From the Labs: YARA Rule for Detecting GwisinLocker

ReversingLabs threat analysts are constantly working to respond to new threats and provide our customers with information and tools to defend their systems from attacks. Written by our threat analysts, our high-quality, open source YARA rules help threat hunters, incident responders, security analysts, and other defenders detect malicious behavior in their environment.

In this series, we break down some of the threats behind our YARA detection rules that can help your organization to detect them within your environment.

GwisinLocker: A Tool for Attacking Critical Infrastructure

Threat actors have been using ransomware to attack critical infrastructure organizations globally for some time. Attacks on critical infrastructure sectors, such as healthcare, finance, transportation and more, not only impact the victim organizations themselves, but also national security and societal stability. The discovery of GwisinLocker, a ransomware family, is just one of the more recent examples of a strain that cybercriminals are using to take advantage of organizations that are vital to a society’s infrastructure.

ReversingLabs researchers discovered GwisinLocker on July 19, 2022 while carrying out a threat hunting operation. It appeared as an undetected Linux ransomware sample with the markers of the Gwisin campaign. (Gwisin is a Korean word that means “ghost” or “spirit.”)

Gwisin Group Targets Industrial, Pharma Firms

The Gwisin ransomware group targeted several South Korean industrial and pharmaceutical companies, both serving critical infrastructure sectors in the country. Gwisin has been around since 2021, but has kept a relatively low profile until its more recent attacks in South Korea.

The Gwisin ransomware group uses the GwisinLocker ransomware to encrypt a victim’s files, while hiding the decryption key to prevent victims from using it to restore their files. Compromised endpoints on the victim’s system are then renamed “GWISIN Ghost.”

Attacks Show Familiarity with South Korean Society

Based on the way Gwisin targeted its victims, it is believed that the group has a strong grasp on South Korean society. The attacks on pharmaceutical companies took place on public holidays and in early morning hours on typical work days. These time frames are also the least monitored and staffed, giving the attacker a more lax environment that they can take advantage of.

Victims of GwisinLocker were given ransom notes after being attacked that included sensitive information taken from their environments. The ransom notes were also written in English, but had references to Korean-specific terms and warned victims of going to South Korean law enforcement agencies about the attack. The file extensions of victims’ encrypted files were also changed to the victim’s company name, making it clear that their files were compromised by cybercriminals.

GwisinLocker Attacker Techniques

As with other ransomware families, GwisinLocker locates and encrypts a victim’s files in order to take control of the environment. It combines AES symmetric-key encryption with SHA256 hashing, generating a unique decryption key for each file. Once a file is encrypted, it is given the “.mcrgnx” extension.

The extension is represented as two stack strings that can be seen in the picture below. The first stack string is 0x72636d2e, and it represents the first part of the extension in the reverse byte order (rcm.). The second stack string is 0x786967, and it represents the second part of the extension (xig). This is a method of obfuscation which serves the purpose of confusing the reverser and making the reversing process slower.

The decryption key is stored in an accompanying file with the extension .mcrgnx0, encrypted with an embedded RSA public key. Note: these extensions are campaign-specific, but Gwisin tactics were consistent across several incidents.

One notable behavior is the shutting down of the VMWare ESXi machines before the encryption. The part of code which implements this behavior can be seen in the picture below.

The usage of stack strings can be seen here as well. The command they obfuscate is:

esxcli vm process kill --type=force --world-id="[ESXi] Shutting down - %s"

Victims are then asked by the Gwisin group to log into a private portal that allows the two parties to communicate with one another, with the purpose of paying a ransom in hopes that the victim’s files will be decrypted. Because the communication channels are private, little is known about how payments are made and what cryptocurrency wallets are attached to the operation.

In finding and analyzing the GwisinLocker sample, ReversingLabs researchers were able to establish a list of Indicators of Compromise (IoCs) and Filesystems that are associated with the ransomware group’s operations.

Detecting GwisinLocker

Even though the Gwisin ransomware group has targeted a select number of victims in South Korea, the group could still target critical infrastructure organizations both inside and outside of the country. This is why it is crucial to detect GwisinLocker infections before these threat actors have a chance to execute the malware.

ReversingLabs’ GwisinLocker YARA rule is designed to detect this ransomware within your environment with high fidelity and almost no false-positives.

Download the GwisinLocker YARA rule from ReversingLabs' GitHub page here:

Linux.Ransomware.GwisinLocker.yara

To learn more about the prerequisites for using ReversingLabs’ YARA rules, consult our Github page.

The Work Doesn’t Stop Here

ReversingLabs’ team of analysts are constantly surveying the threat landscape in an effort to better serve our customers and the greater security community. Don’t hesitate to contact us if you’d like to learn more about how we help organizations combat threats like malicious wipers and ransomware or to schedule a demonstration.