New Ramsay malware can steal sensitive documents from air-gapped networks
Attacking an air-gapped network is difficult, but stealing data from such a network is harder still. There have been instances of hackers and researchers compromising air-gapped computers through sound waves and the power supply, but none of them managed to retrieve data from the air-gapped computer. Now imagine a new malware strain crafted specifically to infect such air-gapped computers and steal data from them. The new poster boy of the malware universe is the Ramsay malware strain. Researchers from cyber-security firm ESET stated today that they have discovered a never-before-seen malware framework with advanced capabilities that are rarely seen.
To understand the new strain of Ramsay malware we have to understand how an air-gapped computer works.
What is an Air-Gapped PC?
An air-gapped PC is a computer, or a system of computers, that never connects to the internet. Such computers also have no means of connecting to any other device that connects to the internet. This makes air-gapped computers desirable in situations involving extremely important information, such as military bases and financial institutions. With no IP address and no outgoing data, these machines can only transmit information through physical media.
Ramsay is the name of a very potent cyber-espionage framework used by cybercriminals to steal data from computers. ESET researchers have discovered a new strain of the malware that appears to be specifically designed to infect air-gapped computers, collect Word and other sensitive documents into a hidden storage container, and then wait for a possible exfiltration opportunity.
“We initially found an instance of Ramsay in VirusTotal. That sample was uploaded from Japan and led us to the discovery of further components and versions of the framework, along with substantial evidence to conclude that this framework is at a developmental stage, with its delivery vectors still undergoing fine-tuning,” said ESET researcher Ignacio Sanmillan.
The number of Ramsay infections observed is low, possibly because the framework is used more for espionage than for infecting businesses.
ESET had discovered the earlier version of Ramsay malware in September 2019 (Ramsay v1), and two other versions in early and late March 2020 (Ramsay v2.a and v2.b).
This is the latest strain they have discovered, and it is specially crafted for air-gapped networks. ESET researchers said the latest strain also appears to be a beta of the final version, with the hackers still tinkering with the code. The researchers said the new Ramsay version uses PDF and ZIP files, in addition to Word documents, for delivery.
While ESET has not been able to determine who the author of the Ramsay malware might be, they say the malware shares a large number of artifacts with Retro, a malware strain previously developed by DarkHotel. DarkHotel is a state-sponsored hacker group of South Korea that mainly operates against its arch-enemy North Korea.