A new ransomware family, GwisinLocker, has been observed targeting healthcare, industrial, and pharmaceutical firms in South Korea. 

GwisinLocker’s Korean touch

GwisinLocker is developed by a not-so-popular threat actor named Gwisin and the origin of the threat group is not known.
  • It appears they have good knowledge of the Korean language as they used the Korean (Hangul) script in ransom notes.
  • The attacks were aligned with Korean public holidays and happened during the early morning hours.
  • The group is thought to have a good understanding of Korea’s culture and business routines, as they conducted their attacks on South Korean holidays and during the early morning hours.

Additionally, the recent Gwisin activities were first observed by South Korean media outlets in the last month, when they targeted large pharmaceutical firms in South Korea.

Different approaches for different platforms

The GwisinLocker ransomware has two versions for both Windows and Linux platforms. The Windows version was reported by Ahnlab while the Linux version was disclosed by the researchers from ReversingLabs.
  • In one specific incident, when GwisinLocker encrypted Windows systems, the infection started with the execution of an MSI installer file. The file needed particular command line arguments to load a DLL acting as encryptor.
  • For the Linux version, the encryptor focuses on encrypting ESXi virtual machines. It uses two command-line arguments to control how the Linux encryptor will encrypt the virtual machines.

Custom notes for each victim

Both encryptors are customized to add the victim firm’s name in the ransom note, along with a unique extension for encrypted file names.
  • For one victim, according to a news agency, the ransomware operators heavily customized the ransom note to add specific data that was believed to be stolen during the attack.
  • The ransom notes ('!!!_HOW_TO_UNLOCK_[company_name]_FILES_!!![.]TXT') are written in English and warn victims against contacting the law enforcement agencies or KISA.


The GwisinLocker ransomware is relatively new, yet has already targeted multiple entities in South Korea. With Windows and Linux systems in their range of targets, hackers aim at a larger victim base. Thus, the threat should not be taken lightly and adequate security measures should be taken, such as encrypting important data, deploying proper access control, and staying up-to-date.
Cyware Publisher