reports that South Korean industrial, pharmaceutical, and healthcare firms leveraging Windows and VMware ESXi servers have been targeted by the novel GwisinLocker ransomware family in attacks occurring during the early morning hours of Korean public holidays.
AhnLab researchers discovered that Windows devices are being encrypted with GwisinLocker ransomware through the execution of an MSI installer file. The MSI embeds a DLL that functions as the ransomware encryptor; the DLL is loaded only when specific command-line arguments are supplied, and this dependence on arguments helps the ransomware evade detection by antivirus systems.
Meanwhile, a separate report from ReversingLabs showed that VMware ESXi virtual machines have been a primary focus for encryption by GwisinLocker's Linux encryptor. Researchers found that command-line arguments passed to the Linux encryptor cause it to run commands that shut down ESXi virtual machines before encryption. According to the report, the encryptor also skips various directories so that the Linux server remains usable, and excludes specific ESXi-related files so that the server can still boot.