/en\/new-gwisinlocker-ransomware-can-target-and-encrypt-windows-and-linux-esxi-servers\/","title":{"rendered":"New GwisinLocker ransomware can target and encrypt Windows and Linux ESXi servers"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"7231\" class=\"elementor elementor-7231\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-808d139 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"808d139\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-c1224e4\" data-id=\"c1224e4\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-2728a4c elementor-widget elementor-widget-text-editor\" data-id=\"2728a4c\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>This week, cybersecurity researchers at Ahnlab and ReversingLabs released reports on the new ransomware family called &#8216;GwisinLocker&#8217;, which has been seen targeting South Korean healthcare, industrial, and pharmaceutical companies with Windows and Linux encryptors. 
The reports also highlighted that these encryptors support encrypting VMware ESXi servers and virtual machines, and that they use AES symmetric-key encryption with SHA256 hashing to encrypt the target\u2019s devices.<\/p><p>The new ransomware is the product of a lesser-known threat actor dubbed Gwisin, which means &#8220;ghost&#8221; in Korean. Even though the origin of the threat actor is unknown, the threat actor does appear to have a good knowledge of the Korean language. Additionally, attacks by this threat actor commonly coincided with Korean public holidays and occurred during early morning hours, which is a good indicator that the threat actor is familiar with the culture and corporate practices of South Korea\u2019s business world.<\/p><p>For encrypting Windows devices, the infection begins with the execution of an MSI installer file, which requires special command-line arguments to properly load the embedded DLL that acts as the ransomware encryptor.<\/p><p>For Linux devices, the encryptor focuses strongly on encrypting VMware ESXi virtual machines, and it accepts two command-line arguments that control how the Linux encryptor will encrypt virtual machines.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>This week, cybersecurity researchers at Ahnlab and ReversingLabs released reports on the new ransomware family called &#8216;GwisinLocker&#8217;, which has been seen targeting South Korean healthcare, industrial, and pharmaceutical companies with Windows and Linux encryptors. 
The reports also highlighted that these encryptors have support for encrypting VMware ESXi servers and virtual machines as well as using AES symmetric-key encryption with SHA256<span class=\"excerpt-hellip\"> [\u2026]<\/span><\/p>\n","protected":false},"author":1,"featured_media":7236,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,12,9,2,7,1],"tags":[],"class_list":["post-7231","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-latest_news","category-read_article","category-ransomware_criminals","category-ce_news","category-by_country","category-uncategorized"],"acf":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/cyberenso.jp\/wp-content\/uploads\/2022\/08\/Picture1-4.jpg?fit=1375%2C917&ssl=1","_links":{"self":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/posts\/7231"}],"collection":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/comments?post=7231"}],"version-history":[{"count":6,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/posts\/7231\/revisions"}],"predecessor-version":[{"id":7239,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/posts\/7231\/revisions\/7239"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/media\/7236"}],"wp:attachment":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/media?parent=7231"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/categories?post=7231"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/tags?post=7231"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/
{rel}","templated":true}]}}