ReversingLabs researchers have uncovered a new ransomware family, GwisinLocker, that targets Linux systems at organizations in South Korea. The Linux variant was first detected on July 19th, during successful campaigns against industrial and pharmaceutical firms in the region.
According to the ReversingLabs advisory, the Gwisin operators deliberately launch attacks on public holidays and in the early morning hours, Korea Standard Time, when staffing and monitoring in target environments are typically at their thinnest and an encryption run is least likely to be noticed and interrupted.
The operators, a threat actor tracked as “Gwisin,” communicate directly with their victims. They claim detailed knowledge of the victim’s network and say they have exfiltrated data, which they use as additional leverage to extort the company. Ransom notes associated with GwisinLocker.Linux contain detailed internal information from the compromised environment, and encrypted files are given a custom extension that incorporates the name of the victim company, so the extension differs from victim to victim.
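Two details above are useful hunting signals on a Linux host: a burst of files gaining one previously unseen extension within minutes, and that burst landing in the off-hours window the group favors. The following Python hunt, written for this page as an illustration and not code from ReversingLabs or from the GwisinLocker report, groups a file listing by extension, ignores a known-good baseline, and flags any unseen extension whose files were written in a tight window, annotating whether the burst began during off-hours KST. The baseline extension set, the 30-minute/20-file thresholds, the 00:00–06:00 off-hours definition and the placeholder extension `.examplecorp` in the constructed sample are all assumptions, not indicators from the advisory.

```python
"""Hunt for a mass-encryption burst on a Linux host: many files gaining one
previously unseen extension within a short window, flagged when the burst
began during off-hours in Korea Standard Time.  Illustrative only; the
sample listing below is constructed, not taken from a real incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from pathlib import PurePosixPath

KST = timezone(timedelta(hours=9))

# Hypothetical baseline of extensions normally present on the host.  In
# practice, build this from a known-good snapshot rather than hard-coding it.
KNOWN_EXTENSIONS = {".conf", ".log", ".db", ".sql", ".csv", ".txt",
                    ".tar", ".gz", ".pdf"}


def is_off_hours(ts: datetime) -> bool:
    """Assumed definition: 00:00-06:00 KST or a weekend.  Public holidays
    would need a calendar lookup and are not modelled here."""
    local = ts.astimezone(KST)
    return local.hour < 6 or local.weekday() >= 5


def max_in_window(times, window: timedelta) -> int:
    """Largest number of (sorted) timestamps that fall inside any `window`.
    Two-pointer sweep, so a few old files with the same extension do not
    mask a later burst."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_extension_bursts(records, known_exts=KNOWN_EXTENSIONS,
                          window=timedelta(minutes=30), min_files=20):
    """records: iterable of (path, mtime) with timezone-aware mtimes.
    Returns one finding per unseen extension with at least `min_files`
    files written inside some `window`-long interval."""
    by_ext = defaultdict(list)
    for path, mtime in records:
        ext = PurePosixPath(path).suffix.lower()
        if ext and ext not in known_exts:
            by_ext[ext].append((mtime, path))

    findings = []
    for ext, items in by_ext.items():
        if len(items) < min_files:
            continue
        items.sort()
        times = [t for t, _ in items]
        burst = max_in_window(times, window)
        if burst < min_files:
            continue
        findings.append({
            "extension": ext,
            "count": len(items),
            "burst_in_window": burst,
            "first_seen_kst": times[0].astimezone(KST).isoformat(),
            "off_hours": is_off_hours(times[0]),
            "sample_paths": [p for _, p in items[:3]],
        })
    return findings


def constructed_sample():
    """Constructed listing: normal daytime activity, a handful of old files
    with an unbaselined extension spread over days (not a burst), and 40
    files renamed to the placeholder extension '.examplecorp' within two
    minutes at 03:10 KST.  The extension is made up, not a real IoC."""
    base = datetime(2022, 7, 19, 3, 10, tzinfo=KST)
    records = [(f"/srv/data/report_{i}.pdf", base - timedelta(hours=12, minutes=i))
               for i in range(15)]
    records += [(f"/var/lib/app/old_backup_{i}.bak", base - timedelta(days=i + 1))
                for i in range(5)]
    records += [(f"/srv/data/db_{i}.sql.examplecorp", base + timedelta(seconds=3 * i))
                for i in range(40)]
    return records


if __name__ == "__main__":
    for finding in find_extension_bursts(constructed_sample()):
        print(finding)
```

On a live host the `records` list would come from something like `find / -xdev -newermt '<window start>' -printf '%p\t%T@\n'`; the point of the two-pointer window is that legitimately old files sharing an odd extension (the `.bak` files in the sample) do not dilute the signal, while a fresh victim-specific extension appearing on dozens of files in minutes does get reported.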
To pay, victims of GwisinLocker.Linux must log into a portal operated by the group, which is used to set up a private channel for negotiating and completing the ransom payment. The payment method and the cryptocurrency wallets the group uses remain largely unknown.
Given the operators’ fluency in Korean and possible connections to North Korea, ReversingLabs suggests that Gwisin may be linked to an advanced persistent threat (APT) group. Industrial and pharmaceutical companies in South Korea are most at risk, as they have been the primary targets of Gwisin’s campaigns so far, but the actor could expand to other sectors or to organizations outside South Korea.
ReversingLabs advises organizations concerned about GwisinLocker to review the indicators of compromise (IoCs) provided in its report and share them with internal or external threat hunting teams, so that any sign of the actor can be found before an off-hours encryption run begins.