GwisinLocker Ransomware Targets Linux Systems in South Korea
ReversingLabs researchers discovered a new ransomware family targeting Linux-based systems in South Korea.
Dubbed GwisinLocker, the malware was detected by ReversingLabs on July 19 while it was being used in successful campaigns against firms in the industrial and pharmaceutical sectors.
“In those incidents, it often launched attacks on public holidays and during the early morning hours (Korean time) – looking to take advantage of periods in which staffing and monitoring within target environments were relaxed,” ReversingLabs wrote in an advisory published on Thursday.
In the document, the company claimed GwisinLocker is a new malware variant created by a previously little-known threat actor (TA) called “Gwisin” (a Korean term for ‘ghost’ or ‘spirit’).
“In communications with its victims, the Gwisin group claims to have deep knowledge of their network and claims that they exfiltrated data with which to extort the company,” ReversingLabs said.
Additionally, ransom notes associated with GwisinLocker.Linux contained detailed internal information from the compromised environment, and encrypted files carried a file extension customized with the name of the victim company.
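The two behaviours described above (activity concentrated in off-hours and on public holidays in Korean time, and a burst of files renamed to a victim-specific extension) are both visible in ordinary file-activity telemetry. The following is an added hunting heuristic, not code from the ReversingLabs report, that scans constructed file-rename events for a burst of renames to a previously unseen extension and flags whether the burst fell outside Korean business hours. The log format, the business-hours window, the holiday list and the "known extension" allowlist are all assumptions for the example.

```python
"""Hunting heuristic for mass renames to an unknown extension during
off-hours (Korea Standard Time). Added example; the log format, hours,
holidays and extension allowlist below are assumptions, not data from
the ReversingLabs advisory."""
import os
from collections import defaultdict
from datetime import datetime, timedelta, timezone

KST = timezone(timedelta(hours=9))
BUSINESS_START, BUSINESS_END = 8, 19          # assumption: 08:00-19:00 KST
HOLIDAYS = {"2022-08-15"}                     # assumption: Liberation Day (KR)
KNOWN_EXTENSIONS = {".txt", ".log", ".db", ".pdf", ".xlsx", ".gz", ".jpg", ".docx"}


def is_off_hours(ts):
    """True if the (timezone-aware) timestamp is a weekend, a listed
    holiday, or outside business hours, evaluated in Korean time."""
    local = ts.astimezone(KST)
    if local.strftime("%Y-%m-%d") in HOLIDAYS or local.weekday() >= 5:
        return True
    return not (BUSINESS_START <= local.hour < BUSINESS_END)


def parse_event(line):
    """Parse one constructed event line of the form
    '<ISO8601 UTC> <host> <op> <old_path> -> <new_path>'."""
    ts_s, host, op, old, _arrow, new = line.split()
    ts = datetime.fromisoformat(ts_s.replace("Z", "+00:00"))
    return ts, host, op, old, new


def hunt(lines, min_burst=5, window=timedelta(minutes=10)):
    """Return one finding per (host, extension) pair that saw at least
    `min_burst` renames to an unknown extension within `window`."""
    per_host_ext = defaultdict(list)
    for line in lines:
        ts, host, op, _old, new = parse_event(line)
        if op != "rename":
            continue
        ext = os.path.splitext(new)[1].lower()
        if not ext or ext in KNOWN_EXTENSIONS:
            continue
        per_host_ext[(host, ext)].append(ts)

    findings = []
    for (host, ext), times in per_host_ext.items():
        times.sort()
        # Sliding window: largest number of renames inside any `window`.
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_burst:
            findings.append({
                "host": host,
                "ext": ext,
                "count": len(times),
                "off_hours": all(is_off_hours(t) for t in times),
            })
    return findings


# Constructed sample telemetry: six renames on one server at ~03:01 KST
# on a public holiday, plus benign activity on a workstation.
SAMPLE_EVENTS = [
    "2022-08-14T18:01:05Z srv-db01 rename /data/a.db -> /data/a.db.acmecorp",
    "2022-08-14T18:01:06Z srv-db01 rename /data/b.db -> /data/b.db.acmecorp",
    "2022-08-14T18:01:08Z srv-db01 rename /data/c.log -> /data/c.log.acmecorp",
    "2022-08-14T18:01:11Z srv-db01 rename /data/d.xlsx -> /data/d.xlsx.acmecorp",
    "2022-08-14T18:01:15Z srv-db01 rename /data/e.pdf -> /data/e.pdf.acmecorp",
    "2022-08-14T18:02:40Z srv-db01 rename /data/f.gz -> /data/f.gz.acmecorp",
    "2022-08-15T02:30:00Z ws-hr07 rename /home/u/report.docx -> /home/u/report_v2.docx",
    "2022-08-15T02:31:00Z ws-hr07 write /home/u/notes.txt -> -",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

The allowlist of known extensions is the weak point of this heuristic: a ransomware family that reuses a common extension would slip past it, so in practice the rename burst alone (any single new extension appearing on hundreds of files within minutes) is the stronger signal, and the off-hours flag is best used to raise priority rather than to filter.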
Regarding details of the payment system behind the ransomware, ReversingLabs said GwisinLocker.Linux victims are required to log into a portal operated by the group and establish private communications channels for completing ransom payments.
“As a result, little is known about the payment method used and/or cryptocurrency wallets associated with the group.”
Because of the group's familiarity with the Korean language and with the South Korean government and law enforcement, ReversingLabs said Gwisin may be a North Korean-linked advanced persistent threat (APT) group.
“This threat should be of particular concern to industrial and pharmaceutical companies in South Korea, which account for the bulk of Gwisin’s victims to date,” ReversingLabs explained.
“However, it is reasonable to assume that this threat actor may expand its campaigns to organizations in other sectors, or even outside of South Korea.”
The security researchers concluded the advisory by advising firms concerned about GwisinLocker to review the indicators of compromise (IoCs) in the report and make them available to internal or external threat hunting teams.