{
	"id": "240e44d3-f348-4239-8019-8c154d984361",
	"created_at": "2026-04-06T01:31:02.833458Z",
	"updated_at": "2026-04-10T13:13:01.170466Z",
	"deleted_at": null,
	"sha1_hash": "89bd702fa3a7a8bfc818b67abd547163a08edd5f",
	"title": "Gwisin Ransomware Targeting Korean Companies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1598121,
	"plain_text": "Gwisin Ransomware Targeting Korean Companies\r\nBy ATCP\r\nPublished: 2022-07-26 · Archived: 2026-04-06 01:02:15 UTC\r\nCases of Gwisin ransomware attacking Korean companies have recently been on the rise. It is distributed against\r\nspecific, chosen companies. Like Magniber, it is delivered as an MSI installer. Unlike Magniber, which targets random\r\nindividuals, Gwisin performs no malicious behavior on its own: it requires a specific value to be passed as an execution\r\nargument, and that value serves as key material for running the DLL file embedded in the MSI.\r\nBecause the file does nothing without that argument, it shows no ransomware activity in the sandbox environments of\r\nsecurity products, which makes Gwisin difficult to detect. The ransomware's internal DLL runs by being injected into a\r\nlegitimate Windows process, and the process chosen differs for each infected company.\r\nThe characteristics of Gwisin identified so far are as follows.\r\n(1) Distributed as an MSI installer file\r\n(2) Uses the argument values passed when the MSI is run to run the internal DLL\r\n(3) Performs ransomware behaviors after being injected into a Windows system process\r\n(4) Contains the infected company's information inside the DLL (displayed in the ransom note)\r\n(5) Supports encrypting files in safe mode\r\nWhen the MSI file is run, it calls the export function update() of the internal ransomware DLL. The function checks the\r\nexecution argument and does nothing if the value is not the expected one.\r\nhttps://asec.ahnlab.com/en/37483\r\nPage 1 of 4\r\nAt the moment of encryption, the ransomware is executed with the following arguments (parts of the arguments are\r\nmasked).\r\n\u003e msiexec /qn /i C:\\ProgramData\\*****.msi SERIAL=463f********7ce7 LICENSE=7f21********5071 SMM=0 ORG=***\r\nAmong the arguments required to run Gwisin, SMM can have a value of 0 or 1. 
Normally, if the value is 0, the\r\nfile-encryption routine runs directly. If SMM is 1, the ransomware installs itself so that it runs in safe mode: it first copies\r\nitself to a path under ProgramData and registers itself as a service, then uses bcdedit to set the boot option to safe mode\r\nand forcibly reboots the computer after 5 seconds. After the system reboots in safe mode, the registered service starts\r\nencrypting files. The registered service's command line passes SMM=0, so once safe mode is up the service takes the normal\r\nencryption path.\r\nService Name: a35f23725b5feab2\r\nCommand: \u003e msiexec /qn /i C:\\ProgramData\\*****.msi SERIAL=463f********7ce7 LICENSE=7f21********5071 SMM=0 ORG\r\n(Registered service)\r\nOnce argument verification completes, the ransomware decrypts its internal shellcode using the arguments. It then\r\nlaunches the legitimate program “certreq.exe” and injects the decrypted shellcode into it. The injected shellcode finally\r\ndecrypts Gwisin and runs it in memory (besides “certreq.exe”, various legitimate Windows processes are used to run the\r\nransomware).\r\nAfter encrypting files, the ransomware changes the file extension to the name of the targeted company.\r\nEach folder chosen for encryption receives a ransom note. The note's file name also contains the extension string, for\r\nexample “!!!_HOW_TO_UNLOCK_******_FILES_!!!.TXT”. The note lists the stolen information and contact details.\r\nIn the Gwisin cases, anti-malware products were neutralized before the infection process began. V3 products block\r\nGwisin at the injection stage through behavior-based detection, so the ‘Behavior-based Detection’ option must be\r\nenabled.\r\nBecause the ransomware is installed and executed on many systems only after the attacker has gained control of the\r\ninternal systems, companies must analyze how the initial infection happened. 
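The behaviors described above (msiexec launched with the SERIAL/LICENSE/SMM public properties, SMM=1 staging, bcdedit switching the boot entry to safe mode, a service whose command is that msiexec line, and certreq.exe spawned by msiexec) map directly onto process-creation and service-install telemetry. The following Python is an added detection example, not AhnLab's code and not the report's IOCs: it scores constructed Sysmon-style process events and a System-log-style service-install event against those behaviors. The sample events, the MSI file name sample.msi, the exact bcdedit syntax and the certreq-as-child-of-msiexec pairing are assumptions; the report only states that the MSI sits under ProgramData, that bcdedit sets safe mode, and that the DLL injects into certreq.exe.

```python
import ntpath
from dataclasses import dataclass

# Added example, not AhnLab's code. Events are constructed in a Sysmon-like shape;
# the masked property values mirror the report's redactions, and the MSI file name,
# the bcdedit syntax and the certreq parent/child pairing are assumptions.

@dataclass
class ProcEvent:
    image: str      # full path of the created process
    parent: str     # full path of the parent process
    cmdline: str    # full command line

@dataclass
class ServiceEvent:
    name: str        # service name (System log event 7045 shape)
    image_path: str  # command the Service Control Manager will run

# Public MSI properties the report shows on Gwisin's msiexec command line.
REQUIRED_PROPS = ('SERIAL', 'LICENSE', 'SMM')

def msi_properties(cmdline):
    '''Return the PROPERTY=value pairs on an msiexec command line, keys upper-cased.'''
    props = {}
    for tok in cmdline.split():
        key, sep, val = tok.partition('=')
        if sep and key.isalnum():
            props[key.upper()] = val
    return props

def basename(path):
    return ntpath.basename(path).lower()

def classify(ev):
    '''Return the Gwisin-related behaviours a process event matches (empty if none).'''
    tags = []
    image, parent = basename(ev.image), basename(ev.parent)
    lower = ev.cmdline.lower()
    tokens = lower.split()

    # msiexec /i carrying the gating properties; SMM=1 is the safe-mode staging run.
    if image == 'msiexec.exe' and '/i' in tokens:
        props = msi_properties(ev.cmdline)
        if all(p in props for p in REQUIRED_PROPS):
            tags.append('msi_gated_install')
            if props.get('SMM') == '1':
                tags.append('safe_mode_staging')
            if 'programdata' in lower:
                tags.append('msi_from_programdata')

    # bcdedit switching the boot entry to safe mode (the exact option is an assumption).
    if image == 'bcdedit.exe' and '/set' in tokens and 'safeboot' in lower:
        tags.append('bcdedit_safeboot')

    # Heuristic: the DLL runs inside msiexec, so the certreq.exe it injects into
    # should show up as a child of msiexec.exe.
    if image == 'certreq.exe' and parent == 'msiexec.exe':
        tags.append('certreq_spawned_by_msiexec')
    return tags

def classify_service(svc):
    '''Flag a new service whose command is Gwisin's msiexec line (the report's service table).'''
    cmd = svc.image_path
    if 'msiexec' in cmd.lower() and all(p in msi_properties(cmd) for p in REQUIRED_PROPS):
        return ['service_wraps_msiexec']
    return []

def scan(procs, services):
    '''Map each matching event to its tags; events with no tags are dropped.'''
    hits = {}
    for ev in procs:
        tags = classify(ev)
        if tags:
            hits[ev.cmdline] = tags
    for svc in services:
        tags = classify_service(svc)
        if tags:
            hits['service:' + svc.name] = tags
    return hits

# Constructed sample telemetry (not from the report).
SYS32 = 'C:\\Windows\\System32'
GATED = 'msiexec /qn /i C:\\ProgramData\\sample.msi SERIAL=463f********7ce7 LICENSE=7f21********5071 SMM={} ORG=***'
SAMPLE_PROCS = [
    ProcEvent(ntpath.join(SYS32, 'msiexec.exe'), ntpath.join(SYS32, 'cmd.exe'), GATED.format(1)),
    ProcEvent(ntpath.join(SYS32, 'bcdedit.exe'), ntpath.join(SYS32, 'msiexec.exe'),
              'bcdedit /set {default} safeboot minimal'),
    ProcEvent(ntpath.join(SYS32, 'certreq.exe'), ntpath.join(SYS32, 'msiexec.exe'), 'certreq.exe'),
    ProcEvent(ntpath.join(SYS32, 'msiexec.exe'), ntpath.join(SYS32, 'services.exe'), GATED.format(0)),
    # benign silent install without the gating properties
    ProcEvent(ntpath.join(SYS32, 'msiexec.exe'), 'C:\\Windows\\explorer.exe',
              'msiexec /qn /i C:\\Setup\\pkg.msi ALLUSERS=1'),
]
SAMPLE_SERVICES = [ServiceEvent('a35f23725b5feab2', GATED.format(0))]

if __name__ == '__main__':
    for key, tags in scan(SAMPLE_PROCS, SAMPLE_SERVICES).items():
        print(key, '->', ', '.join(tags))
```

The rules match on property names rather than values, since the values are per-victim and masked in the report; they are hunting logic, not a signature, and an operator can rename the properties. Command-line matching needs Sysmon Event ID 1 or Security 4688 with command-line auditing enabled, and the service rule needs System log event 7045 (service creation through the API leaves no sc.exe process event).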
If the cause of the infection is not identified after a breach,\r\nanother ransomware may infect the system later and cause a similar incident.\r\n[File Detection]\r\n– Ransomware/Win.Gwisin.C5214965 (2022.07.27.03)\r\n[Behavior Detection]\r\n– Injection/MDP.Event.M4387 (2022.07.28.00)\r\nRelated IOCs and detailed analysis are available to AhnLab TIP subscribers.\r\nSource: https://asec.ahnlab.com/en/37483",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/37483"
	],
	"report_names": [
		"37483"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439062,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/89bd702fa3a7a8bfc818b67abd547163a08edd5f.pdf",
		"text": "https://archive.orkl.eu/89bd702fa3a7a8bfc818b67abd547163a08edd5f.txt",
		"img": "https://archive.orkl.eu/89bd702fa3a7a8bfc818b67abd547163a08edd5f.jpg"
	}
}