GwisinLocker Ransomware Targets Linux Systems in South Korea

ReversingLabs researchers discovered a new ransomware family targeting Linux-based systems in South Korea.

Dubbed GwisinLocker, the malware was detected by ReversingLabs on July 19 while undertaking successful campaigns targeting firms in the industrial and pharmaceutical space.

“In those incidents, it often launched attacks on public holidays and during the early morning hours (Korean time) – looking to take advantage of periods in which staffing and monitoring within target environments were relaxed,” ReversingLabs wrote in an advisory published on Thursday.

In the document, the company claimed GwisinLocker is a new malware variant created by a previously little-known threat actor (TA) called “Gwisin” (a Korean term for ‘ghost’ or ‘spirit’).

“In communications with its victims, the Gwisin group claims to have deep knowledge of their network and claim that they exfiltrated data with which to extort the company,” ReversingLabs said.

Additionally, ransom notes associated with GwisinLocker.Linux contained detailed internal information from the compromised environment, and encrypted files used file extensions customized to use the name of the victim company. 

Regarding details of the payment system behind the ransomware, ReversingLabs said GwisinLocker.Linux victims are required to log into a portal operated by the group and establish private communications channels for completing ransom payments. 

“As a result, little is known about the payment method used and/or cryptocurrency wallets associated with the group.”

Because of familiarity with the Korean language as well as with the South Korean government and law enforcement forces, ReversingLabs said Gwisin may be a North Korean-linked advanced persistent threat (APT) group. 

“This threat should be of particular concern to industrial and pharmaceutical companies in South Korea, which account for the bulk of Gwisin’s victims to date,” ReversingLabs explained.

“However, it is reasonable to assume that this threat actor may expand its campaigns to organizations in other sectors, or even outside of South Korea.”

The security researchers concluded the advisory by warning firms concerned with GwisinLocker to review the Indicators of Compromise in the report and make them available to internal or external threat hunting teams.