Gwisin Ransomware Targeting Korean Companies
Cases of Gwisin ransomware attacking Korean companies have recently been on the rise. It is distributed to target specific companies. It is similar to Magniber in that it operates in the form of an MSI installer. Yet unlike Magniber, which targets random individuals, Gwisin does not perform malicious behaviors on its own and requires a special value to be supplied as an execution argument. The value is used as key information to run the DLL file included in the MSI.
As such, the file alone does not perform ransomware activities in the sandbox environments of various security products, making Gwisin difficult to detect. The ransomware’s internal DLL operates by being injected into a normal Windows process. This process is different for each infected company.
The following shows the characteristics of Gwisin that have been identified so far.
(1) Distributed in the form of an MSI installer file
(2) Uses the argument value passed when running the MSI to run the internal DLL
(3) Performs …