Gwisin ransomware targeting Korean companies (Linux version)

2022-08-24 Cyberone Ghost ransomware targeting Korean companies (Linux ver)

https://www.cyberone.kr/news-trends-detail?id=92304&page=1


CyberOne analyzed the Linux version of Gwisin ransomware, a ransomware family reported to target Korean companies and to include victim-specific ransom notes warning against reporting to KISA. The sample stores RC4-encrypted JSON configuration that defines excluded directories, services to terminate, ransom-note names, priority encryption paths, and targeted data locations such as database, web, Docker, and enterprise application directories. Command-line options can shut down ESXi VMs, terminate services, delay execution, encrypt selected paths, include normally excluded ESXi-related files, create marker files, or self-delete after encryption. The malware creates and locks a hardcoded file under /tmp to prevent duplicate execution, changes encrypted file extensions to a victim-specific value, and leaves ransom notes in encrypted directories.

Indicators of Compromise

Type   Value                                First Seen   Last Seen
HASH   95237d0c6e6b1822cecca34994c0d273     2022-08-24   2022-11-01
HASH   f1bdb5151f24b175d4778052d072061…     2022-08-24   2022-08-24
HASH   89958dbdb557286ad4d6cbf433b7205…     2022-08-24   2022-08-24
