GwisinLocker is a new ransomware family targeting South Korean industrial and pharmaceutical companies. Capable of compromising both Windows and Linux systems, GwisinLocker has been coded by a relatively unknown threat actor, called Gwisin (meaning ghost or spirit in Korean).
Security researchers from ReversingLabs provided an analysis of the Linux version, whereas AhnLab analyzed the Windows version. What have researchers discovered about GwisinLocker so far?
GwisinLocker Ransomware Targeting Both Linux and Windows
On Windows targets, the ransomware runs as an MSI installer file that requires specific command-line arguments before it will load the embedded DLL; that DLL is the actual ransomware encryptor component. The command-line arguments are most likely required to hinder analysis by security researchers, since without them the encryptor is never loaded.
On Linux, the ransomware primarily targets VMware ESXi virtual machines, taking two command-line arguments that control how the threat encrypts VMs. The common element across GwisinLocker attacks is that the ransom notes are customized in two ways: the targeted company name is included, and a unique file extension is appended in each infection.
It should be noted that the ransom note is named !!!_HOW_TO_UNLOCK_[company_name]_FILES_!!!.TXT, is written in English, and warns victims not to contact South Korean law enforcement agencies or KISA (Korea Internet and Security Agency).
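Because the ransom note name embeds the victim's company name and the encrypted-file extension differs per infection, a detection cannot rely on one fixed filename or extension. The following Python script is an added example for incident responders, not code from the article or from either research team: it matches the reported note naming pattern to recover the company name, and flags a directory where many files share an extension not in a baseline of expected ones. The sample paths, the extension `.ab12cd`, and the company name `EXAMPLECORP` are constructed for illustration; the regular expression is an assumption built only from the note name reported above.

```python
import re
from collections import Counter
from pathlib import PurePath

# Reported note name: !!!_HOW_TO_UNLOCK_[company_name]_FILES_!!!.TXT
# Only the company-name segment varies, so it is captured as a group.
# (Regex is an assumption derived from that reported name.)
NOTE_NAME_RE = re.compile(
    r"^!!!_HOW_TO_UNLOCK_(?P<company>.+)_FILES_!!!\.TXT$", re.IGNORECASE
)

# Constructed sample listing of a file share after an incident (not real data).
SAMPLE_PATHS = [
    "/srv/share/!!!_HOW_TO_UNLOCK_EXAMPLECORP_FILES_!!!.TXT",
    "/srv/share/report.docx.ab12cd",
    "/srv/share/budget.xlsx.ab12cd",
    "/srv/share/notes.txt.ab12cd",
    "/srv/share/readme.txt",
    "/srv/share/photo.jpg",
]

# Baseline of extensions expected on this share (constructed for the example).
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".jpg", ".pdf"}


def match_ransom_note(path):
    """Return the company name embedded in a GwisinLocker-style note name, or None."""
    name = PurePath(path).name
    m = NOTE_NAME_RE.match(name)
    return m.group("company") if m else None


def find_ransom_notes(paths):
    """Return (path, company) pairs for every path whose name matches the note pattern."""
    hits = []
    for p in paths:
        company = match_ransom_note(p)
        if company is not None:
            hits.append((p, company))
    return hits


def novel_extension(paths, known_extensions, min_count=3):
    """Return the most common file extension that is not in the baseline set,
    provided it occurs at least min_count times; otherwise return None.
    A per-infection extension appended to many files shows up as exactly this."""
    counts = Counter()
    for p in paths:
        ext = PurePath(p).suffix.lower()
        if ext and ext not in known_extensions:
            counts[ext] += 1
    if not counts:
        return None
    ext, n = counts.most_common(1)[0]
    return ext if n >= min_count else None


def triage(paths, known_extensions=KNOWN_EXTENSIONS):
    """Combine both signals into one verdict dictionary for a directory listing."""
    notes = find_ransom_notes(paths)
    ext = novel_extension(paths, known_extensions)
    return {
        "ransom_notes": notes,
        "companies": sorted({c for _, c in notes}),
        "novel_extension": ext,
        "suspected_encryption": bool(notes) and ext is not None,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    for path, company in result["ransom_notes"]:
        print(f"ransom note: {path} (company: {company})")
    print(f"novel extension: {result['novel_extension']}")
    print(f"suspected encryption: {result['suspected_encryption']}")
```

Run it against a real directory listing by replacing `SAMPLE_PATHS` with the output of a file walk; the extension baseline should come from an inventory taken before the incident, since the per-infection extension is unknown in advance.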
Luna ransomware is another example of a cross-platform ransomware threat coded to target Windows, Linux, and ESXi systems.
Discovered by Kaspersky’s Darknet Threat Intelligence monitoring system, the ransomware is advertised on a darknet ransomware forum. It is written in Rust and described as “fairly simple”, but its encryption scheme is unusual: it combines x25519 key exchange with AES, a pairing not often encountered in ransomware campaigns.
“Both the Linux and ESXi samples are compiled using the same source code with some minor changes from the Windows version. For example, if the Linux samples are executed without command line arguments, they will not run. Instead, they will display available arguments that can be used,” Kaspersky said.