Gwisin Detection: Threat Actors Spread Gwisin Ransomware Targeting Korean Companies

[post-views]
August 08, 2022 · 4 min read
Gwisin Detection: Threat Actors Spread Gwisin Ransomware Targeting Korean Companies

Gwisin ransomware targeting Korean companies in multiple industries is currently on the increase in the cyber threat arena. Attributed to the Korean-speaking threat actors, Gwisin ransomware is leveraged in targeted attacks at specific organizations rather than random individuals and does not perform malicious behaviors on its own, which makes its detection harder. The ransomware is spread in the MSI installer file format and applies diverse behaviors for spreading infection that differs for each compromised organization. 

Detect Gwisin Ransomware 

The cybersecurity community is continuously facing the challenge caused by escalating high-profile ransomware attacks accelerating not only in terms of volumes and vectors but also in terms of their impact and speed. To help security practitioners proactively detect malicious activity associated with Gwisin ransomware, our keen Threat Bounty developer Onur Atali has released a dedicated Sigma rule.

Possible Gwisin Ransomware Execution by Detection of Associated Commands (via cmdline)

The rule supports translations to 23 SIEM, EDR, and XDR formats and is aligned with the MITRE ATT&CK framework v.10. addressing the Execution and Impact tactics with Command and Scripting Interpreter (T1059), User Execution (T1204), Data Encrypted for Impact (T1486), and Disk Wipe (T1561) as the primary techniques.

Enthusiastic about joining collaborative cyber defense and helping the cybersecurity community withstand the emerging threats? Join SOC Prime’s Threat Bounty Program, submit your own Sigma rules, and get recurrent rewards while contributing to a safer future in cyber!In view of the increasing ransomware menace, Threat Hunter and SOC Analysts require innovative threat detection approaches to timely react to a growing number of security incidents, cut through the noise, and get better visibility into the attack surface. Registered SOC Prime platform users can access the largest pool of detection algorithms to search for various ransomware threats by pressing Detect & Hunt button. Non-registered users can access the ransomware-related rule kit and all the relevant metadata, including MITRE ATT&CK references and CTI links by hitting Explore Threat Context button.

Detect & Hunt Explore Threat Context

Gwisin Ransomware Analysis

According to the SOC Prime’s Detection as Code Innovation Report 2021, ransomware attacks continue to be the growing trend in 2021-2022 with the increasing sophistication of intrusions and a constantly growing number of ransomware operators. Gwisin ransomware attacking Korean companies is currently on the rise, attributed to the adversary activity of the identically named malware operators with a high command of the Korean language. Among the most common characteristics of Gwisin are its ability to perform malicious behavior by being injected into a Windows system process, the ransomware capability of including information about the compromised company within the internal DLL file displayed in the ransom note, and its support for sophisticated functionality to encrypt files in a safe mode. 

Threat actors spreading malware dubbed Gwisin, which means “ghost” in Korean, are also known to spread a novel ransomware family named GwisinLocker targeting prominent South Korean healthcare, industrial, and pharma companies and capable of encrypting Windows and Linux ESXi servers. In these attacks, ransomware applies the MSI installer file format and leverages an argument value to execute the DLL file included in the MSI. The use of command-line arguments makes it harder for cyber defenders to detect and analyze the ransomware samples. 

Apart from ransomware attacks on Windows systems, ReversingLabs researchers also revealed the GwisinLocker malware version targeting Linux-based systems. According to the conducted research, Gwisin ransomware operators attempt to take control of Linux hosts and interact with VMWare ESXI virtual machines while performing double extortion attacks designed to steal organizations’ sensitive data. 

With the increasing volumes of high-profile ransomware attacks, cyber defenders are looking for new ways to proactively defend against the related threats and timely identify the malicious activity. SOC Prime’s Detection as Code platform curates over 200K of unique detection algorithms tailored for 25+ SIEM, EDR, and XDR solutions and matching organization-specific content needs. Ambitious Detection Engineers and Threat Hunters can also enrich the collective cybersecurity expertise with their own detection content by joining SOC Prime’s crowdsourcing initiative and authoring Sigma and YARA rules, sharing them with industry peers, and gaining recurring financial rewards for their contributions.

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts