Security researchers discovered a new ransomware family dubbed GwisinLocker targeting Linux-based systems in South Korea.
This campaign targets firms in the industrial and pharmaceutical space. GwisinLocker is a new malware variant created by a previously little-known threat actor called “Gwisin”.
While communicating with victims, the group claims to have deep knowledge of their network and to have exfiltrated data.
Ransom notes of GwisinLocker.Linux contained detailed internal information from the compromised environment, and encrypted files used file extensions customized to use the name of the victim company.
To pay the ransom, victims are required to log into a portal operated by the group and establish private communications channels for completing ransom payments.
Gwisin may be a North Korea-linked APT group, since its operators are well versed in the Korean language. This threat actor may expand its campaigns to organizations in other sectors, or even outside South Korea.
This research was conducted and documented by researchers from ReversingLabs.
Indicators of Compromise