Gwisin (귀신) Ransomware Attack Strategy Analysis Report

2022-08-24 SK Shieldus Gwisin ransomware attack strategy analysis report

https://www.skshieldus.com/download/files/download.do?o_fname=%EA%B7%80%EC%8B%A0(Gwisin)%20%EB%9E%9C%EC%84%AC%EC%9B%A8%EC%96%B4%20%EA%B3%B5%EA%B2%A9%20%EC%A0%84%EB%9E%B5%20%EB%B6%84%EC%84%9D%20%EB%A6%AC%ED%8F%AC%ED%8A%B8.pdf&r_fname=20220824150111854.pdf

SK Shieldus analyzes the Gwisin ransomware group as a Korea-focused operation that has targeted domestic medical, pharmaceutical, financial, and other enterprises since 2021, with no confirmed foreign victims at the time of reporting. The report maps the operation onto a cyber attack lifecycle: reconnaissance through Shodan/Censys and credentials acquired on the dark web, initial compromise via exposed services and stolen accounts, foothold establishment, privilege escalation, internal reconnaissance, lateral movement over SMB/SSH/WinRM/WMI, exfiltration through C2 channels, log clearing, and ransomware deployment. It highlights a relatively short average dwell time of about 21 days from initial intrusion to ransomware infection, suggesting an organized, rapid operation. The group's extortion is multi-tiered, offering decryption, a promise not to sell the leaked data, and a vulnerability report in return for payment. Because the report does not publish IoCs, defenders are advised to build their preparation around the group's persistent TTPs rather than around indicators.
