[MART] - Daily Diary #569 - GwisinLocker Targets South Korean Organizations

ctas-mat at appgate.com ctas-mat at appgate.com
Mon Aug 8 22:01:08 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

08/08/2022 - Diary entry #569:

Recently, a new ransomware family was found targeting South Korean organizations in the healthcare, industrial, and pharmaceutical sectors. Named GwisinLocker, it encrypts both Windows systems and Linux ESXi servers and drops a ransom note with instructions to contact the threat actors.

Distributed via MSI files (Microsoft Installer format), it requires a specific command-line argument to run the MSI file and load an internal DLL. Next, it decrypts a shellcode and injects it into a legitimate Windows system process (a different process for each infected victim).

To encrypt the files, GwisinLocker uses a combination of RSA+AES with SHA256, generating a unique key for each file. The dropped ransom note is a text file written in English that contains contact information (a URL hosted on the dark web) and a list of the stolen data.

GwisinLocker follows the trend of targeting multiple operating systems, including virtualized ESXi servers. Although the group is only targeting South Korean entities, organizations worldwide should take GwisinLocker’s TTPs into account by performing red team assessments and securing their perimeter.

Kind Regards,



Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com
