South Korean public sector organisations targeted by Gwisin ransomware – IT PRO

View all Business
View all Cloud
View all Hardware
View all Infrastructure
View all Security
View all Software
View all Technology
Getty Images
A strain of ransomware that targets public sector organisations in the healthcare, pharmaceutical and industrial sectors across South Korea has been discovered by researchers.
AhnLab Security Emergency Response Center (ASEC) classified the variant, named ‘Gwisin’ after the South Korean word for a type of ghost, in a blog post. It has already been linked to prominent ransomware attacks against pharmaceutical companies on recent public holidays.
Unlike some strains of malware, Gwisin is being manually sent to targets by its threat actors. As a result of the clear strategy through which targets are being chosen, researchers have been unable as yet to establish a standardised attack methodology for this ransomware.
The specialised nature of each attack suggests that the threat actors may use a different vector for each victim, tailoring the method to best suit their respective systems. This makes it a difficult strain to protect against, and threat actor motivation is difficult to predict.
It is known that Gwisin is distributed in the form of a Microsoft Software Installer (MSI) file, which is then used to hijack the dynamic link library (DLL) for encryption purposes. This is a process common among ransomware and can be mitigated.
Increasing the difficulty for researchers, however, is the fact that Gwisin’s MSI file will not execute unless given a specific value by its threat actors. As a result, it has been hard to replicate its effects in a lab environment, and systems administrators might not be able to pinpoint the malicious file until after it has been activated.
Ahnlab was able to identify that before the infection process, the anti-malware tools used by the affected organisations were deactivated. Gwisin is also capable of performing a forced reboot of infected systems to allow operation in safe mode.
After files have been encrypted, Gwisin changes their respective file extensions to that of the company targeted. As with most ransomware attacks, after files have been encrypted a note file is created, containing ransom demands. Within this, the files and contacts that have been stolen are listed.
The unknown attack vectors, and apparent tailoring of strategy from victim to victim, make mitigation against Gwisin difficult. All public sector organisations in South Korea should be on notice as to the dangerous nature of this ransomware, and ensure that security best practice is observed throughout corporate networks.
Another variant of the ransomware which runs on Linux has been identified by researchers at security vendor ReversingLabs. Dubbed GwisinLocker, it employs advanced encryption standard (AES) encryption to hash files. It was also deployed at similar times to its Windows variant (mornings or public holidays) to capitalise on periods with reduced staff.
“This threat should be of particular concern to industrial and pharmaceutical companies in South Korea, which account for the bulk of Gwisin’s victims to date,” read the blog post.
“However, it is reasonable to assume that this threat actor may expand its campaigns to organizations in other sectors, or even outside of South Korea.”
The state of Salesforce: Future of business
Three articles that look forward into the changing state of Salesforce and the future of business
The mighty struggle to migrate SAP to the cloud may be over
A simplified and unified approach to delivering Enterprise Transformation in the cloud
The business value of the transformative mainframe
Modernising on the mainframe
The Total Economic Impact™ Of IBM FlashSystem
Cost savings and business benefits enabled by FlashSystem
Why convenience is the biggest threat to your security
How to boot Windows 11 in Safe Mode
Microsoft successfully tests emission-free hydrogen fuel cell system for data centres
ITPro is part of Future plc, an international media group and leading digital publisher. Visit our corporate site www.futureplc.com
© Future Publishing Limited, Quay House, The Ambury, Bath BA1 1UA. All rights reserved. England and Wales company registration number 2008885

source