The cyber-security firm ESET has released details of a newly discovered malware toolkit that can steal files from even the most tightly secured networks. Dubbed Ramsay, the toolkit is designed to target air-gapped networks, which governments and organizations use to process their most sensitive information. Air-gapped computers are machines isolated from the rest of the network and without Internet access, which is why sensitive documents tend to be stored on them; government agencies in particular use air-gapped devices for top-secret and classified material.

Ramsay collects Word and other document files into a hidden storage container and then waits for the right moment to exfiltrate them. It is most likely carried onto the air-gapped network on USB drives or other portable storage that employees use to move files between Internet-connected computers and the secure machines. One sample of Ramsay was disguised as a fake installer for the 7zip software; other samples were delivered through malicious Rich Text Format (RTF) documents. Ramsay's ability to bridge an air gap is rare; few malware families have it.

Researchers first found a sample of the malware on VirusTotal, uploaded from Japan, which led them to further components and versions of the framework. ESET states that the malware is still under development and that they have not yet been able to identify the document exfiltration capability within it. No formal attribution has been made, but researchers noted a large number of similarities to Retro, a malware family linked to DarkHotel, a group operating in South Korea.
By Anthony Zampino

Introduction

Leading up to the most recent Russian invasion of Ukraine in