New ransomware targeting critical Linux Servers in South Korea


Research carried out by Reversing Labs suggests that a new ransomware is invading government related Linux Systems in South Korea and the malware is mainly targeting industries and pharmaceutical companies.

Cybersecurity researchers from Reversing Labs suggest the ransomware name is GwisinLocker and is probably being developed and distributed by a state funded group of North Korea.

“Gwisin” means Ghost or Spirit in Korea and evidence gathered shows that the malware was being created by a little-known threat actor with the same name.

Like all other ransomware variants, Gwisin is also indulging in double extortion tactics. Like first stealing data from the servers of the victim and then encrypting the entire database until a ransom is paid.

The exact amount that is being demanded is yet to be known. But information is out that the victims of GwisinLocker. Linux victims need to log on to the website of the said ransomware group to either negotiate or pay the ransom. And as the website is only accessible through dark web, Reversing Labs could not authenticate the exact amount being demanded by the hackers.

NOTE 1- All the encrypted PCs hit by Gwisin are termed as Gwisin Ghosts.

NOTE 2- According to 2021 research conducted by Cisco Talos, each month around 13 new ransomware variants are detected. And every month at least one or two groups quit the business. All because of the increased surveillance conducted by the law enforcement agencies on cryptocurrency payments by increasing vigil on the blockchain network.


Naveen Goud is a writer at Cybersecurity Insiders covering topics such as Mergers & Acquisitions, Startups, Cyber Attacks, Cloud Security and Mobile Security

No posts to display