
gwisin

ACTIVE

ransomware group

Gwisin is a targeted ransomware group first publicly reported in July 2022 and believed to operate primarily against organizations in South Korea. The name means "ghost" in Korean, a reference to the group's stealthy approach. Gwisin has been observed attacking critical sectors, including healthcare, pharmaceutical, and manufacturing organizations. It uses custom-built payloads tailored to each victim, capable of encrypting both Windows and Linux/VMware ESXi environments, and often launches attacks during national holidays to maximize operational disruption. Gwisin follows a double-extortion model, exfiltrating sensitive data before encryption, and its ransom notes are written in Korean. Initial access vectors are not fully confirmed in open-source reporting; suspected methods include exploitation of vulnerable VPN appliances and use of stolen administrative credentials. The group is known for extensive pre-encryption reconnaissance to identify high-value systems and backups.

Victims

0

First Seen

Dec 9, 2024

Last Active

Apr 13, 2026

Victims (0)

No victims recorded

Infrastructure

leak site
OFFLINE
http://gwisin4yznpdtzq424i3la6oqy5evublod4zbhddzuxcnr34kgfokwad.onion/

never crawled