ReversingLabs researchers have discovered a new ransomware family targeting Linux-based systems in South Korea.
Dubbed GwisinLocker, the malware was detected by ReversingLabs on July 19 while conducting successful campaigns against firms in the industrial and pharmaceutical sectors.
“In those incidents, it often launched attacks on public holidays and during the early morning hours (Korean time) – looking to take advantage of periods in which staffing and monitoring in target environments were relaxed,” ReversingLabs wrote in an advisory published on Thursday.
In the document, the company said GwisinLocker is a new malware variant created by a previously little-known threat actor (TA) known as “Gwisin” (a Korean word for ‘ghost’ or ‘spirit’).
“In communications with its victims, the Gwisin group claims to have deep knowledge of their network and asserts that they exfiltrated data with which to extort the company,” ReversingLabs stated.
In addition, ransom notes associated with GwisinLocker.Linux contained detailed internal information from the compromised environment, and encrypted files used file extensions customized to the name of the victim company.
Regarding details of the payment process behind the ransomware, ReversingLabs said GwisinLocker.Linux victims are required to log into a portal operated by the group and set up private communication channels for completing ransom payments.
“As a result, little is known about the payment method used and/or cryptocurrency wallets associated with the group.”
Because of its familiarity with the Korean language as well as with South Korean government and law enforcement agencies, ReversingLabs said Gwisin may be a North Korean-linked advanced persistent threat (APT) group.
“This threat should be of particular concern to industrial and pharmaceutical companies in South Korea, which account for the bulk of Gwisin’s victims to date,” ReversingLabs explained.
“However, it is reasonable to believe that this threat actor may expand its campaigns to businesses in other sectors, or even outside of South Korea.”
The security researchers concluded the advisory by advising organizations concerned about GwisinLocker to review the Indicators of Compromise in the report and make them available to internal or external threat hunting teams.
Some parts of this article are sourced from:
www.infosecurity-magazine.com