AL2022_48 GwisinLocker ransomware encrypts ESXi servers running Windows and Linux. (10th August 2022)

Description  

GwisinLocker is a new ransomware family that can infect both Windows and Linux systems. GwisinLocker was written by a relatively unknown threat actor named Gwisin (meaning ghost or spirit in Korean). 

Summary  

The GwisinLocker ransomware is one of the most recent types of ransomwares to target South Korean companies in the manufacturing and pharmaceutical industries. Linux victims must log into a portal run by the group and establish private communication channels in order to complete ransom payments, and as a result, little is known about the group's payment method and/or cryptocurrency wallets. 

When GwisinLocker infects a Windows device, the infection starts with the execution of an MSI installer file, which requires a special command line arguments to properly load the embedded DLL that acts as the ransomware encryptor. When the proper command-line arguments are supplied, the MSI will decrypt and inject its internal DLL (ransomware) into a Windows process to avoid detection by antivirus software, which varies by company. 

The configuration may include an argument that instructs the ransomware to run in safe mode. In such cases, it copies itself to a ProgramData subfolder, registers as a service, and then forces a safe mode reboot. The encryptor in the Linux version examined is heavily focused on encrypting VMware ESXi virtual machines, with two command-line arguments controlling how the Linux encryptor will encrypt virtual machines. 

How it works  

TGwisinLocker encrypts files with the.mcrgnx extension. The key for the file is stored in a separate 256-byte file with the same extension. It encrypts files with AES to conceal the key and prevent easy decryption. It generates a unique key for each file by combining AES symmetric-key encryption with SHA256 hashing. Compromise endpoints are renamed GWISIN Ghost, according to reports. 

Indicators of Compromise:   

The hashes and strings below correspond to files linked to active GwisinLocker Linux variants and attacks: 

  • /tmp/.66486f04-bf24-4f5e-ae16-0af0fdb3d8fe – Mutex  

  • !!!_HOW_TO_UNLOCK_MCRGNX_FILES_!!!.TXT - Ransom Note  

  • ce6036db4fee35138709f14f5cc118abf53db112 – GwisinLocker Ransomware (32-bit ELF)  

  • /e85b47fdb409d4b3f7097b946205523930e0c4ab – GwisinLocker Ransomware (64-bit ELF)  

Remediation  

It is advised to turn off virtual environments when they are not in use. It is also advised to disable VMware shared folders with the host machine, virtual and host environment clipboard sharing, and remote SSH logins. 

Backups of sensitive information are also recommended and finally, internal threat hunting teams should scan corporate networks on a regular basis for IOCs contained in this alert, ensuring that no Gwisin actor is hiding a presence within private networks. 

The Guyana National CIRT recommends that users and administrators review this alert and make changes where necessary. 

PDF Download: GwisinLocker ransomware.pdf

References