Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

New GwisinLocker ransomware encrypts Windows and Linux ESXi servers

A new ransomware family called ‘GwisinLocker’ targets South Korean healthcare, industrial, and pharmaceutical companies with Windows and Linux encryptors, including support for encrypting VMware ESXi servers and virtual machines.

The new malware is the product of a lesser-known threat actor dubbed Gwisin, which means “ghost” in Korean. The actor is of unknown origin but appears to have a good knowledge of the Korean language.

Also, the attacks coincided with Korean public holidays and occurred during early morning hours, so Gwisin has a good grasp of the country’s culture and business routines.

Reports about Gwisin and its activities first appeared on South Korean media outlets late last month, when the threat actor compromised large pharmaceutical firms in the country.

On Wednesday, Korean cybersecurity experts at Ahnlab published a report on the Windows encryptor, and yesterday, security researchers at ReversingLabs published their technical analysis of the Linux version.

Targeting Windows and Linux servers

When GwisinLocker encrypts Windows devices, the infection begins with the execution of an MSI installer file, which requires special command line arguments to properly load the embedded DLL that acts as the ransomware encryptor.

Requiring command-line arguments makes it harder for security researchers to analyze the ransomware.

When the proper command-line arguments are provided, the MSI will decrypt and inject its internal DLL (ransomware) into a Windows process to evade AV detection, which is different for each company.

The configuration sometimes includes an argument that sets the ransomware to operate in safe mode. In those cases, it copies itself to a ProgramData subfolder, registers as a service, and then forces a reboot in safe mode.

For the Linux version analyzed by ReversingLabs, the encryptor focuses strongly on encrypting VMware ESXi virtual machines, including two command-line arguments that control how the Linux encryptor will encrypt virtual machines.

The command-line arguments for the GwisinLocker Linxu encryptor are listed below:

Usage: Usage
-h, --help    show this help message and exit
Options
-p, --vp= Comma-separated list of paths to encrypt
-m, --vm= Kills VM processes if 1; Stops services and processes if 2
-s, --vs= Seconds to sleep before execution
-z, --sf= Skip encrypting ESXi-related files (those excluded in the configuration)
-d, --sd= Self-delete after completion
-y, --pd= Writes the specified text to a file of the same name
-t, --tb= Enters loop if Unix time is 

These arguments include the --vm flag, which will execute the following commands to enumerate ESXi virtual machines and shut them down.

esxcli --formatter=csv --format-param=fields=="DisplayName,WorldID" vm process list

esxcli vm process kill --type=force --world-id="[ESXi] Shutting down - %s"

To avoid rendering the Linux server unusable, GwisinLocker will exclude the following directories from encryption.

Processes excluded from encryption
Processes excluded from encryption (ReversingLabs)

Unless the --sf command-line argument is used, the Linux ransomware will also exclude specific VMware ESXi related files (state.tgz, useropts.gz, jumpstrt.gz, etc) to prevent the server from becoming unbootable.

Finally, the ransomware terminates several Linux daemons before initiating encryption to make their data available for the locking process.

Services killed before encryption
Services killed before encryption (ReversingLabs)

When encrypting files, the encryptor uses AES symmetric-key encryption with SHA256 hashing.

Customized for each victim

Regardless of the operating system targeted in the attack, all encryptors are customized to include the company name in the ransom note and to use a unique extension for encrypted file names.

Advertisement. Scroll to continue reading.

For one victim known by BleepingComputer, threat actors heavily customized the ransom note to include the specific data that was stolen during the attack, which we redacted in the note below.

The ransom notes are named ‘!!!_HOW_TO_UNLOCK_[company_name]_FILES_!!!.TXT’ and are written in English, with some warning the victim not to contact the South Korean law enforcement agencies or KISA (Korea Internet and Security Agency).

An example GwisinLocker ransom note
An example GwisinLocker ransom note
Source: BleepingComptuer

Instead, the victims are told to visit an onion address using the Tor browser, log in with the provided credentials, and follow the instructions on paying a ransom and restoring files.

While AhnLab’s and ReversingLabs noted that GwisinLocker primarily targets South Korean industrial and pharmaceutical companies, BleepingComputer is aware of a healthcare clinic that was also targeted.

Source: https://www.bleepingcomputer.com/news/security/new-gwisinlocker-ransomware-encrypts-windows-and-linux-esxi-servers/

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

The Colorado Department of Higher Education (CDHE) discloses a massive data breach impacting students, past students, and teachers after suffering a ransomware attack in...

Cyber Security

Using a vulnerability in MOVEit Transfer, hackers gained access to 8 to 11 million individuals’ ‘Users Data’ protected health information. Maximus, a US government contracting...

Cyber Security

Security researchers have dissected a recently emerged ransomware strain named ‘Big Head’ that may be spreading through malvertising that promotes fake Windows updates and Microsoft Word...

Business News

The nuclear-powered submarine USS Michigan approaches a naval base in Busan, South Korea, Friday, June 16, 2023. The United States deployed the nuclear-powered submarine...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO