Ramsay, also referred to as Ramsay Malware, is a cyber espionage framework and toolkit that was discovered by
ESET Research in 2020.
Ramsay is specifically tailored for Windows systems on networks that are not connected to the internet and that are also isolated from company intranets, so-called air-gapped networks, from which it steals sensitive documents such as Word documents after first collecting them in a hidden storage folder.
ESET researchers found various versions of the malware, and believed that in May 2020 it was still under development. They numbered the versions Ramsay Version 1, Ramsay Version 2a and Ramsay Version 2b. The very first encounter with the malware was a sample that was uploaded from Japan to VirusTotal. The first version was compiled in September 2019. The last version that they found was the most advanced.
The discovery of Ramsay was seen as significant as malware is rarely able to target physically isolated devices.
Authorship
While authorship has not been attributed, it has many common artefacts with Retro, a backdoor by the hacking entity Darkhotel, which is believed to operate in the interests of South Korea.
Workings of the malware
The three versions of Ramsay that ESET found work differently.
Ramsay version 1 does not include a rootkit, whilst the later versions do.
Ramsay versions 1 and 2b exploit CVE-2017-0199, a "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API."
Version 2b also uses an exploit for CVE-2017-11882 as an attack vector.
Ramsay spreads via removable media such as USB sticks and via network shares. In this way, the malware can jump the air gap.
External links
WeLiveSecurity article on Ramsay as saved in the Internet Archive
ESET press release on Ramsay as saved in the Internet Archive