GwisinLocker ransomware targeting Windows and Linux ESXi servers

Multiple cyber security researchers pinpoint a new ransomware family, named GwisinLocker, that targets South Korean organizations.


Erdem Yasar
August 8, 2022
3 min read
  • The Gwisin group was first referred to in a ransomware report published in the third quarter of 2021, but it kept a low profile until now.
  • The group is exclusively targeting South Korean organizations, primarily healthcare and pharmaceutical organizations.
  • According to the reports, most of the attacks were launched during public holidays or in the early hours of the morning in South Korea.

Korean cyber security company AhnLab and researchers at ReversingLabs shared details of a new emerging threat. The new ransomware family is called GwisinLocker, also referred to as Gwisin, which means “ghost” or “spirit” in Korean. The group's origin is still unknown, but it appears familiar with Korean culture and business routines, scheduling its attacks on the country’s public holidays and in the early morning hours. The ransomware family attacks both Windows and Linux systems, and it is capable of encrypting virtual machines and VMware ESXi servers.

Focusing on healthcare and pharmaceutical organizations

According to ReversingLabs’ report, GwisinLocker is mainly targeting South Korean industrial and pharmaceutical firms. It is a new variant produced by a relatively low-profile threat actor, Gwisin, which was first referenced in a report in the third quarter of 2021. ReversingLabs discovered an undetected Linux ransomware sample on July 19th and named the version they found GwisinLocker.Linux, to distinguish it from the Windows version.

GwisinLocker appends the extension .mcrgnx to the files it encrypts. Each file’s corresponding key is stored in a separate 256-byte file, which carries the same extension. It uses AES to encrypt files and protects the key so that the files cannot be conveniently decrypted. The scheme combines AES symmetric-key encryption with SHA256 hashing, generating a unique key for each file. According to the reports, compromised endpoints are renamed GWISIN Ghost.
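The two file artifacts described above (the .mcrgnx extension on encrypted files and a separate 256-byte key file with the same extension) are enough for a simple post-incident triage scan of a share or mount. The following script is an added example written for this article, not tooling from AhnLab or ReversingLabs. It classifies every .mcrgnx file as a key file (exactly 256 bytes), an encrypted file (high byte entropy, as AES output would show), or a suspect file (renamed but low entropy), and reports a verdict for the tree. The pairing naming (`report0.docx.key.mcrgnx` beside `report0.docx.mcrgnx`), the 7.0 bits/byte entropy floor, and the sample tree it builds in a temporary directory are all assumptions constructed for the demo; the reports do not describe how the key file is named.

```python
"""Triage helper for GwisinLocker-style file artifacts (added example).

Not AhnLab or ReversingLabs tooling. Checks for the two artifacts the reports
describe: files with the .mcrgnx extension and a separate 256-byte key file
with the same extension. Key-file naming and the sample tree are assumptions.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

GWISIN_EXT = ".mcrgnx"   # extension reported for GwisinLocker output
KEY_FILE_SIZE = 256      # reported size of the separate per-file key file
ENTROPY_FLOOR = 7.0      # bits per byte; AES ciphertext sits near 8.0 (assumed threshold)
SAMPLE_BYTES = 4096      # how much of each file to read for the entropy check


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> str:
    """Return 'key', 'encrypted', 'suspect' or 'none' for one file."""
    if path.suffix.lower() != GWISIN_EXT:
        return "none"
    if path.stat().st_size == KEY_FILE_SIZE:
        return "key"
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    # A renamed file with low entropy is not AES output; keep it as a weaker signal.
    return "encrypted" if shannon_entropy(head) >= ENTROPY_FLOOR else "suspect"


def scan_tree(root: Path) -> dict:
    """Walk root and bucket every .mcrgnx file by classification."""
    buckets = {"key": [], "encrypted": [], "suspect": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            kind = classify_file(p)
            if kind != "none":
                buckets[kind].append(str(p.relative_to(root)))
    for entries in buckets.values():
        entries.sort()
    return buckets


def verdict(buckets: dict) -> str:
    """'match' when both artifact types are present, 'partial' for some, else 'clean'."""
    if buckets["key"] and buckets["encrypted"]:
        return "match"
    if any(buckets.values()):
        return "partial"
    return "clean"


def build_sample_tree(root: Path) -> None:
    """Constructed sample data, not files from a real infection."""
    docs = root / "share" / "docs"
    docs.mkdir(parents=True)
    for i in range(3):
        # Assumed naming: the key sidecar sits beside the data file it belongs to.
        (docs / f"report{i}.docx{GWISIN_EXT}").write_bytes(os.urandom(8192))
        (docs / f"report{i}.docx.key{GWISIN_EXT}").write_bytes(os.urandom(KEY_FILE_SIZE))
    (docs / "notes.txt").write_bytes(b"plain text " * 100)     # untouched file
    (docs / f"zeros{GWISIN_EXT}").write_bytes(b"\x00" * 1024)    # renamed but not encrypted


def run_demo() -> dict:
    """Build the sample tree in a temp dir, scan it and return the buckets plus verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        buckets = scan_tree(root)
    buckets["verdict"] = verdict(buckets)
    return buckets


if __name__ == "__main__":
    result = run_demo()
    for kind in ("key", "encrypted", "suspect"):
        print(f"{kind:9s} {len(result[kind])}")
    print("verdict:", result["verdict"])
```

Point `scan_tree` at a real mount instead of the sample tree to use it in an incident; the "suspect" bucket exists because an extension alone is a weak indicator, while extension plus entropy plus a 256-byte sidecar matches the reported pattern far more specifically.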

ReversingLabs also stated that the group is only targeting South Korean organizations and launches its attacks during public holidays or in the early hours of the morning in South Korea. The group also claims to have deep knowledge of the victim’s network and to have exfiltrated its data. ReversingLabs said,

« Analysis and public reporting of the larger GwisinLocker campaign suggests the ransomware is in the hands of sophisticated threat actors who gain access to and control over target environments prior to the deployment of the ransomware. That includes identifying and stealing sensitive data for use in so-called “double extortion” campaigns. Details in samples of the group’s ransom notes suggest a familiarity with the Korean language as well as South Korean government and law enforcement. This has led to speculation that Gwisin may be a North Korean-linked advanced persistent threat (APT) group. »

AhnLab also published a report on the Windows version of the ransomware family. The researchers stated that it comes as an MSI installer that contains the ransomware DLL. Gwisin is harder to detect because the MSI file alone does not perform any ransomware activity in the sandbox environments of security products. The embedded DLL operates by being injected into a normal Windows process, and the target process differs for each victim company.

The MSI file calls an export function from the ransomware DLL. The function checks its execution argument and does not run if the argument is abnormal. If it is installed to operate in safe mode, it copies itself to a certain path under ProgramData and registers itself as a service. After the system is rebooted into safe mode, it starts encrypting files and changing their extensions. AhnLab said,

« Because the ransomware is installed and executed in various systems after dominating the internal system, companies must analyze how the infection happened in the first place. If the cause of the infection cannot be analyzed after a breach had occurred, another ransomware may infect the system in the future and cause a similar incident. »
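A defender can turn the safe-mode behaviour described above into a hunt: a service whose binary lives under ProgramData and which is also allowed to start in safe mode is unusual on a managed Windows host. The script below is an added example, not AhnLab's tooling. Its triage logic runs on constructed service records so that it can be exercised anywhere; on a Windows host, `collect_services_windows` reads the live data through the `winreg` module from `HKLM\SYSTEM\CurrentControlSet\Services` and the `Control\SafeBoot\Minimal` and `Control\SafeBoot\Network` keys, which list the services Windows starts in the two safe-mode variants. Because the article does not name the exact ProgramData path, the check flags any service image path containing `\ProgramData\`, which is this example's assumption; the sample records are constructed, not taken from a real host.

```python
"""Hunt for services that start in Windows safe mode from ProgramData (added example).

Not AhnLab's tooling. Flags any service whose ImagePath sits under ProgramData
(assumed marker; the exact path is not published) and which is listed under a
SafeBoot key, so that it would start after a reboot into safe mode.
"""
import sys
from dataclasses import dataclass

PROGRAMDATA_MARKER = "\\programdata\\"   # assumption: any ProgramData sub-path is suspicious for a service


@dataclass
class ServiceRecord:
    name: str
    image_path: str
    safeboot_minimal: bool   # listed under Control\SafeBoot\Minimal
    safeboot_network: bool   # listed under Control\SafeBoot\Network


def is_suspicious(svc: ServiceRecord) -> bool:
    """True when the service binary is under ProgramData and survives a safe-mode boot."""
    path = svc.image_path.lower().replace("/", "\\")
    in_programdata = PROGRAMDATA_MARKER in path
    starts_in_safe_mode = svc.safeboot_minimal or svc.safeboot_network
    return in_programdata and starts_in_safe_mode


def triage(records) -> list:
    """Names of suspicious services, sorted for stable output."""
    return sorted(svc.name for svc in records if is_suspicious(svc))


def collect_services_windows() -> list:
    """Read live service and SafeBoot data from the registry; Windows only."""
    import winreg

    base = "SYSTEM\\CurrentControlSet"

    def subkeys(path: str) -> set:
        names = set()
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                index = 0
                while True:
                    try:
                        names.add(winreg.EnumKey(key, index).lower())
                    except OSError:
                        break
                    index += 1
        except OSError:
            pass
        return names

    minimal = subkeys(base + "\\Control\\SafeBoot\\Minimal")
    network = subkeys(base + "\\Control\\SafeBoot\\Network")
    records = []
    for name in subkeys(base + "\\Services"):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + "\\Services\\" + name) as key:
                image, _kind = winreg.QueryValueEx(key, "ImagePath")
        except OSError:
            continue   # drivers and services without an ImagePath value
        records.append(ServiceRecord(name, str(image), name in minimal, name in network))
    return records


# Constructed sample records, not from a real host.
SAMPLE_RECORDS = [
    ServiceRecord("spooler", "C:\\Windows\\System32\\spoolsv.exe", False, False),
    ServiceRecord("vss", "C:\\Windows\\System32\\vssvc.exe", True, True),
    ServiceRecord("updsvc", "C:\\ProgramData\\Upd\\svc.exe -run", True, False),
    ServiceRecord("agent", "C:\\ProgramData\\Vendor\\agent.exe", False, False),
]


if __name__ == "__main__":
    live = sys.platform == "win32"
    records = collect_services_windows() if live else SAMPLE_RECORDS
    for name in triage(records):
        print("suspicious service:", name)
```

A hit from this check is a lead, not a conviction: some legitimate agents install under ProgramData, so confirm the binary's signer and the service creation time before acting on it.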

Tags: Linux, Ransomware, VMware, Windows
Erdem Yasar

Erdem Yasar is a news editor at Cloud7 News. Erdem started his career by writing video game reviews in 2007 for PC World magazine while he was studying computer engineering. In the following years, he focused on software development with various programming languages. After his graduation, he continued to work as an editor for several major tech-related websites and magazines. During the 2010s, Erdem Yasar shifted his focus to cloud computing, hosting, and data centers as they were becoming more popular topics in the tech industry. Erdem Yasar also worked with various industry-leading tech companies as a content creator by writing blog posts and other articles. Prior to his role at Cloud7 News, Erdem was the managing editor of T3 Magazine.