Search This Blog

GwisinLocker Ransomware Targets Linux Systems in South Korea

The ransom is associated with GwisinLocker.Linux that contains information on internal data.
ReversingLabs cyber intelligence group discovered a brand ransomware family called 'GwisinLocker'. As per the analysis, this ransomware mainly victimizes South Korea’s infrastructures such as healthcare, pharmaceutical companies, and industries with Windows and Linux encryptors, including support for encrypting VMware ESXi servers and virtual machines. 

Dubbed as GwisinLocker, the malware was first detected on July 19 by ReversingLabs cyber intelligence group. GwisinLocker is an upgraded and advanced malware variant that was created by a previously lesser-known threat actor (TA) called “Gwisin” which translates in Korean as 'ghost' or 'spirit'. Also, the hacker’s origin is unknown but as per the technical data, it appears that the hacker has a good command of the Korean language. 

“In those incidents, it often launched attacks on public holidays and during the early morning hours (Korean time) – looking to take advantage of periods in which staffing and monitoring within target environments were relaxed,” ReversingLabs wrote in an advisory published on Thursday. 

“In communications with its victims, the Gwisin group claims to have deep knowledge of their network and claim that they exfiltrated data with which to extort the company.”

“In communications with its victims, the Gwisin group claim to have deep knowledge of their network and claim that they exfiltrated data with which to extort the company. Ransom notes associated with GwisinLocker.Linux contains detailed internal information from the compromised environment. Encrypted files use file extensions customized to use the name of the victim company”, the report reads.

Regarding the information on the payment system behind the ransomware, researchers said that GwisinLocker.Linux victims called for logging into the portal run by the group and creating private communications channels for completing ransom payments. “As a result, little is known about the payment method used and/or cryptocurrency wallets associated with the group,” the researchers further added.
Share it:

Cyber Attacks

cyberwars

GwisinLocker

Ransomware

Technology Threats