IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

South Korean public sector organisations targeted by Gwisin ransomware

Threat actors tailored attacks on victims such as pharmaceutical companies, with researchers still in the dark on key details

A strain of ransomware that targets public sector organisations in the healthcare, pharmaceutical and industrial sectors across South Korea has been discovered by researchers.

AhnLab Security Emergency Response Center (ASEC) classified the variant, named ‘Gwisin’ after the South Korean word for a type of ghost, in a blog post. It has already been linked to prominent ransomware attacks against pharmaceutical companies on recent public holidays.

Unlike some strains of malware, Gwisin is being manually sent to targets by its threat actors. As a result of the clear strategy through which targets are being chosen, researchers have been unable as yet to establish a standardised attack methodology for this ransomware.

The specialised nature of each attack suggests that the threat actors may use a different vector for each victim, tailoring the method to best suit their respective systems. This makes it a difficult strain to protect against, and threat actor motivation is difficult to predict.

It is known that Gwisin is distributed in the form of a Microsoft Software Installer (MSI) file, which is then used to hijack the dynamic link library (DLL) for encryption purposes. This is a process common among ransomware and can be mitigated.

Increasing the difficulty for researchers, however, is the fact that Gwisin’s MSI file will not execute unless given a specific value by its threat actors. As a result, it has been hard to replicate its effects in a lab environment, and systems administrators might not be able to pinpoint the malicious file until after it has been activated.

Ahnlab was able to identify that before the infection process, the anti-malware tools used by the affected organisations were deactivated. Gwisin is also capable of performing a forced reboot of infected systems to allow operation in safe mode.

After files have been encrypted, Gwisin changes their respective file extensions to that of the company targeted. As with most ransomware attacks, after files have been encrypted a note file is created, containing ransom demands. Within this, the files and contacts that have been stolen are listed.

The unknown attack vectors, and apparent tailoring of strategy from victim to victim, make mitigation against Gwisin difficult. All public sector organisations in South Korea should be on notice as to the dangerous nature of this ransomware, and ensure that security best practice is observed throughout corporate networks.

Another variant of the ransomware which runs on Linux has been identified by researchers at security vendor ReversingLabs. Dubbed GwisinLocker, it employs advanced encryption standard (AES) encryption to hash files. It was also deployed at similar times to its Windows variant (mornings or public holidays) to capitalise on periods with reduced staff.

“This threat should be of particular concern to industrial and pharmaceutical companies in South Korea, which account for the bulk of Gwisin’s victims to date,” read the blog post.

“However, it is reasonable to assume that this threat actor may expand its campaigns to organizations in other sectors, or even outside of South Korea.”

Featured Resources

Big data for finance

How to leverage big data analytics and AI in the finance sector

Free Download

Ten critical factors for cloud analytics success

Cloud-native, intelligent, and automated data management strategies to accelerate time to value and ROI

Free Download

Remove barriers and reconnect with your customers

The $260 billion dollar friction problem businesses don't know they have

Free Download

The future of work is already here. Now’s the time to secure it.

Robust security to protect and enable your business

Free Download

Recommended

US lawmakers warn Apple against using Chinese chips in next iPhone
components

US lawmakers warn Apple against using Chinese chips in next iPhone

23 Sep 2022
Australian telco Optus confirms cyber attack involving potential leak of sensitive customer data
cyber attacks

Australian telco Optus confirms cyber attack involving potential leak of sensitive customer data

22 Sep 2022
Philippine senate to probe incessant surge in text scams
phishing

Philippine senate to probe incessant surge in text scams

8 Sep 2022
US blocks CHIPS-funded companies from investing in China
Policy & legislation

US blocks CHIPS-funded companies from investing in China

7 Sep 2022

Most Popular

How to secure your hybrid workforce
Advertisement Feature

How to secure your hybrid workforce

23 Sep 2022
What your hybrid workforce needs from their laptops
Advertisement Feature

What your hybrid workforce needs from their laptops

21 Sep 2022
Why collaboration is key to digital transformation
Sponsored

Why collaboration is key to digital transformation

13 Sep 2022