The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.


Aug 29, 2022 2:33:33 PM / by PolySwarm Tech Team


Verticals Targeted: pharmaceutical, healthcare, industrial

Executive Summary

Ahnlab recently reported on GwisinLocker, a multi-platform ransomware targeting multiple verticals in South Korea.

Key Takeaways

  • GwisinLocker is a ransomware targeting multiple verticals in South Korea. 
  • GwisinLocker uses AES symmetric-key encryption with SHA256 hashing for encryption.
  • Both Windows and Linux variants of GwisinLocker exist.
What is GwisinLocker?

GwisinLocker is a ransomware used in targeted attacks on multiple verticals in South Korea. It targets both Windows and Linux systems.

Windows Version

Ahnlab provided an analysis of the Windows version of GwisinLocker. The Windows variant was distributed via an MSI installer file form. It uses the argument values used to run MSI to run an internal DLL. It then injects itself into Windows system processes, with the process used differing per victim. The ransom note contents and file extension used on the encrypted files is based on the targeted company’s information, which is inside the DLL. GwisinLocker is capable of encrypting files in Safe Mode. According to Ahnlab, GwisinLocker is difficult to detect, as it does not perform ransomware activities on security products in sandbox environments.

Linux Version

The Linux variant of GwisinLocker, which also targets ESXi, follows most ransomware techniques of being deployed after the victim’s data has been exfiltrated. This variant of GwisinLocker uses AES symmetric-key encryption with SHA256 hashing for encryption. GwisinLocker renames compromised endpoints to GWISIN Ghost.

Ransom Note and Payment

GwisinLocker ransom notes are text files written in English with some Hangul characters and placed in the same folders as encrypted files. The note provides the victim with the threat actor's contact information and a list of stolen data. Victims are instructed to log in to a portal and communicate with the threat actor to complete the ransom payment. The note also instructs victims not to contact South Korean law enforcement or agencies.

Who is Gwisin?

GwisinLocker is associated with the threat actor group known as Gwisin, which has been active since at least 2021. Gwisin means “ghost” or “spirit” in Korean. The group uses double extortion tactics. While the threat actor group’s location is unknown, industry researchers speculate the group may be of North Korean nexus.


PolySwarm has a sample of GwisinLocker.


You can use the following CLI command to search for all GwisinLocker samples in our portal:

$ polyswarm link list -f GwisinLocker

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at | Check out our blog | Subscribe to our reports

Topics: Threat Bulletin, Ransomware, GwisinLocker, South Korea

PolySwarm Tech Team

Written by PolySwarm Tech Team

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts