Security News > 2022 > August > New GwisinLocker ransomware encrypts Windows and Linux ESXi servers
A new ransomware family called 'GwisinLocker' targets South Korean healthcare, industrial, and pharmaceutical companies with Windows and Linux encryptors, including support for encrypting VMware ESXi servers and virtual machines.
On Wednesday, Korean cybersecurity experts at Ahnlab published a report on the Windows encryptor, and yesterday, security researchers at ReversingLabs published their technical analysis of the Linux version.
When GwisinLocker encrypts Windows devices, the infection begins with the execution of an MSI installer file, which requires special command line arguments to properly load the embedded DLL that acts as the ransomware encryptor.
For the Linux version analyzed by ReversingLabs, the encryptor focuses strongly on encrypting VMware ESXi virtual machines, including two command-line arguments that control how the Linux encryptor will encrypt virtual machines.
Unless the -sf command-line argument is used, the Linux ransomware will also exclude specific VMware ESXi related files to prevent the server from becoming unbootable.
Finally, the ransomware terminates several Linux daemons before initiating encryption to make their data available for the locking process.
News URL
Related news
- New VanHelsing ransomware targets Windows, ARM, ESXi systems (source)
- RedCurl cyberspies create ransomware to encrypt Hyper-V servers (source)
- Over 37,000 VMware ESXi servers vulnerable to ongoing attacks (source)
- Like whitebox servers, rent-a-crew crime 'affiliates' have commoditized ransomware (source)
- VanHelsing ransomware emerges to put a stake through your Windows heart (source)
- Recent Windows Server 2025 updates cause Remote Desktop freezes (source)
- Outlaw Group Uses SSH Brute-Force to Deploy Cryptojacking Malware on Linux Servers (source)
- Microsoft: Windows CLFS zero-day exploited by ransomware gang (source)
- Microsoft fixes auth issues on Windows Server, Windows 11 24H2 (source)
- Bad luck, Windows 10 users. No fix yet for ransomware-exploited bug (source)