Ramsay Malware
A new malware, called Ramsay, can jump air gaps:
ESET said they’ve been able to track down three different versions of the Ramsay malware, one compiled in September 2019 (Ramsay v1), and two others in early and late March 2020 (Ramsay v2.a and v2.b).
Each version was different and infected victims through different methods, but at its core, the malware’s primary role was to scan an infected computer, and gather Word, PDF, and ZIP documents in a hidden storage folder, ready to be exfiltrated at a later date.
Other versions also included a spreader module that appended copies of the Ramsay malware to all PE (portable executable) files found on removable drives and network shares. This is believed to be the mechanism the malware was employing to jump the air gap and reach isolated networks, as users would most likely move the infected executables between the company’s different network layers, and eventually end up on an isolated system.
ESET says that during its research, it was not able to positively identify Ramsay’s exfiltration module, or determine how the Ramsay operators retrieved data from air-gapped systems.
Honestly, I can’t think of any threat actor that wants this kind of feature other than governments:
The researcher has not made a formal attribution as to who might be behind Ramsay. However, Sanmillan said that the malware contained a large number of shared artifacts with Retro, a malware strain previously developed by DarkHotel, a hacker group that many believe to operate in the interests of the South Korean government.
Seems likely.
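The spreader described above works by appending to existing PE files, which leaves a telltale "overlay" (bytes past the end of the last section). The following is an added defensive example, not code from the post or from ESET, that measures that overlay from the PE headers and flags images whose overlay exceeds a threshold; the sample PE images, function names and the 1024-byte threshold are constructed assumptions for illustration.

```python
import struct

def pe_overlay_size(data: bytes) -> int:
    """Bytes present after the last section's raw data (the PE 'overlay').

    A legitimate installer may carry a small overlay; a large overlay on a
    file that previously had none is the mark of append-style infection.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # COFF file header (20 bytes)
    if coff + 20 > len(data):
        raise ValueError("truncated COFF header")
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect = coff + 20 + opt_size                # first section header (40 bytes each)
    end = sect + 40 * num_sections             # at least the headers themselves
    for i in range(num_sections):
        off = sect + 40 * i
        if off + 24 > len(data):
            raise ValueError("truncated section table")
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        end = max(end, ptr_raw + size_raw)
    return max(0, len(data) - end)

def scan_images(images: dict, threshold: int = 1024) -> list:
    """Return [(name, overlay_bytes)] for PE images whose overlay >= threshold."""
    flagged = []
    for name, data in images.items():
        try:
            overlay = pe_overlay_size(data)
        except ValueError:
            continue                           # not a PE file: ignore
        if overlay >= threshold:
            flagged.append((name, overlay))
    return flagged

def build_sample_pe(payload: bytes, overlay: bytes = b"") -> bytes:
    """Constructed test fixture: a minimal one-section PE image (not executable)."""
    e_lfanew, opt_size = 0x40, 0
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40    # first byte after the section table
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0)
    sect = b".text".ljust(8, b"\0") + b"\0" * 16
    sect = sect[:8] + struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_ptr) + sect[8:]
    return dos + b"PE\0\0" + coff + sect + payload + overlay

if __name__ == "__main__":
    clean = build_sample_pe(b"\x90" * 64)
    tainted = build_sample_pe(b"\x90" * 64, b"X" * 4096)   # simulated appended copy
    print(scan_images({"clean.exe": clean, "tainted.exe": tainted}))  # [('tainted.exe', 4096)]
```

Run over a removable drive by reading each file into the dict; a baseline of overlay sizes taken when the drive is clean lets you alert on growth rather than on an absolute threshold.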
Dark_Intel • May 18, 2020 8:58 AM
Ramsay cannot steal files from an air-gapped computer.
I am surprised and sad that even you didn’t notice what the researcher did here to be in headlines and how these media sites also didn’t challenge the claim or ask for any evidence.
The researcher said he found a few samples of malware that don’t do anything extraordinary except copying files from one folder to another and rewriting/infecting executables in connected shares or removable drives, and that are still under development.
Can you find where the researcher provided evidence that suggests this software is designed for air-gap computers rather than being an incomplete piece of work that is supposed to have a C&C module?
“Since it doesn’t want to communicate via the network, it’s tailored for air-gap networks.”
LOL, with that logic, every malware is designed for air-gap networks; doesn’t matter if they have a way to communicate or not.
Even if there’s a separate technique or USB-based malware that could exfiltrate data from a folder, it’s not part of Ramsay’s codebase and counts as a different attack vector.