May 18

Ramsay Malware


A new malware, known as Ramsay, can jump air gaps:

ESET said it was able to identify three different versions of the Ramsay malware, one compiled in September 2019 (Ramsay v1), and two others in early and late March 2020 (Ramsay v2.a and v2.b).

Each version was different and infected victims through different methods, but at its core, the malware's primary role was to scan an infected computer and collect Word, PDF, and ZIP documents in a hidden storage folder, ready to be exfiltrated at a later date.

Other versions also included a spreader module that appended copies of the Ramsay malware to all PE (portable executable) files found on removable drives and network shares. This is believed to be the mechanism the malware was using to jump the air gap and reach isolated networks, as users would most likely move the infected executables between the company's different network layers and eventually end up on an isolated system.

ESET says that during its research, it was unable to positively identify Ramsay's exfiltration module, or determine how the Ramsay operators retrieved data from air-gapped systems.

Honestly, I can't think of any threat actor that wants this sort of feature other than governments:

The researchers have not made a formal attribution as to who may be behind Ramsay. However, Sanmillan said that the malware contained a large number of shared artifacts with Retro, a malware strain previously developed by DarkHotel, a hacker group that many believe to operate in the interests of the South Korean government.

Seems likely.
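The spreader behaviour quoted above (appending the malware to existing PE files on removable drives and shares) leaves a generic trace that a defender can hunt for: bytes sitting past the end of the last section of a PE image, usually called the overlay. The following Python script is an added example for this post, not code from ESET, ZDNet or the Ramsay samples. It parses just enough of the PE header (per the public PE/COFF layout) to find where the last section's raw data ends, reports any file on a mounted drive or share that has data beyond that point, and separates overlays that are exactly the Authenticode certificate table from everything else. The sample PE it scans in the test is constructed in memory; treat a hit as a triage candidate, not a verdict, because installers and self-extracting archives legitimately carry overlays too.

```python
"""Overlay hunt for PE files on removable media or network shares.

Added illustration, not Ramsay's own code or ESET's detection logic.
A file-infector that appends itself to PE files produces an overlay;
Authenticode signatures and installer payloads produce overlays as well,
so this is a triage filter, not a signature.
"""
import os
import struct
from typing import Iterator, Optional, Tuple

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
SECTION_HEADER_SIZE = 40


def pe_overlay_offset(data: bytes) -> Optional[int]:
    """Return the file offset where the overlay starts, or None when the
    buffer is not a well-formed PE or has no data past its last section."""
    if len(data) < 64 or data[:2] != IMAGE_DOS_SIGNATURE:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        return None
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    #   Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    #   NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    size_opt, = struct.unpack_from("<H", data, e_lfanew + 20)
    sect_table = e_lfanew + 24 + size_opt
    end_of_image = 0
    for i in range(num_sections):
        off = sect_table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            return None
        # Section header: Name(8) VirtualSize(4) VirtualAddress(4)
        #   SizeOfRawData(4) PointerToRawData(4) ...
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        end_of_image = max(end_of_image, ptr_raw + size_raw)
    if end_of_image == 0:  # no section carries raw data; headers only
        end_of_image = sect_table + num_sections * SECTION_HEADER_SIZE
    return end_of_image if end_of_image < len(data) else None


def classify_overlay(data: bytes) -> str:
    """'none', 'authenticode' (overlay is exactly the certificate table
    named by data directory 4) or 'unknown' (worth a closer look)."""
    start = pe_overlay_offset(data)
    if start is None:
        return "none"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", data, opt)
    dd = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ directories
    if dd + 40 > len(data):
        return "unknown"
    sec_off, sec_size = struct.unpack_from("<II", data, dd + 4 * 8)
    if sec_off == start and sec_off + sec_size == len(data):
        return "authenticode"
    return "unknown"


def scan_tree(root: str) -> Iterator[Tuple[str, int, int, str]]:
    """Walk a mounted drive or share; yield (path, offset, size, kind) for
    every PE file that carries an overlay."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue
            if data[:2] != IMAGE_DOS_SIGNATURE:
                continue
            kind = classify_overlay(data)
            if kind != "none":
                off = pe_overlay_offset(data)
                yield path, off, len(data) - off, kind


def build_minimal_pe(overlay: bytes = b"", signed: bool = False) -> bytes:
    """Constructed sample: a 1024-byte PE32 image with one section, followed
    by `overlay`. With `signed`, the security data directory is pointed at
    the overlay so it looks like an Authenticode certificate table."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 1024, len(overlay))
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = (dos + IMAGE_NT_SIGNATURE + file_hdr + bytes(opt) + sect).ljust(0x200, b"\0")
    return headers + b"\x90" * 0x200 + overlay


if __name__ == "__main__":
    import sys
    for path, off, size, kind in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind:12} overlay of {size} bytes at 0x{off:x}  {path}")
```

Run it against the mount point of a USB stick or a share (`python overlay_hunt.py /mnt/usb`) and review the `unknown` hits first; an unsigned overlay on a binary that should be a plain compiler output is the interesting case, while `authenticode` hits are normally just signed files.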


About the author 

Agent 86

Maxwell Smart, agent 86, is CONTROL's top spy (except for Bannister) and, later, the Chief of CONTROL.
