- The Gwisin group was first referenced in a ransomware report published in the third quarter of 2021 but has otherwise kept a low profile.
- The group exclusively targets South Korean organizations, primarily healthcare and pharmaceutical organizations.
- According to the reports, most of the attacks were launched during public holidays or in the early hours of the morning in South Korea.
South Korean cyber security company Ahnlab and researchers at ReversingLabs have shared details of a newly emerging threat. The ransomware family is called GwisinLocker, also referred to as Gwisin, which means “ghost” or “spirit” in Korean. Its origin is still unknown, but the group appears to be familiar with Korean culture and business routines, scheduling its attacks on the country’s public holidays and in the early morning hours. The family attacks both Windows and Linux systems and is capable of encrypting virtual machines and VMware ESXi servers.
Focusing on healthcare and pharmaceutical organizations
According to ReversingLabs’ report, GwisinLocker mainly targets South Korean industrial and pharmaceutical firms. It is a new variant produced by the relatively low-profile threat actor Gwisin, which was first referenced in a report in the third quarter of 2021. ReversingLabs discovered a previously undetected Linux ransomware sample on July 19th and named the version they found GwisinLocker.Linux, to distinguish it from the Windows version.
GwisinLocker appends the extension .mcrgnx to the files it encrypts. Each file’s corresponding key is stored in a separate 256-byte file, which carries the same extension. File contents are encrypted with AES, and the stored key is itself protected so that it cannot simply be read back to decrypt the file. The scheme combines AES symmetric-key encryption with SHA256 hashing and generates a unique key for each file. According to the reports, compromised endpoints are renamed GWISIN Ghost.
ReversingLabs also stated that the group targets only South Korean organizations and launches its attacks during public holidays or in the early hours of the morning in South Korea. The group also claims to have deep knowledge of the victim’s network and to have exfiltrated its data. ReversingLabs said,
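The two file-system indicators above (the .mcrgnx extension and a separate 256-byte key file with the same extension) are enough for a simple triage sweep of a file share. The following Python helper is an added example, not code from the Ahnlab or ReversingLabs reports; the way the key file is named next to its data file in the constructed sample tree is this example’s own assumption, since the reports quoted here do not specify it.

```python
"""Triage helper for GwisinLocker-style file-system artifacts (added example,
not code from the Ahnlab or ReversingLabs reports). It relies only on two
facts from the write-up: encrypted files carry the .mcrgnx extension and each
file's key sits in a separate 256-byte file with the same extension. The key
file naming in the constructed sample tree is this example's own assumption.
"""
import os
import tempfile
from pathlib import Path

EXT = ".mcrgnx"       # extension reported for GwisinLocker-encrypted files
KEY_BLOB_SIZE = 256   # reported size of the per-file key file


def scan_for_gwisin_artifacts(root: Path) -> dict:
    """Split .mcrgnx files under root into 256-byte key blobs and data files."""
    key_blobs, data_files = [], []
    for path in sorted(root.rglob(f"*{EXT}")):
        if not path.is_file():
            continue
        if path.stat().st_size == KEY_BLOB_SIZE:
            key_blobs.append(path)
        else:
            data_files.append(path)
    # Per-file keys mean roughly one 256-byte blob per encrypted file; that
    # pairing is much stronger evidence than a lone stray .mcrgnx file.
    suspicious = bool(data_files) and len(key_blobs) >= len(data_files)
    return {"data_files": data_files, "key_blobs": key_blobs, "suspicious": suspicious}


def build_constructed_tree(root: Path, infected: bool) -> None:
    """Write a constructed sample share; file names and contents are made up."""
    (root / "finance").mkdir()
    (root / "finance" / "budget.xlsx").write_bytes(b"clean spreadsheet")
    if infected:
        for name in ("q3.xlsx", "notes.docx"):
            (root / "finance" / f"{name}{EXT}").write_bytes(os.urandom(4096))
            (root / "finance" / f"{name}.key{EXT}").write_bytes(os.urandom(KEY_BLOB_SIZE))


def demo(infected: bool = True) -> dict:
    """Build a temporary tree, scan it, and return summary counts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_tree(root, infected)
        result = scan_for_gwisin_artifacts(root)
        return {"data": len(result["data_files"]), "keys": len(result["key_blobs"]),
                "suspicious": result["suspicious"]}
```

Point `scan_for_gwisin_artifacts` at a real mount point to use it outside the demo; the 256-byte size check is what separates key blobs from encrypted data, so an unpaired .mcrgnx file alone is reported but not flagged.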
« Analysis and public reporting of the larger GwisinLocker campaign suggests the ransomware is in the hands of sophisticated threat actors who gain access to and control over target environments prior to the deployment of the ransomware. That includes identifying and stealing sensitive data for use in so-called “double extortion” campaigns. Details in samples of the group’s ransom notes suggest a familiarity with the Korean language as well as South Korean government and law enforcement. This has led to speculation that Gwisin may be a North Korean-linked advanced persistent threat (APT) group. »
Ahnlab also published a report on the Windows version of the ransomware family. The researchers stated that it is delivered as an MSI installer that contains the DLL file. Gwisin is harder to detect because the file alone does not perform any ransomware activity when run on security products or in sandbox environments. The embedded DLL is injected into a legitimate Windows process and is customized for each targeted company.
The MSI file calls an export function of the ransomware DLL. That function checks its execution argument and does nothing if the argument is not the expected one. If it is installed to operate in safe mode, it copies itself to a specific path under ProgramData and registers itself as a service. After the system is rebooted into safe mode, it begins encrypting files and changing their extensions. Ahnlab said,
« Because the ransomware is installed and executed in various systems after dominating the internal system, companies must analyze how the infection happened in the first place. If the cause of the infection cannot be analyzed after a breach had occurred, another ransomware may infect the system in the future and cause a similar incident. »