Ransomware Attacks Demanding Payments Confirmed Against South Korean SMEs | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware

Police Issue First Official Security Advisory Through Interagency Collaboration
Attackers Target IT Maintenance Firms, Then Reinfect Client Companies

A new type of ransomware attack demanding payments has been identified, targeting small and medium-sized enterprises (SMEs) in South Korea.

The National Police Agency, the Ministry of SMEs and Startups, and the Korea Internet & Security Agency (KISA) released threat intelligence on ransomware attacks on April 16, 2026. It was found that attackers are distributing two types of ransomware: ‘Midnight’ and ‘Endpoint’. These ransomware programs are characterized by first compromising IT system integration and maintenance companies, and then using their access to infect client companies.

According to the police, the attackers send malicious emails disguised as requests for quotations, job applications, or consulting inquiries to IT integration or maintenance companies to infiltrate their internal systems. If the victim executes the attached file, remote control malware is installed, resulting in the leakage of internal and account information. Subsequently, the attacker uses the stolen information to send additional malicious emails impersonating the compromised IT company to client companies. Through this, the attacker gains access to the client company’s internal systems and then distributes ransomware.

This ransomware is particularly notable for not only encrypting files, but also stealing internal data in advance and demanding payment—a so-called “double extortion” attack. This strategy is assessed as increasing the negotiation pressure on victim companies by threatening to leak the stolen data externally.

To date, most of the affected companies have been identified as small manufacturing businesses. However, cases have also been confirmed in the distribution, energy, and public sectors, so the police have advised that all industries should exercise special caution.

This joint response marks the first time the National Police Agency has issued an official security advisory based on interagency cooperation. The move reflects the growing need for a proactive and preventive approach amid the rising incidence of large-scale hacking and cybercrimes targeting information and communications networks. The police have identified high-risk sectors and major threat factors, and have established a joint response system with the Ministry of SMEs and Startups and other relevant agencies to prevent further crime.

The National Police Agency and KISA have prepared and distributed a security advisory to relevant institutions and companies, outlining attack techniques, types of malicious emails, and measures for crime prevention and response. In the event of suspected ransomware infection, they urge not to contact the attacker directly, but to promptly report the incident to the police or KISA for immediate assistance.

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.