September 22, 2023

Security researchers discovered a new ransomware family dubbed GwisinLocker targeting Linux-based systems in South Korea.

This campaign targets firms in the industrial and pharmaceutical space. GwisinLocker is a new malware variant created by a previously little-known threat actor called “Gwisin”.


While communicating with victims, the group claims to have deep knowledge of their network and claim that they exfiltrated data.

Ransom notes of GwisinLocker.Linux contained detailed internal information from the compromised environment, and encrypted files used file extensions customized to use the name of the victim company.

To pay the ransom, victims are required to log into a portal operated by the group and establish private communications channels for completing ransom payments.

Gwisin may be a North Korean-linked APT group. Since they well versed in local korean language. This threat actor may expand its campaigns to organizations in other sectors, or even outside of South Korea.


This research was conducted and documented by researchers from Reversing Labs

Indicators of Compromise

  • ce6036db4fee35138709f14f5cc118abf53db112
  • e85b47fdb409d4b3f7097b946205523930e0c4ab

Leave a Reply

%d bloggers like this: