Threat Watch

Ramsay Malware Stealing Sensitive Documents From Air-gapped Networks

The cyber-security firm ESET released information on a newly discovered malware threat that can steal files from even the highest security networks. Dubbed Ramsay, the toolkit has been designed to target air-gapped networks, which are used by governments and organizations to process the most sensitive information. Air-gapped computers are machines that are isolated from the rest of the network and do not have access to the Internet, which is why people tend to store sensitive documents on them. In particular, government agencies tend to use air-gapped devices to store top-secret and classified documents. The malware can steal Word and other document files in a hidden storage container then wait for the right time to exfiltrate the documents. The malware is most likely deployed on USB drives or other portable storage that employees use to transfer files between computers that are connected to the Internet and secure computers on the air-gapped network. One sample of Ramsay was disguised in a fake installer for the 7zip software. Other samples were delivered through malicious Rich Text Format (RTF) documents. The capabilities of Ramsay to jump the air-gap are rare—not many types of malware have this ability. Researchers originally found a sample of the malware through VirusTotal that was uploaded from Japan which then led researchers to find further components and versions of the framework. ESET stated that this malware is still in the developmental stage and they have not been able to identify the document exfiltration capability within it. No formal attribution has been linked to this newly discovered malware, but researchers did state that there are a large number of similarities to Retro, a malware that has been linked to DarkHotel, a group operating in South Korea.


The authors behind Ramsay are still making changes and improvements to the malware, which will make it difficult for defenders to identify it with anti-virus products that rely on pattern matching. It is important that anyone who uses air-gapped networks to protect sensitive data to realize that there are malware types that can infect those devices, and they are not completely secure. Putting a strategy in place which identifies attacker behaviors to detect intrusions such as the Binary Defense MDR service is a great step in better-protecting devices on the network as a whole. The malware’s persistence and spreading mechanisms are two examples of behavior that can be detected through endpoint monitoring and analysis. One of the vulnerabilities that the malicious RTF files used to install Ramsay (CVE-2017-11882) exists in older versions of Microsoft Office, indicating that the threat actors behind the malware know that the organizations they target are using outdated software on their air-gapped networks. Keeping software up-to-date and patched is critically important, even for systems that don’t connect to the Internet. In the coming months, it is likely that more information will be released on Ramsay as new versions are found and analyzed.

More can be read at:
Host-based Indicators of Compromise can be found at: