Ramsay Malware
   HOME

TheInfoList



Click Here for Items Related To - Ramsay Malware
OR:
Ramsay Malware on:   [Wikipedia]   [Google]   [Amazon]

Ramsay, also referred to as Ramsay Malware, is a cyber espionage framework and toolkit that was discovered by ESET Research in 2020. Ramsay is specifically tailored for Windows systems on networks that are not connected to the
internet The Internet (or internet) is the global system of interconnected computer networks that uses the Internet protocol suite (TCP/IP) to communicate between networks and devices. It is a '' network of networks'' that consists of private, pub ...
and that also isolated from intranets of companies, so called air-gapped networks, from which it steals sensitive documents like Word documents after first collecting them in a hidden storage folder. ESET researchers found various versions of the malware, and believe that in May 2020 it was still under development. They numbered the versions Ramsay Version 1, Ramsay Version 2a and Ramsay Version 2b. The very first encounter with the malware was a sample that was uploaded from Japan to VirusTotal. The first version was compiled in September 2019. The last version that they found was most advanced. The discovery of Ramsay was seen as significant as malware is rarely able to target physically isolated devices.


Authorship

While authorship has not been attributed, it has many common artefacts with Retro, a backdoor by hacking entity Darkhotel believed to operate in the interests of
South Korea South Korea, officially the Republic of Korea (ROK), is a country in East Asia, constituting the southern part of the Korean Peninsula and sharing a land border with North Korea. Its western border is formed by the Yellow Sea, while its eas ...
.


Workings of the malware

The three versions of Ramsay that ESET found have different workings. Ramsay version 1 does not include a
rootkit A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the exis ...
, whilst the later versions do. Ramsay version 1 and 2.b exploit CVE-2017-0199, a "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API." Version 2.b also uses exploit CVE-2017-11882 as an attack vector. The way in which Ramsay can spread is via removable media like
USB stick A USB flash drive (also called a thumb drive) is a data storage device that includes flash memory with an integrated USB interface. It is typically removable, rewritable and much smaller than an optical disc. Most weigh less than . Since first ...
s and network shares. In this way, the malware can jump the air gap.


References

{{Reflist


External links


WeLiveSecurity article on Ramsay as saved in the Internet ArchiveESET press release on Ramsay as saved in the Internet Archive
Rootkits Windows trojans Computer security exploits Security breaches Cybercrime Cyberwarfare