Gwisin Ransomware Targeting Korean Companies

2022-08-03 AhnLab

https://asec.ahnlab.com/en/37483/


AhnLab reports that Gwisin ransomware is increasingly being used against Korean companies in tailored, company-specific deployments rather than broad opportunistic infection. The malware arrives as an MSI package containing a DLL that only runs its payload when invoked with a specific execution argument known to the attacker; without that argument the sample does nothing, so sandbox detonation and analysts running the file on its own are unlikely to observe any ransomware behavior. Once the argument check passes, Gwisin decrypts embedded shellcode and injects it into a legitimate Windows process such as certreq.exe. It can also register itself as a service and use bcdedit to reboot the host into safe mode, where most third-party security products are not loaded, and perform the encryption there.

Encrypted files receive an extension based on the victim company's name, and the ransom note lists the information the attackers claim to have stolen along with contact details. The report stresses that the anti-malware product on affected hosts may already have been disabled before the ransomware was run, so victims should investigate and close the original intrusion path rather than treating the encryption stage in isolation.
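The behaviors described above (an MSI launched with extra properties, a Windows binary such as certreq.exe spawned by the installer, bcdedit reconfiguring the boot into safe mode, and a service registered under the SafeBoot registry keys) all leave process-creation telemetry. The following Python is an added example, not code or indicators from the AhnLab report: it runs a few detection heuristics over constructed Sysmon-style process-creation records. The command lines, file names, the `ExampleSvc` service name and the `SERIAL=` property are assumptions chosen to exercise the rules, and the parent/child pairing for the injection host is a generic heuristic, not something the report documents.

```python
import re
import shlex

# Constructed sample records in the shape of Sysmon Event ID 1 fields.
# They are illustrative only; none of the values come from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\Public\setup.msi /qn SERIAL=EXAMPLE-VALUE"},
    {"Image": r"C:\Windows\System32\certreq.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"certreq.exe"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "ParentImage": r"C:\Windows\System32\certreq.exe",
     "CommandLine": r"bcdedit /set {default} safeboot network"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\certreq.exe",
     "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ExampleSvc /ve /t REG_SZ /d Service /f"},
    # Benign: the Windows Installer service itself, no custom properties.
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"msiexec.exe /V"},
    # Benign: an administrator using certreq interactively.
    {"Image": r"C:\Windows\System32\certreq.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"certreq.exe -new request.inf"},
]

# Services listed under these keys are started in safe mode.
SAFEBOOT_KEY = re.compile(r"\\SafeBoot\\(Minimal|Network)\\", re.IGNORECASE)
# Public MSI properties are passed as NAME=value tokens on the command line.
MSI_PROPERTY = re.compile(r"^[A-Z_][A-Z0-9_]*=.+$")
# Assumed: binaries the report names as injection targets; extend as needed.
INJECTION_HOSTS = {"certreq.exe"}
# Assumed: parents from which an injection host should not normally be spawned.
SUSPICIOUS_PARENTS = {"msiexec.exe", "rundll32.exe", "regsvr32.exe"}


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(event):
    """Return a list of (rule, severity) findings for one process-creation event."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"]
    try:
        argv = shlex.split(cmd, posix=False)   # keep backslashes literal
    except ValueError:
        argv = cmd.split()
    findings = []
    # bcdedit touching the safeboot option (set or deletevalue) is rare on workstations.
    if image == "bcdedit.exe" and "safeboot" in cmd.lower():
        findings.append(("safe_mode_boot_config", "high"))
    # Registering anything under SafeBoot\Minimal or \Network makes it run in safe mode.
    if image in {"reg.exe", "sc.exe"} and SAFEBOOT_KEY.search(cmd):
        findings.append(("safe_mode_service_registration", "high"))
    # A host process for injection spawned by an installer is an unusual lineage.
    if image in INJECTION_HOSTS and parent in SUSPICIOUS_PARENTS:
        findings.append(("injection_host_from_installer_parent", "medium"))
    # Custom public properties are how an argument reaches a DLL inside an MSI;
    # legitimate installs use them too, so this is only a weak signal.
    if image == "msiexec.exe" and any(MSI_PROPERTY.match(a) for a in argv[1:]):
        findings.append(("msi_with_custom_properties", "low"))
    return findings


def scan(events):
    """Run analyze() over a batch; returns (event index, rule, severity) tuples."""
    return [(i, rule, sev) for i, ev in enumerate(events) for rule, sev in analyze(ev)]


def safe_mode_chain(events):
    """True when both halves of the safe-mode persistence technique are seen together."""
    rules = {rule for _, rule, _ in scan(events)}
    return {"safe_mode_boot_config", "safe_mode_service_registration"} <= rules


if __name__ == "__main__":
    for idx, rule, sev in scan(SAMPLE_EVENTS):
        print(f"[{sev}] event {idx}: {rule}")
    print("safe-mode chain present:", safe_mode_chain(SAMPLE_EVENTS))
```

The two safe-mode rules are the ones worth paging on: a workstation that reconfigures `safeboot` and registers a service under `SafeBoot\Network` in the same session is almost certainly preparing an unattended reboot, and the correlation in `safe_mode_chain` is what turns two individually explainable events into an alert. The msiexec rule is deliberately low severity; its value is as context when the other rules fire, not on its own.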
