Threat Advisory

New GwisinLocker ransomware encrypts Windows and Linux ESXi servers

Threat: Ransomware
Criticality: High

Summary:

A new ransomware family called GwisinLocker targets South Korean healthcare, industrial, and pharmaceutical companies with Windows and Linux encryptors, including support for encrypting VMware ESXi servers and virtual machines. The malware is the product of a lesser-known threat actor dubbed Gwisin. On Windows devices the infection begins with the execution of an MSI installer file, which requires specific command-line arguments to properly load the embedded DLL that acts as the ransomware encryptor. Requiring command-line arguments makes it harder for security researchers to analyse the ransomware, since the encryptor never runs without them. When the proper command-line arguments are supplied, the MSI decrypts its embedded DLL (the ransomware) and injects it into a Windows process to evade antivirus detection; this differs for each targeted company.
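The advisory's point for defenders is that the encryptor only appears once `msiexec` is fed non-standard arguments, so process-creation telemetry for `msiexec.exe` is where the behaviour surfaces. The script below is an added example, not code from the advisory or from either referenced report: it scores constructed process-creation log lines with generic heuristics (installer package launched from a user-writable directory, custom public properties passed on the command line, a scripting parent, silent install combined with those properties). The log lines, the property allow-list, the parent-process list and the scoring weights are all assumptions chosen for illustration; nothing here is a GwisinLocker indicator.

```python
"""Heuristic triage of msiexec.exe process-creation events.

Added example for defenders. All log lines below are constructed, and the
allow-lists and weights are illustrative assumptions, not vendor signatures.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample telemetry in a simple key=value form (quoted values allowed).
SAMPLE_LOG = [
    r'ProcessId=4120 Image=C:\Windows\System32\msiexec.exe ParentImage=C:\Windows\explorer.exe '
    r'CommandLine="msiexec.exe /i C:\Software\7z2201-x64.msi /qn"',
    r'ProcessId=5208 Image=C:\Windows\System32\msiexec.exe ParentImage=C:\Windows\System32\cmd.exe '
    r'CommandLine="msiexec.exe /i C:\Users\jdoe\AppData\Local\Temp\update.msi /qn KEYA=0x1f KEYB=c0ffee"',
    r'ProcessId=6001 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe '
    r'CommandLine="notepad.exe C:\Users\jdoe\notes.txt"',
]

# Windows Installer public properties commonly seen in legitimate deployments
# (partial, illustrative allow-list; extend for your environment).
KNOWN_PROPERTIES = {"ALLUSERS", "INSTALLDIR", "REBOOT", "TARGETDIR", "TRANSFORMS"}
# Public properties are upper-case KEY=VALUE tokens on the msiexec command line.
CUSTOM_PROP = re.compile(r"^[A-Z][A-Z0-9_]*=.+$")
# Directories a standard user can write to; an installer launched from here is unusual.
SUSPICIOUS_DIRS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")
# Parents that indicate msiexec was driven by a script rather than a user or SCCM-style agent.
SCRIPT_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Finding:
    pid: str
    reasons: List[str] = field(default_factory=list)
    score: int = 0


def parse_event(line: str) -> dict:
    """Parse one constructed key=value log line; values may be double-quoted."""
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def analyze(event: dict) -> Optional[Finding]:
    """Score an msiexec.exe event; returns None for any other image."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\msiexec.exe"):
        return None
    finding = Finding(pid=event.get("ProcessId", "?"))
    tokens = event.get("CommandLine", "").split()
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]

    # 1. Installer package located in a user-writable directory.
    packages = [t for t in tokens if t.lower().endswith(".msi")]
    if any(d in p.lower() for p in packages for d in SUSPICIOUS_DIRS):
        finding.score += 2
        finding.reasons.append("package in user-writable path: " + ", ".join(packages))

    # 2. Custom public properties: the "required arguments" pattern the advisory describes.
    custom = [t for t in tokens
              if CUSTOM_PROP.match(t) and t.split("=", 1)[0] not in KNOWN_PROPERTIES]
    if custom:
        finding.score += 3
        finding.reasons.append("custom public properties: " + ", ".join(custom))

    # 3. Launched by a scripting host or shell.
    if parent in SCRIPT_PARENTS:
        finding.score += 1
        finding.reasons.append(f"launched from {parent}")

    # 4. Silent install combined with non-standard properties.
    quiet = any(t.lower() in ("/q", "/qn", "/quiet") for t in tokens)
    if quiet and custom:
        finding.score += 1
        finding.reasons.append("silent install with non-standard properties")
    return finding


def triage(lines: List[str], threshold: int = 4) -> List[Finding]:
    """Return findings at or above the threshold, highest score first."""
    findings = [analyze(parse_event(l)) for l in lines]
    hits = [f for f in findings if f is not None and f.score >= threshold]
    return sorted(hits, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"pid {f.pid} score {f.score}: " + "; ".join(f.reasons))
```

The scoring is deliberately additive so that a single benign trait (a silent install, or an MSI in a Downloads folder) does not page anyone on its own, while the combination the advisory describes, an installer that only does its work when fed extra properties, clears the threshold. Tune `KNOWN_PROPERTIES` against your own software-deployment baseline before relying on heuristic 2.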

References:

The following reports contain further technical details:

https://www.bleepingcomputer.com/news/security/new-gwisinlocker-ransomware-encrypts-windows-and-linux-esxi-servers/

https://blog.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies
