GwisinLocker Ransomware Targets Linux Systems in South Korea

by admin 0 Comments

Security
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

ReversingLabs researchers discovered a new ransomware family targeting Linux-based systems in South Korea.

Dubbed GwisinLocker, the malware was detected by ReversingLabs on July 19 while undertaking successful campaigns targeting firms in the industrial and pharmaceutical space.

“In those incidents, it often launched attacks on public holidays and during the early morning hours (Korean time) – looking to take advantage of periods in which staffing and monitoring within target environments were relaxed,” ReversingLabs wrote in an advisory published on Thursday.

In the document, the company claimed GwisinLocker is a new malware variant created by a previously little-known threat actor (TA) called “Gwisin” (a Korean term for ‘ghost’ or ‘spirit’).

“In communications with its victims, the Gwisin group claims to have deep knowledge of their network and claim that they exfiltrated data with which to extort the company,” ReversingLabs said.

Additionally, ransom notes associated with GwisinLocker.Linux contained detailed internal information from the compromised environment, and encrypted files used file extensions customized to use the name of the victim company. 

Regarding details of the payment system behind the ransomware, ReversingLabs said GwisinLocker.Linux victims are required to log into a portal operated by the group and establish private communications channels for completing ransom payments. 

“As a result, little is known about the payment method used and/or cryptocurrency wallets associated with the group.”

Because of familiarity with the Korean language as well as with the South Korean government and law enforcement forces, ReversingLabs said Gwisin may be a North Korean-linked advanced persistent threat (APT) group. 

“This threat should be of particular concern to industrial and pharmaceutical companies in South Korea, which account for the bulk of Gwisin’s victims to date,” ReversingLabs explained.

“However, it is reasonable to assume that this threat actor may expand its campaigns to organizations in other sectors, or even outside of South Korea.”

The security researchers concluded the advisory by warning firms concerned with GwisinLocker to review the Indicators of Compromise in the report and make them available to internal or external threat hunting teams.

This article was originally published by Infosecurity-magazine.com. Read the original article here.
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Products You May Like

Articles You May Like

Report Suggests 93% of Breaches Lead to Downtime and Data Loss
Ex-Security Engineer Jailed 3 Years for $12.3 Million Crypto Exchange Thefts
BlackTech Targets Tech, Research, and Gov Sectors New ‘Deuterbear’ Tool
Intel and Lenovo BMCs Contain Unpatched Lighttpd Server Flaw
OfflRouter Malware Evades Detection in Ukraine for Almost a Decade

Leave a Reply

Your email address will not be published. Required fields are marked *