Ramsay Malware Capable of Stealing Sensitive Documents From Air-Gapped Networks
Security researchers at ESET announced they found a malware framework never seen before, one with advanced capabilities. The malware is named Ramsay, a toolkit designed with features aimed at the infection of air-gapped systems, collecting Word and other sensitive documents. The toolkit hides the documents in a storage container, then waits for data exfiltration by its operators.
The discovery of the Ramsay malware bears importance, as malware rarely can infect air-gapped systems. Those are considered the most effective security measures a company may use to safeguard sensitive information.
Table of Contents
Air Gapped Systems as Advanced Security Measures
Air gapped systems are networks isolated from the rest of a company or government network. They are cut off from the public internet to increase security. Air-gapped networks and computers are found on the grounds of government agencies or companies, protecting intellectual property or confidential data. Access to that kind of network is difficult, especially since these systems often require physical interaction and intrusion due to the air gap and lack of connection to any device.
The New Ramsay Malware May Jump the Air Gap
A report published by ESET mentioned they discovered a rare malware strain that was made with the specific goal of jumping the air gap and reaching isolated networks. They were able to track the three separate versions of the Ramsay malware, the first one created in September 2019, the following two in March 2020. Each of the versions was different and infected its targets through a different method. The primary goal of the malware is to scan infected computers, gathering Word, ZIP, and PDF documents in a hidden storage folder, waiting for exfiltration when the opportunity presents itself.
Other versions have a spreader module that appends copies of the malware into all portable executable files on removable drives or network shares. The mechanism of the malware was believed to be employing the air gap and reaching isolated systems, as users were moving infected executables between the layers of different networks. That has likely been the way the Ramsay malware ends up on isolated systems.
The Ramsay Operators Are Still Unknown
ESET said that during the research, it wasn't possible to identify the Ramsay exfiltration module. They were also unable to determine how the Ramsay operators were retrieving data from air-gapped systems. Although that part of the attacks remains unknown, they managed to find an instance of the Ramsay malware uploaded from Japan in VirusTotal, leading to the discovery of its components and versions.
ESET researchers didn't make say who might be behind the Ramsay malware, but they said the malware had shared code with Retro, a malware developed by DarkHotel, a group believed to work in the interest of South Korea's government.