Several sectors in South Korea, including industrial, healthcare, and pharmaceutical institutions, are the recent targets of a new ransomware strain dubbed GwisinLocker. Reports explain that the new ransomware attacks those under these sectors’ Windows and Linux OS computers.
Security analysts are convinced that the threat operators behind the ransomware are Korean entities, given their strong knowledge of the Korean language – including how the malware’s name, Gwisin, means ‘ghost’ in Korean.
In late July, GwisinLocker had made headlines following attacks against South Korean pharmaceutical companies.
Based on observations, the new GwisinLocker ransomware mainly targets companies’ Windows devices. First, an MSI installer file will be launched on a targeted device with special command-line arguments to help load the embedded DLL or the ransomware encryptor.
These command-line arguments create a defensive barrier for the ransomware to be harder to be analysed. The injected internal DLL into the operating system will also help the operators evade being detected by anti-virus tools.
GwisinLocker’s configuration may sometimes incorporate a separate argument that will begin an operation under a safe mode. In enabling this configuration, the ransomware will make a copy of itself to a ProgramData subfolder. Then, it will register itself as a service before forcing a computer reboot while in safe mode.
In separate analyses, researchers found that the GwisinLocker also targets computers in the Linux OS. In this version, the ransomware will focus on encrypting VMware ESXi virtual machines using two command-line arguments that will direct how these VMs will be encrypted.
Researchers underline that regardless of the victim’s operating system, the encryptors used in the attacks are customised to mention the targeted company’s name in the ransom note and to attach a unique extension for the file names of the encrypted data.
For instance, a reported victim shared the ransom note on their compromised device, which displayed a customised message from the threat operators, mentioning the specific data stolen during the attack. The victims are also warned not to contact any South Korean authorities.
The mentioned targeted sectors of this new ransomware strain are advised to strengthen their security more while they have yet to be attacked.