New Ramsay Malware Targets Air-Gapped Systems

Recently, several samples of a new malware toolkit, Ramsay has been discovered. Collecting critical files from computers cut off from the internet, the malware has targeted many organizations to date.

Let’s meet Ramsay!

  • Researchers at ESET, a cybersecurity company, detected one Ramsay sample on the VirusTotal scanning platform, which was uploaded from Japan.
  • Atleast three variants of the malware exist, namely, v1, v2.a, and v2.b. While Ramsay v1 is the least complex, v2.a and v2.b are more elaborate and come with a rootkit component.
  • Ramsay 2.a has spreading capabilities and can infect any portable executable present on targeted drives.
  • According to the research, the less complex versions of the malware are dropped by malicious documents exploiting CVE-2017-0199 and CVE-2017-11882.
  • The lack of spreading functionality in other versions of the malware could hint at targeting specific air-gapped systems and not the entire network.
  • Ramsay’s purpose is to steal files from a compromised host. All the three variants collect every Microsoft Word document on the file system of the target computer and hunt for ZIP ‌ archives and PDF files on network and removable drives.
  • The collected files are encrypted with the RC4 cipher and compressed with WinRAR. Then, a container artifact is generated to hide the files on the system and simplify extraction.

What’s more?

  • Ramsay targets air-gapped systems that are isolated from the internet to stop threat actors from directly communicating with victim systems.
  • Another component of Ramsay exists to pull out data and deliver commands to the local implant.
  • Attackers can compromise an internet-connected system used by an employee to transfer files to a host on an air-gapped network.  

Is there a connection with DarkHotel?

  • ESET discovered some relevance between Ramsay and Retro backdoor used by the DarkHotel threat group. As per the research, Ramsay and Retro backdoor leverage the same API to generate globally unique identifiers (GUIDs) for the impacted systems as well as a similar algorithm to encode it.
  • Besides, both saved a few log files using the same naming convention and used the same open-source tools for privilege escalation and for installing some of their components.
  • However, all this evidence cannot be considered reliable for a connection with DarkHotel.