GwisinLocker A New Ransomware Encrypts Windows and Linux ESXi Servers

A new ransomware family has been discovered by ReversingLabs’ cybersecurity analysts, which targets specifically Linux-based systems using a range of encryption methods. GwisinLocker is the malware responsible for the attack.

The GwisinLocker ransomware is one of the latest types of ransomware targeting South Korean companies in industries and pharmaceuticals.

In addition to being an entirely new malware variant, it is notable for the fact that it was produced by a threat actor that had been little known previously.

It is specially designed to target systems that are running the open-source Linux OS, and not only that even it also supports encrypting VMware ESXi servers and VMs. As a result of a significant network compromise, ransomware has been deployed and data has been compromised and exfiltrated.

By using this parameter, the Linux virtual machine encryption tool is able to control the way virtual machines are encrypted.

Ransom Note

Each encryptor is customized for every single OS targeted in the attack, regardless of which ones are targeted in the attack. As a result of their customization, they meet the following requirements:-

In the ransom note, the name of the company is included.

The names of encrypted files are always preceded by a unique extension.

As part of the ransom note, you will find the following type of names:-

• ‘!!!_HOW_TO_UNLOCK_[company_name]_FILES_!!!.TXT’

The ransom notes clearly warn that South Korean law enforcement agencies and KISA should not be contacted by victims, and the ransom notes were written in English.

In order to restore files, victims were instructed that they must use the Tor browser to access an onion address provided by the operators, login, and pay the ransom.

You can follow us on Linkedin,