ReversingLabs Uncovers New Ransomware Targeting Linux-Based Systems in South Korea
ReversingLabs researchers have identified a new ransomware family, known as GwisinLocker, that specifically targets Linux-based systems in South Korea. The malware was first detected on July 19 during successful campaigns against industrial and pharmaceutical firms in the region.
According to ReversingLabs, GwisinLocker has been strategically launched on public holidays and during early morning hours in Korean time. This timing lets the attackers exploit periods when staffing levels and monitoring within target environments are likely to be reduced, increasing the chances of a successful infiltration.
The advisory published by ReversingLabs revealed that GwisinLocker is a new variant of malware developed by a previously unknown threat actor referred to as “Gwisin,” which translates to ‘ghost’ or ‘spirit’ in Korean. The group behind GwisinLocker has demonstrated a deep understanding of its victims’ networks, claiming to have exfiltrated data that can be used for extortion.
One notable feature of GwisinLocker is the inclusion of detailed internal information from compromised environments in the ransom notes. Additionally, encrypted files are given custom file extensions that incorporate the name of the victim company, adding a personalized touch to the attack.
Victims of GwisinLocker are instructed to log into a portal operated by the threat actor to establish private communication channels for ransom payments. The specific payment method and cryptocurrency wallets associated with the group remain largely unknown, making it challenging for authorities to track and combat the ransomware operations effectively.
Given the group’s apparent familiarity with the Korean language, the South Korean government, and its law enforcement agencies, ReversingLabs speculates that Gwisin may have ties to North Korean-linked advanced persistent threat (APT) groups. Industrial and pharmaceutical companies in South Korea have been the primary targets of GwisinLocker thus far, but there is a concern that the threat actor may expand its campaigns to other sectors or even outside the country.
In light of these developments, ReversingLabs advises organizations concerned about GwisinLocker to review the Indicators of Compromise provided in the report and share them with internal or external threat hunting teams. Vigilance and proactive security measures are essential to mitigate the risks posed by this emerging ransomware threat.