New Ramsay malware can steal sensitive documents from air-gapped networks

Ramsay can infect air-gapped computers, collect Word, PDF, and ZIP files in a hidden folder, and then wait for exfiltration.
Written by Catalin Cimpanu, Contributor
Image: ESET (supplied)

Researchers from cyber-security firm ESET announced today that they discovered a never-before-seen malware framework with advanced capabilities that are rarely seen today.

Named Ramsay, ESET says this malware toolkit appears to have been designed with features to infect air-gapped computers, collect Word and other sensitive documents in a hidden storage container, and then wait for a possible exfiltration opportunity.

The Ramsay discovery is an important one because we rarely see malware that contains the capability to jump the air gap, considered the most strict and effective security protection measure that companies can take to safeguard sensitive data.

What are air-gapped networks

Air-gapped systems are computers or networks that are isolated from the rest of a company's network and cut off from the public internet.

Air-gapped computers/networks are often found on the networks of government agencies and large enterprises, where they usually store top-secret documents or intellectual property.

Getting access to an air-gapped network is often considered the Holy Grail of any security breach, as these systems are often impossible to breach due to the air gap (lack of any connection to nearby devices).

New Ramsay malware can jump the air gap

In a report published today, ESET said it discovered a rare malware strain that appears to have been specifically developed to jump the air gap and reach isolated networks.

ESET said they've been able to track down three different versions of the Ramsay malware, one compiled in September 2019 (Ramsay v1), and two others in early and late March 2020 (Ramsay v2.a and v2.b).

Each version was different and infected victims through different methods, but at its core, the malware's primary role was to scan an infected computer, and gather Word, PDF, and ZIP documents in a hidden storage folder, ready to be exfiltrated at a later date.

Other versions also included a spreader module that appended copies of the Ramsay malware to all PE (portable executable) files found on removable drives and network shares. This is believed to be the mechanism the malware was employing to jump the air gap and reach isolated networks, as users would most likely moved the infected executables between the company's different network layers, and eventually end up on an isolated system.

ESET says that during its research, it was not able to positively identify Ramsay's exfiltration module, or determine how the Ramsay operators retrieved data from air-gapped systems.

However, while this aspect of the attacks remains unknown, real-world have apparently taken place.

"We initially found an instance of Ramsay in VirusTotal," said ESET researcher Ignacio Sanmillan. "That sample was uploaded from Japan and led us to the discovery of further components and versions of the framework."

The researcher has not made a formal attribution as who might be behind Ramsay. However, Sanmillan said that the malware contained a large number of shared artifacts with Retro, a malware strain previously developed by DarkHotel, a hacker group that many believe to operate in the interests of the South Korean government.


Ramsay-Retro code similarities

Image: ESET

The world's most famous and dangerous APT (state-developed) malware

Editorial standards