GwisinLocker ransomware encrypts ESXi servers running Windows and Linux. (10th August 2022)

Ref# AL2022_48 | Date: Aug 10th 2022


GwisinLocker is a new ransomware family that can infect both Windows and Linux systems. GwisinLocker was written by a relatively unknown threat actor named Gwisin (meaning ghost or spirit in Korean). 


The GwisinLocker ransomware is one of the most recent types of ransomwares to target South Korean companies in the manufacturing and pharmaceutical industries. Linux victims must log into a portal run by the group and establish private communication channels in order to complete ransom payments, and as a result, little is known about the group”s payment method and/or cryptocurrency wallets. 

When GwisinLocker infects a Windows device, the infection starts with the execution of an MSI installer file, which requires a special command line arguments to properly load the embedded DLL that acts as the ransomware encryptor. When the proper command-line arguments are supplied, the MSI will decrypt and inject its internal DLL (ransomware) into a Windows process to avoid detection by antivirus software, which varies by company. 

The configuration may include an argument that instructs the ransomware to run in safe mode. In such cases, it copies itself to a ProgramData subfolder, registers as a service, and then forces a safe mode reboot. The encryptor in the Linux version examined is heavily focused on encrypting VMware ESXi virtual machines, with two command-line arguments controlling how the Linux encryptor will encrypt virtual machines. 

How it works  

TGwisinLocker encrypts files with the.mcrgnx extension. The key for the file is stored in a separate 256-byte file with the same extension. It encrypts files with AES to conceal the key and prevent easy decryption. It generates a unique key for each file by combining AES symmetric-key encryption with SHA256 hashing. Compromise endpoints are renamed GWISIN Ghost, according to reports. 

Indicators of Compromise:   

The hashes and strings below correspond to files linked to active GwisinLocker Linux variants and attacks: 

  • /tmp/.66486f04-bf24-4f5e-ae16-0af0fdb3d8fe Mutex  

  • !!!_HOW_TO_UNLOCK_MCRGNX_FILES_!!!.TXT – Ransom Note  

  • ce6036db4fee35138709f14f5cc118abf53db112 GwisinLocker Ransomware (32-bit ELF)  

  • /e85b47fdb409d4b3f7097b946205523930e0c4ab GwisinLocker Ransomware (64-bit ELF)  


It is advised to turn off virtual environments when they are not in use. It is also advised to disable VMware shared folders with the host machine, virtual and host environment clipboard sharing, and remote SSH logins. 

Backups of sensitive information are also recommended and finally, internal threat hunting teams should scan corporate networks on a regular basis for IOCs contained in this alert, ensuring that no Gwisin actor is hiding a presence within private networks. 

The Guyana National CIRT recommends that users and administrators review this alert and make changes where necessary. 

PDF Download: GwisinLocker ransomware.pdf