A strain of ransomware that targets public sector organisations in the healthcare, pharmaceutical and industrial sectors across South Korea has been discovered by researchers.
AhnLab Security Emergency Response Center (ASEC) classified the variant, named ‘Gwisin’ after the South Korean word for a type of ghost, in a blog post. It has already been linked to prominent ransomware attacks against pharmaceutical companies on recent public holidays.
Unlike some strains of malware, Gwisin is being manually sent to targets by its threat actors. As a result of the clear strategy through which targets are being chosen, researchers have been unable as yet to establish a standardised attack methodology for this ransomware.
The specialised nature of each attack suggests that the threat actors may use a different vector for each victim, tailoring the method to best suit their respective systems. This makes it a difficult strain to protect against, and threat actor motivation is difficult to predict.
It is known that Gwisin is distributed in the form of a Microsoft Software Installer (MSI) file, which is then used to hijack the dynamic link library (DLL) for encryption purposes. This is a process common among ransomware and can be mitigated.
Increasing the difficulty for researchers, however, is the fact that Gwisin’s MSI file will not execute unless given a specific value by its threat actors. As a result, it has been hard to replicate its effects in a lab environment, and systems administrators might not be able to pinpoint the malicious file until after it has been activated.
Ahnlab was able to identify that before the infection process, the anti-malware tools used by the affected organisations were deactivated. Gwisin is also capable of performing a forced reboot of infected systems to allow operation in safe mode.
After files have been encrypted, Gwisin changes their respective file extensions to that of the company targeted. As with most ransomware attacks, after files have been encrypted a note file is created, containing ransom demands. Within this, the files and contacts that have been stolen are listed.
The unknown attack vectors, and apparent tailoring of strategy from victim to victim, make mitigation against Gwisin difficult. All public sector organisations in South Korea should be on notice as to the dangerous nature of this ransomware, and ensure that security best practice is observed throughout corporate networks.
Another variant of the ransomware which runs on Linux has been identified by researchers at security vendor ReversingLabs. Dubbed GwisinLocker, it employs advanced encryption standard (AES) encryption to hash files. It was also deployed at similar times to its Windows variant (mornings or public holidays) to capitalise on periods with reduced staff.
“This threat should be of particular concern to industrial and pharmaceutical companies in South Korea, which account for the bulk of Gwisin’s victims to date,” read the blog post.
“However, it is reasonable to assume that this threat actor may expand its campaigns to organizations in other sectors, or even outside of South Korea.”
-
RSAC Conference 2025: The front line of cyber innovationITPro Podcast Ransomware, quantum computing, and an unsurprising focus on AI were highlights of this year's event
-
Anthropic CEO Dario Amodei thinks we're burying our heads in the sand on AI job lossesNews With AI set to hit entry-level jobs especially, some industry execs say clear warning signs are being ignored
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker groupNews An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabsNews An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operatorsNews A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attackNews A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?News The Scattered Spider group has been highly active in recent years
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
News Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.
-
Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the lastNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
