I. Targeted Industries
- General Businesses
- Government Agencies
- Financial Institutions
- Industrial Manufacturing
- Power Plants
II. Overview
ESET researchers have discovered a previously unreported cyber-espionage toolkit named Ramsay. The malware is built to collect and exfiltrate sensitive documents and has the unusual capability of operating inside air-gapped networks. Malware that can reach into air-gapped networks is rarely seen, because air gapping is regarded as one of the strictest and most effective measures an organization can take to protect sensitive data.
The first instance of this malware was found on VirusTotal, uploaded from Japan, with compilation timestamps from late 2019. That sample led researchers to obtain further components and versions of the toolkit. The malware is believed to still be under development and is evolving with new techniques. Because the framework is being actively developed, and because it targets air-gapped systems, visibility into affected victims is low.
III. Background Information
Ramsay targets air-gapped networks, which makes the toolkit a formidable threat. An air gap is a security measure that physically isolates a computer network from other, potentially unsecured networks, such as the public internet or an unsecured Local Area Network (LAN).
Three versions of Ramsay have been identified, each using a different attack vector and feature set to reach the target system; researchers note that the attack vectors still appear to be undergoing fine-tuning by the threat actors. Version 1 is delivered through malicious documents exploiting CVE-2017-0199. Version 2a impersonates a 7-Zip installer and adds a rootkit and a Spreader component that acts as a file infector, neither of which was present in Version 1. Version 2b is again delivered through malicious documents, this time exploiting the older Microsoft Office vulnerability CVE-2017-11882, but it lacks the Spreader component.
Ramsay also implements several persistence methods, including a scheduled task that survives reboot and the execution of components as service dependencies. Collected data is staged in a hidden location for later exfiltration. The exfiltration technique itself is still under investigation by researchers. Researchers believe the malware is associated with the DarkHotel APT group, since it shares artifacts with DarkHotel's Retro backdoor.
IV. Recommendations
- Malware Monitoring
Continue to monitor for new information and developments concerning this malware.
- Incorporate Known IOCs Into IDS
Incorporate the known IOCs for this malware into your intrusion detection system so that any activity related to the malware is flagged.
- Recommended Link: https://www.us-cert.gov/ncas/tips/ST06-008
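The recommendations above come down to taking a published IOC list and checking your own estate against it. The following Python script is an added example written for this advisory; it is not code from ESET or from the original report. It parses an IOC feed in the common "sha256 description" line format, validates each entry so a malformed line cannot silently become a never-matching indicator, and sweeps a directory tree for files whose SHA-256 matches. The two indicators it ships with are derived from constructed byte strings so that it runs offline; they are not Ramsay hashes and must be replaced with the hashes from the vendor report before real use. On an air-gapped host this is the kind of check that can be carried in on removable media and run without any network access.

```python
"""Offline IOC hash sweep (added example; indicators below are constructed, not real Ramsay IOCs)."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed stand-ins for malicious files. Their SHA-256 digests form the
# sample feed so the example is self-contained; a real feed comes from the
# vendor report and is pasted or loaded in the same "<sha256> <note>" shape.
_CONSTRUCTED_SAMPLES = {
    b"constructed sample A: pretend trojanized installer": "trojanized installer (constructed)",
    b"constructed sample B: pretend dropped agent DLL": "dropped agent DLL (constructed)",
}
IOC_FEED = "# constructed feed, one indicator per line\n" + "\n".join(
    f"{hashlib.sha256(data).hexdigest()} {note}" for data, note in _CONSTRUCTED_SAMPLES.items()
)


def parse_ioc_feed(text: str) -> Dict[str, str]:
    """Parse '<sha256> <description>' lines into {digest: description}.

    Blank lines and '#' comments are ignored. Digests are lower-cased and
    validated as 64 hex characters; anything else raises so a typo in the
    feed is caught at load time rather than producing an indicator that
    can never match.
    """
    hexdigits = set("0123456789abcdef")
    iocs: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, note = line.partition(" ")
        digest = digest.lower()
        if len(digest) != 64 or not set(digest) <= hexdigits:
            raise ValueError(f"line {lineno}: not a SHA-256 hex digest: {digest!r}")
        iocs[digest] = note.strip() or "unlabelled indicator"
    return iocs


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large archives and installers do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, iocs: Dict[str, str]) -> List[Tuple[Path, str, str]]:
    """Walk root and return (path, sha256, description) for each file whose hash is an IOC.

    Symlinks are not followed (os.walk default) and file-level symlinks are
    skipped, so a link pointing outside the tree cannot pull in or hide data.
    Unreadable files are skipped rather than aborting the whole sweep.
    """
    hits: List[Tuple[Path, str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink():
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


def demo() -> List[Tuple[Path, str, str]]:
    """Build a throwaway tree with one matching and one benign file, then sweep it."""
    iocs = parse_ioc_feed(IOC_FEED)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "setup").mkdir()
        (root / "setup" / "7z-setup.exe").write_bytes(
            b"constructed sample A: pretend trojanized installer"
        )
        (root / "notes.txt").write_bytes(b"benign content, should not match")
        return sweep(root, iocs)


if __name__ == "__main__":
    for path, digest, note in demo():
        print(f"HIT {digest} {path} ({note})")
```

A hit here is a starting point for incident response, not a verdict: a hash match identifies a known sample, but the absence of a match says nothing about newer builds of an actively developed toolkit, which is why the monitoring recommendation above matters as much as the IOC feed.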
V. Indicators of Compromise (IOCs)
The link below has been included to assist with downloading the identified IOCs related to this Threat Advisory Report. Be on the lookout for these IOCs, as well as similar artifacts.
VI. References
(1) Cimpanu, Catalin. "New Ramsay Malware Can Steal Sensitive Documents from Air-Gapped Networks." ZDNet, May 13, 2020. https://www.zdnet.com/article/new-ramsay-malware-can-steal-sensitive-documents-from-air-gapped-networks/.
(2) Hashim, Abeerah. "New Ramsay Malware Can Steal Data From Air-Gapped Networks." Latest Hacking News, May 17, 2020. https://latesthackingnews.com/2020/05/17/new-ramsay-malware-can-steal-data-from-air-gapped-networks/.
(3) O'Donnell, Lindsey. "Ramsay Malware Targets Air-Gapped Networks." Threatpost, May 13, 2020. https://threatpost.com/ramsay-malware-air-gapped-networks/155695/.
(4) Sanmillan, Ignacio. "Ramsay: A Cyber-Espionage Toolkit Tailored for Air-Gapped Networks." WeLiveSecurity, May 13, 2020. https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/.