Gwisin Ransomware Attackers' Infiltration and Distribution Methods

2022-11-01 AhnLab Gwisin ransomware attackers' infiltration and distribution methods

https://asec.ahnlab.com/ko/41084/


AhnLab describes Gwisin ransomware intrusions in which attackers compromised externally exposed servers and used them as footholds to distribute ransomware inside victim networks. The report says the actors appeared to scan exposed web servers and attempt SQL injection to steal system credentials, then used web shells and Python reverse shells for access. After compromising Linux systems, they installed Nmap for internal scanning, dumped LSASS memory on Windows systems to obtain credentials, and used reverse connections for internal control. For deployment, the attackers installed IIS on a controlled system, placed Windows and Linux ransomware packages under the web root, and distributed them to internal hosts.

Indicators of Compromise

Type Value First Seen Last Seen
HASH 13eef02d5e5f5543e83ad8c8a8c8ff9a 2022-11-01 2022-11-01
IPv4 158.247.221.23 2022-11-01 2022-11-01
HASH 95237d0c6e6b1822cecca34994c0d273 2022-08-24 2022-11-01
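As an added defensive example (not code from AhnLab or from the report), the following Python scans constructed proxy/firewall log lines for the two patterns the report describes: connections to the published address, and an internal host that suddenly serves executable packages to several peers, the way the attackers' ad-hoc IIS server did. The internal address range, the approved-server list, the package extensions and the client threshold are assumptions; the hashes and IP come from the table above.

```python
import hashlib
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit
# Indicators taken from the report's IoC table on this page.
IOC_MD5 = {"13eef02d5e5f5543e83ad8c8a8c8ff9a", "95237d0c6e6b1822cecca34994c0d273"}
IOC_IPV4 = {"158.247.221.23"}
# Assumptions: the internal address range, which internal hosts may legitimately
# serve software, and how many distinct clients make a download pattern suspicious.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
APPROVED_SERVERS = {"10.0.0.5"}
MIN_CLIENTS = 2
PACKAGE_EXT = re.compile(r"\.(exe|dll|msi|ps1|sh|elf|zip|tar\.gz)$", re.I)

def is_internal(host):
    """True if host is an IP literal inside INTERNAL_NET; hostnames are skipped."""
    try:
        return ipaddress.ip_address(host) in INTERNAL_NET
    except ValueError:
        return False

def detect(lines):
    """Scan constructed log lines of the form 'ts src_ip dst_ip url' ('-' = no URL)."""
    alerts = []
    downloads = defaultdict(set)  # staging host -> internal clients that fetched a package
    for line in lines:
        _ts, src, dst, url = line.split()
        if dst in IOC_IPV4:  # reverse-shell / C2 traffic to the published address
            alerts.append(("ioc_ip", src, dst))
        parts = urlsplit(url)
        host = parts.hostname or ""
        if is_internal(host) and host not in APPROVED_SERVERS and PACKAGE_EXT.search(parts.path):
            downloads[host].add(src)
    for host, clients in sorted(downloads.items()):
        if len(clients) >= MIN_CLIENTS:  # an unapproved web server handing packages to many hosts
            alerts.append(("internal_staging", host, len(clients)))
    return alerts

def file_md5(data):
    return hashlib.md5(data).hexdigest()

def is_ioc_hash(md5_hex):
    return md5_hex.lower() in IOC_MD5

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
2022-11-01T09:58:12 10.0.0.21 158.247.221.23 -
2022-11-01T10:01:03 10.0.0.31 10.0.0.40 http://10.0.0.40/pkg/win/locker.exe
2022-11-01T10:01:09 10.0.0.32 10.0.0.40 http://10.0.0.40/pkg/win/locker.exe
2022-11-01T10:01:15 10.0.0.33 10.0.0.40 http://10.0.0.40/pkg/linux/locker.tar.gz
2022-11-01T10:02:00 10.0.0.34 10.0.0.5 http://10.0.0.5/updates/agent.exe
""".splitlines()
```

Run `detect(SAMPLE_LOG)` to get one alert for the C2 connection and one for the unapproved host 10.0.0.40 serving packages to three clients; `is_ioc_hash(file_md5(data))` checks a recovered file against the published hashes.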
