ReversingLabs researchers have discovered a new ransomware family targeting Linux-based systems in South Korea.
Dubbed GwisinLocker, the malware was detected by ReversingLabs on July 19 while conducting successful campaigns targeting companies in the industrial and pharmaceutical sectors.
“In these incidents, it often launched attacks on public holidays and during the early morning hours (Korean time) – looking to take advantage of periods in which staffing and monitoring within target environments were relaxed,” ReversingLabs wrote in an advisory published on Thursday.
In the document, the company claimed GwisinLocker is a new malware variant created by a previously little-known threat actor (TA) known as “Gwisin” (a Korean term for ‘ghost’ or ‘spirit’).
“In communications with its victims, the Gwisin group claims to have deep knowledge of their network and claims that they exfiltrated data with which to extort the company,” ReversingLabs said.
Moreover, ransom notes associated with GwisinLocker.Linux contained detailed internal information from the compromised environment, and encrypted files used file extensions customized to incorporate the name of the victim company.
Regarding details of the payment system behind the ransomware, ReversingLabs said GwisinLocker.Linux victims are required to log into a portal operated by the group and establish private communication channels for completing ransom payments.
“Consequently, little is known about the payment method used and/or cryptocurrency wallets associated with the group.”
Because of the group’s familiarity with the Korean language as well as with the South Korean government and law enforcement agencies, ReversingLabs said Gwisin may be a North Korean-linked advanced persistent threat (APT) group.
“This threat should be of particular concern to industrial and pharmaceutical companies in South Korea, which account for the majority of Gwisin’s victims to date,” ReversingLabs explained.
“However, it is reasonable to assume that this threat actor may expand its campaigns to organizations in other sectors, and even outside of South Korea.”
The security researchers concluded the advisory by urging companies concerned about GwisinLocker to review the Indicators of Compromise in the report and make them available to internal or external threat hunting teams.