Ramsay Malware

Ramsay, also referred to as Ramsay Malware, is a cyber espionage framework and toolkit that was discovered by ESET Research in 2020.

Ramsay is specifically tailored for Windows systems on networks that are not connected to the internet and that also isolated from intranets of companies, so called air-gapped networks, from which it steals sensitive documents like Word documents after first collecting them in a hidden storage folder.

ESET researchers found various versions of the malware, and believe that in May 2020 it was still under development. They numbered the versions Ramsay Version 1, Ramsay Version 2a and Ramsay Version 2b. The very first encounter with the malware was a sample that was uploaded from Japan to VirusTotal. The first version was compiled in September 2019. The last version that they found was most advanced.

The discovery of Ramsay was seen as significant as malware is rarely able to target physically isolated devices.

Authorship
While authorship has not been attributed, it has many common artefacts with Retro, a backdoor by hacking entity Darkhotel believed to operate in the interests of South Korea.

Workings of the malware
The three versions of Ramsay that ESET found have different workings.

Ramsay version 1 does not include a rootkit, whilst the later versions do.

Ramsay version 1 and 2.b exploit CVE-2017-0199, a "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API."

Version 2.b also uses exploit CVE-2017-11882 as an attack vector.

The way in which Ramsay can spread is via removable media like USB sticks and network shares. In this way, the malware can jump the air gap.