
Researchers are warning about GwisinLocker, a new ransomware that may lock ESXi hosts running Linux and Windows

Researchers are warning about GwisinLocker, a new ransomware that may lock ESXi hosts running Linux and Windows. The ransomware specifically targets South Korean pharmaceutical, industrial, and healthcare companies; its name is derived from the author’s pen name “Gwisin” (ghost in Korean).

Targeted attacks on certain companies are used to spread the ransomware. Experts claim that the ransom message contains the names of South Korean organizations such as the National Intelligence Service, KISA, and the Korean police. The Gwisin threat actor allegedly targeted Korean businesses around the holidays and very early in the morning. On Windows systems, the attack chain uses the MSI installer, and the DLL file contained in the MSI runs only when a specific value is passed to it as an argument.

It operates in a similar way to Magniber’s MSI installation. In contrast to Magniber, which targets random individuals, Gwisin does not automatically engage in destructive behaviour; instead, it requires a specified value as its execution argument. That value is the information needed to launch the DLL file included in the MSI, according to a report by the security firm AhnLab. Because the file on its own performs no ransomware actions in the sandbox environments used by various security products, Gwisin is difficult to detect. The malware’s internal DLL works by injecting itself into a regular Windows process, and the process used differs for each affected organization.

The GwisinLocker ransomware can operate in safe mode; to achieve this, it copies itself to a specific area in ProgramData, registers as a service, and then requests a system restart. Researchers from ReversingLabs examined the Linux ransomware and found that it is a sophisticated piece of malware that targets VMware ESXi virtual machines and is equipped to handle Linux hosts. GwisinLocker combines SHA256 hashing and AES symmetric-key encryption to produce a unique key for each file.
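As an added, defender-side example that is not part of the original article: a small Python triage script that flags the two Windows behaviours described above, a service installed from a path under ProgramData and an MSI launched with a custom property argument. The event records are constructed samples in a simplified, normalised shape; the field names and the property name `KEY` are assumptions, since the article does not name the real argument.

```python
import re

# Constructed sample events (not real telemetry): a simplified view of Windows
# System 7045 "service installed" records and process-creation records.
SAMPLE_EVENTS = [
    {"type": "service_installed", "name": "WinDefSvc",
     "image_path": r"C:\ProgramData\svc\update.exe"},
    {"type": "service_installed", "name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"type": "process_created", "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec.exe /i C:\Users\Public\setup.msi /qn KEY=abc123"},
    {"type": "process_created", "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec.exe /i C:\Users\me\Downloads\app.msi /qn"},
]

# Service binaries living under <drive>:\ProgramData\ are unusual for most software.
PROGRAMDATA_RE = re.compile(r"^[A-Za-z]:\\ProgramData\\", re.IGNORECASE)
# Any custom public MSI property (upper-case NAME=value) passed on the command line;
# the property name itself is unknown, so any such token is flagged (assumption).
MSI_PROPERTY_RE = re.compile(r"(?:^|\s)([A-Z][A-Z0-9_]{2,})=(\S+)")


def service_from_programdata(event):
    """True when a newly installed service points at a binary under ProgramData."""
    return (event["type"] == "service_installed"
            and PROGRAMDATA_RE.match(event["image_path"]) is not None)


def msiexec_with_property(event):
    """Return the custom property name when msiexec was started with NAME=value."""
    if event["type"] != "process_created":
        return None
    if not event["image"].lower().endswith("\\msiexec.exe"):
        return None
    match = MSI_PROPERTY_RE.search(event["command_line"])
    return match.group(1) if match else None


def find_suspicious(events):
    """Walk the events and collect (rule, detail) pairs worth analyst triage."""
    hits = []
    for ev in events:
        if service_from_programdata(ev):
            hits.append(("service_from_programdata", ev["name"]))
        prop = msiexec_with_property(ev)
        if prop:
            hits.append(("msiexec_custom_property", prop))
    return hits


if __name__ == "__main__":
    for rule, detail in find_suspicious(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Legitimate installers occasionally place services under ProgramData and pass public properties to msiexec, so treat hits as leads to correlate with the restart request and the off-hours timing the article mentions, not as verdicts.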

Victims of the Linux GwisinLocker variant must log in to a portal provided by the organization to contact the criminals. “The GwisinLocker ransomware is in the hands of skilled threat actors who have already achieved access to and control over the target environments, according to analysis and public reporting of the larger GwisinLocker campaign. This entails tracking down and stealing private data to be used in purported ‘double extortion’ operations,” ReversingLabs’ report concludes. Examples of the group’s ransom notes contain details that suggest they are familiar with South Korean law enforcement and the Korean language. This has increased the likelihood that Gwisin is a group that poses an advanced persistent threat (APT) and has connections to North Korea.
