Gwisin Ransomware Targeting Domestic Korean Companies
2022-07-27 • AhnLab • Gwisin ransomware targeting domestic Korean companies
AhnLab reports a growing number of Gwisin ransomware incidents against Korean companies. The payloads are built for a specific victim organization rather than distributed broadly. Gwisin arrives as an MSI installer, but the embedded DLL only runs its ransomware routine when the installer is launched with specific execution parameters: those parameters serve as key material for the payload, so an automated sandbox that runs the MSI without them observes no encryption behavior. Once the parameters check out, the DLL decrypts its shellcode, injects it into a legitimate Windows process such as certreq.exe, and runs the ransomware entirely in memory, leaving no ransomware executable on disk. Depending on its configuration, Gwisin can also register itself as a service and use bcdedit to configure a Safe Mode boot, so that encryption proceeds after a reboot into Safe Mode, where most endpoint security products do not load. The ransom note is tailored to the victim: it carries a victim-specific file extension string and a list of corporate data the attackers claim to have exfiltrated. AhnLab assesses that the ransomware is deployed only after the attackers have already compromised the internal network and moved laterally, so incident response must establish the initial access vector and the propagation path, not just recover the encrypted hosts, or the attack is likely to recur.
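The execution chain above (parameter-gated msiexec, certreq.exe as the injection host, Safe Mode persistence via bcdedit and a service under the SafeBoot key) can be hunted in process-creation telemetry. The following detection logic is an added example written for this page, not AhnLab's code or Gwisin's actual indicators: the sample events are constructed in a Sysmon Event ID 1 style, the MSI property name INSTALLKEY and the service name are placeholders, and the rule that flags any msiexec command line carrying a public property (NAME=value) is a deliberately broad triage heuristic, since legitimate installers also pass properties such as INSTALLDIR=.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    ts: str       # ISO-8601 timestamp
    parent: str   # parent process image path
    image: str    # process image path
    cmdline: str  # full command line


def base(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


# MSI public properties are passed as NAME=value on the msiexec command line. A
# parameter-gated installer like Gwisin's needs them, but so do benign installers,
# so this rule is a triage signal to correlate, not proof on its own.
MSI_PROPERTY = re.compile(r"(^|\s)[A-Z][A-Z0-9_]{2,}=\S+")
SAFEBOOT_BCD = re.compile(r"\bsafeboot\b", re.I)
SAFEBOOT_KEY = re.compile(r"\\SafeBoot\\(Minimal|Network)\\", re.I)
# certreq.exe is a signed Windows binary; these parents have no reason to launch it.
UNUSUAL_CERTREQ_PARENTS = {"msiexec.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "mshta.exe"}


def rule_msi_properties(e: ProcEvent) -> Optional[str]:
    if base(e.image) == "msiexec.exe" and MSI_PROPERTY.search(e.cmdline):
        return "msiexec with custom public property (possible key-gated installer)"
    return None


def rule_certreq_parent(e: ProcEvent) -> Optional[str]:
    if base(e.image) == "certreq.exe" and base(e.parent) in UNUSUAL_CERTREQ_PARENTS:
        return f"certreq.exe spawned by {base(e.parent)} (injection host candidate)"
    return None


def rule_safeboot(e: ProcEvent) -> Optional[str]:
    img = base(e.image)
    if img == "bcdedit.exe" and SAFEBOOT_BCD.search(e.cmdline):
        return "bcdedit sets safeboot (next boot enters Safe Mode)"
    # Only services listed under SafeBoot\Minimal or SafeBoot\Network start in Safe Mode.
    if img == "reg.exe" and SAFEBOOT_KEY.search(e.cmdline):
        return "service registered under SafeBoot key (will run in Safe Mode)"
    return None


RULES = (rule_msi_properties, rule_certreq_parent, rule_safeboot)


def detect(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (timestamp, finding) per matching event, plus one 'chain' finding when the
    hits link up: msiexec -> certreq.exe -> Safe Mode configuration by a certreq.exe child."""
    findings: List[Tuple[str, str]] = []
    certreq_under_installer = False
    chain = False
    for e in events:
        for rule in RULES:
            hit = rule(e)
            if hit:
                findings.append((e.ts, hit))
        if base(e.image) == "certreq.exe" and base(e.parent) == "msiexec.exe":
            certreq_under_installer = True
        if certreq_under_installer and base(e.parent) == "certreq.exe" and rule_safeboot(e):
            chain = True
    if chain:
        findings.append(("chain", "msiexec -> certreq.exe -> Safe Mode persistence: treat as ransomware staging"))
    return findings


# Constructed sample telemetry (not real Gwisin data). Events 1-4 model the chain described
# in the report; events 5-7 are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    ProcEvent("2022-07-20T01:12:03", r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\Public\update.msi INSTALLKEY=5f3a9c /qn"),
    ProcEvent("2022-07-20T01:12:05", r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\certreq.exe",
              r"certreq.exe"),
    ProcEvent("2022-07-20T01:12:09", r"C:\Windows\System32\certreq.exe", r"C:\Windows\System32\bcdedit.exe",
              r"bcdedit /set {default} safeboot network"),
    ProcEvent("2022-07-20T01:12:10", r"C:\Windows\System32\certreq.exe", r"C:\Windows\System32\reg.exe",
              r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\svcname /ve /d Service /f"),
    ProcEvent("2022-07-20T02:00:00", r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\alice\Downloads\7z2201-x64.msi /qn"),
    ProcEvent("2022-07-20T02:05:00", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certreq.exe",
              r"certreq -submit -config CA01\CorpCA request.req cert.cer"),
    ProcEvent("2022-07-20T02:06:00", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\bcdedit.exe",
              r"bcdedit /enum"),
]

if __name__ == "__main__":
    for ts, finding in detect(SAMPLE_EVENTS):
        print(ts, finding)
```

The chain finding is the one worth paging on: any single rule is noisy on its own, but an installer spawning certreq.exe whose children then rewrite the boot configuration matches the staging behavior the report describes and, per AhnLab's assessment, means the attacker already holds an internal foothold, so the response scope is the network, not the one host.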