TTPs #8: Operation GWISIN - Analysis of customized ransomware attack strategies
2022-08-17 • KRCERT • TTPs #8: Operation GWISIN - Analysis of customized ransomware attack strategies
https://thorcert.notion.site/TTPs-8-Operation-GWISIN-c3483353d20241b3a313fa4a8726302a
KISA/KrCERT’s Operation GWISIN report analyzes customized ransomware intrusions against Korean organizations through an ATT&CK-style TTP lens rather than simple IOC lists. The source describes GWISIN operators as showing strong knowledge of victim businesses, Korean security products, domestic investigative bodies, and ISMS-P, with ransom artifacts customized to specific companies. The mapped tradecraft includes public-facing application exploitation, command execution, service execution, safe-mode persistence, Msiexec proxy execution, process injection into certrep.exe, log and artifact removal, credential access against LSASS, SMB/WinRM lateral movement, web-shell or internal-proxy C2, exfiltration, data destruction, service stopping, and recovery inhibition. The report emphasizes that defenders must understand the intrusion path and attacker TTPs to prevent repeated ransomware deployment against similarly prepared targets.