A strain of ransomware that targets public sector organisations in the healthcare, pharmaceutical and industrial sectors across South Korea has been discovered by researchers.
AhnLab Security Emergency Response Center (ASEC) classified the variant, named ‘Gwisin’ after the South Korean word for a type of ghost, in a blog post. It has already been linked to prominent ransomware attacks against pharmaceutical companies on recent public holidays.
Unlike some strains of malware, Gwisin is being manually sent to targets by its threat actors. As a result of the clear strategy through which targets are being chosen, researchers have been unable as yet to establish a standardised attack methodology for this ransomware.
The specialised nature of each attack suggests that the threat actors may use a different vector for each victim, tailoring the method to best suit their respective systems. This makes it a difficult strain to protect against, and threat actor motivation is difficult to predict.
It is known that Gwisin is distributed in the form of a Microsoft Software Installer (MSI) file, which is then used to hijack the dynamic link library (DLL) for encryption purposes. This is a process common among ransomware and can be mitigated.
Increasing the difficulty for researchers, however, is the fact that Gwisin’s MSI file will not execute unless given a specific value by its threat actors. As a result, it has been hard to replicate its effects in a lab environment, and systems administrators might not be able to pinpoint the malicious file until after it has been activated.
Ahnlab was able to identify that before the infection process, the anti-malware tools used by the affected organisations were deactivated. Gwisin is also capable of performing a forced reboot of infected systems to allow operation in safe mode.
After files have been encrypted, Gwisin changes their respective file extensions to that of the company targeted. As with most ransomware attacks, after files have been encrypted a note file is created, containing ransom demands. Within this, the files and contacts that have been stolen are listed.
The unknown attack vectors, and apparent tailoring of strategy from victim to victim, make mitigation against Gwisin difficult. All public sector organisations in South Korea should be on notice as to the dangerous nature of this ransomware, and ensure that security best practice is observed throughout corporate networks.
Another variant of the ransomware which runs on Linux has been identified by researchers at security vendor ReversingLabs. Dubbed GwisinLocker, it employs advanced encryption standard (AES) encryption to hash files. It was also deployed at similar times to its Windows variant (mornings or public holidays) to capitalise on periods with reduced staff.
“This threat should be of particular concern to industrial and pharmaceutical companies in South Korea, which account for the bulk of Gwisin’s victims to date,” read the blog post.
“However, it is reasonable to assume that this threat actor may expand its campaigns to organizations in other sectors, or even outside of South Korea.”
-
The unseen risk in Microsoft 365: disaster recoveryBusinesses that assume they’re covered for data backup could come unstuck in a time of crisis
-
Anthropic CEO Dario Amodei's prediction about AI in software development is nowhere nearly to becoming a realityNews In March, Anthropic CEO Dario Amodei claimed up to 90% of code would be written by AI within six months – his prediction hasn't quite come to fruition.
-
Prolific ransomware operator added to Europe’s Most Wanted list as US dangles $10 million rewardNews The US Department of Justice is offering a reward of up to $10 million for information leading to the arrest of Volodymyr Viktorovych Tymoshchuk, an alleged ransomware criminal.
-
Jaguar Land Rover “did the right thing” shutting down systems to thwart cyber attackNews The attack on Jaguar Land Rover highlights the growing attractiveness of the automotive sector
-
Ransomware attack on IT supplier disrupts hundreds of Swedish municipalitiesNews The attack on IT systems supplier Miljödata has impacted public sector services across the country
-
A notorious hacker group is ramping up cloud-based ransomware attacksNews The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
-
Security researchers have just identified what could be the first ‘AI-powered’ ransomware strain – and it uses OpenAI’s gpt-oss-20b modelNews Using OpenAI's gpt-oss:20b model, ‘PromptLock’ generates malicious Lua scripts via the Ollama API.
-
Data I/O shuts down systems in wake of ransomware attack
News Regulatory filings by Data I/O suggest the costs of dealing with the attack could be significant
-
Average ransom payment doubles in a single quarterNews Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
-
BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new groupNews The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos
