GwisinLocker.Linux is a Linux-based ransomware variant linked to the Gwisin threat actor, targeting South Korean industrial and pharmaceutical firms. It encrypts files using per-file AES keys (with RSA-wrapped keys), stores keys in .mcrgnx0 files, appends .mcrgnx to encrypted files, and actively disrupts virtualization environments while exfiltrating data for double extortion. #Gwisin #GwisinLocker #GwisinLockerLinux #SouthKoreanPharma #VMwareESXi
Key points
- GwisinLocker.Linux is a newly identified Linux ransomware variant attributed to the Gwisin actor, targeting South Korean industrial and pharmaceutical firms.
- The malware encrypts files with AES (per-file keys) and wraps the AES keys with RSA, storing the encrypted key in a .mcrgnx0 file and renaming the target to .mcrgnx.
- The configuration data is embedded in the malware and decrypted at runtime; the config is RC4-encrypted and contains lists of excluded and targeted files/directories.
- Before encryption, GwisinLocker may kill certain services and processes so that open file handles are released, and it can shut down ESXi virtual machines via esxcli commands.
- Encryption targets specific Linux directories and key operational data locations while avoiding files whose loss would destabilize the OS, so the host remains reachable; ransom notes are written in English, reference Hangul, and direct victims to Tor/onion sites.
- GwisinLocker pursues double extortion by exfiltrating data prior to or during encryption and threatening to leak or sell stolen data.
- The campaign appears focused on prominent South Korean firms and carries indicators suggesting possible links to North Korea-based threat activity.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – The ransomware is run with command-line options such as -p, --vp=<str> and -m, --vm=<int> to configure its behavior. Its usage text lists these options, e.g. 'Usage: Usage … -p, --vp= Comma-separated list of paths to encrypt'.
- [T1486] Data Encrypted for Impact – Files are encrypted and renamed to [targetfile].mcrgnx, with the AES key encrypted and stored in [targetfile].mcrgnx0. ‘Files encrypted in this GwisinLocker campaign carry the extension .mcrgnx’ and ‘Encrypt and store the AES key in the file … .mcrgnx0’.
- [T1562.001] Impair Defenses – The malware kills specified services/processes before encryption (e.g., apache, httpd, nginx, mysql, docker) to ensure open file handles are closed: 'The following services and related processes are killed before encryption (if the --vm=2 option is set)'.
- [T1041] Exfiltration – Gwisin actors claim to have exfiltrated data to extort the victim: ‘We have deep knowledge… exfiltrated data with which to extort the company.’
- [T1027] Obfuscated/Compressed Files and Information – The ransomware decrypts its configuration data embedded in the malware, encrypted with a hard-coded RC4 key, effectively obfuscating configuration data.
Indicators of Compromise
- [Mutex] /tmp/.66486f04-bf24-4f5e-ae16-0af0fdb3d8fe – GwisinLocker.Linux mutex used to avoid re-execution
- [File] !!!_HOW_TO_UNLOCK_MCRGNX_FILES_!!!.TXT – Ransom note
- [Hash] ce6036db4fee35138709f14f5cc118abf53db112 – GwisinLocker Ransomware (32-bit ELF)
- [Hash] e85b47fdb409d4b3f7097b946205523930e0c4ab – GwisinLocker Ransomware (64-bit ELF)
- [File] [targetfile].mcrgnx – Encrypted file extension used by the ransomware
- [File] [targetfile].mcrgnx0 – Encrypted AES key file associated with each encrypted file
- [Process] esxcli --formatter=csv --format-param=fields=="DisplayName,WorldID" vm process list; esxcli vm process kill --type=force --world-id="[ESXi] Shutting down - %s" – Commands related to VMware ESXi handling
- [Domain] gwisin4yznpdtzq424i3la6oqy5evublod4zbhddzuxcnr34kgfokwad.onion – Ransom site referenced in notes
- [URL] http://gwisin:fa5d9dfc@gwisin4yznpdtzq424i3la6oqy5evublod4zbhddzuxcnr34kgfokwad.onion – Tor-based payment/retrieval site
- [Path] /Information/Database/, /Information/korea_data/, /Information/, /Infra/, /var/log/ – Targeted directories
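The host-level indicators above (mutex marker, ransom-note name, the .mcrgnx/.mcrgnx0 file pairing) lend themselves to a quick triage scan of a suspect mount. The following script is an added example, not code from the original report or from the malware's authors: the indicator values are taken from this page, while the directory tree it scans is constructed in a temporary folder so it runs offline. It also flags encrypted files whose .mcrgnx0 key file is absent (the wrapped AES key is unrecoverable without it) and key files with no matching .mcrgnx (an interrupted run).

```python
"""Host triage helper for the GwisinLocker.Linux indicators listed on this page.

Added example: not code from the original report or from the malware's authors.
Indicator values (mutex path, ransom-note name, .mcrgnx/.mcrgnx0 extensions)
are taken from the page; the sample directory tree is constructed here so the
script runs offline. Point scan_tree() at a real mount to use it for triage.
"""
import os
import shutil
import tempfile
from pathlib import Path

# Indicators from the report (page values, not invented).
MUTEX_PATH = Path("/tmp/.66486f04-bf24-4f5e-ae16-0af0fdb3d8fe")
RANSOM_NOTE = "!!!_HOW_TO_UNLOCK_MCRGNX_FILES_!!!.TXT"
ENC_EXT = ".mcrgnx"   # appended to each encrypted file
KEY_EXT = ".mcrgnx0"  # sibling file holding the RSA-wrapped per-file AES key


def scan_tree(root, mutex_path=MUTEX_PATH):
    """Walk `root` and report the page-listed indicators.

    Returns a dict with: whether the mutex file exists, ransom notes found,
    encrypted files, encrypted files whose .mcrgnx0 key file is missing
    (recovery is impossible without the wrapped key) and key files whose
    .mcrgnx counterpart is absent (e.g. encryption interrupted before rename).
    Paths are reported relative to `root`, sorted, for stable output.
    """
    root = Path(root)
    encrypted, keys, notes = set(), set(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name == RANSOM_NOTE:
                notes.append(p)
            elif name.endswith(KEY_EXT):   # test the longer suffix first
                keys.add(p)
            elif name.endswith(ENC_EXT):
                encrypted.add(p)

    def rel(p):
        return str(p.relative_to(root))

    # [target].mcrgnx pairs with [target].mcrgnx0: append/strip the trailing "0".
    missing_keys = [p for p in encrypted if p.with_name(p.name + "0") not in keys]
    orphan_keys = [k for k in keys if k.with_name(k.name[:-1]) not in encrypted]
    return {
        "mutex": Path(mutex_path).exists(),
        "ransom_notes": sorted(rel(p) for p in notes),
        "encrypted": sorted(rel(p) for p in encrypted),
        "missing_keys": sorted(rel(p) for p in missing_keys),
        "orphan_keys": sorted(rel(p) for p in orphan_keys),
    }


def verdict(findings):
    """Collapse the findings dict into a one-line triage verdict."""
    hits = [k for k, v in findings.items() if v]  # truthy value = indicator seen
    if not hits:
        return "no GwisinLocker indicators"
    return "GwisinLocker indicators: " + ", ".join(hits)


def build_sample_tree():
    """Constructed sample share (not real victim data): two encrypted files,
    one of them missing its key file, an orphan key file, an untouched file,
    a ransom note, and the mutex marker relocated under the sample root."""
    root = Path(tempfile.mkdtemp(prefix="gwisin-triage-"))
    db = root / "Information" / "Database"
    kd = root / "Information" / "korea_data"
    infra = root / "Infra"
    for d in (db, kd, infra, root / "tmp"):
        d.mkdir(parents=True)
    (db / "orders.db.mcrgnx").write_bytes(b"\x00constructed-ciphertext")
    (db / "orders.db.mcrgnx0").write_bytes(b"\x00constructed-wrapped-key")
    (db / "notes.txt.mcrgnx").write_bytes(b"\x00constructed-ciphertext")   # key file never written
    (kd / "report.pdf.mcrgnx0").write_bytes(b"\x00constructed-wrapped-key")  # ciphertext never renamed
    (db / RANSOM_NOTE).write_text("constructed stand-in for the ransom note\n")
    (infra / "hosts.yml").write_text("untouched: true\n")
    (root / "tmp" / MUTEX_PATH.name).touch()  # demo copy of the mutex marker
    return root


def run_demo():
    """Build the constructed tree, scan it, remove it, and return the findings."""
    root = build_sample_tree()
    try:
        return scan_tree(root, mutex_path=root / "tmp" / MUTEX_PATH.name)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    result = run_demo()
    print(verdict(result))
    for key, value in result.items():
        print(f"  {key}: {value}")
```

On a live system, call scan_tree("/") or the affected mount with the default mutex path; the missing_keys list is the first thing to preserve for any later recovery attempt, since each file's AES key exists only in its .mcrgnx0 sibling.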