Ramsay Malware Can Steal from Air-Gapped Systems

NJCCIC Alert

Original Release Date: 5/18/2020

Summary

Air-gapped systems are computers or networks isolated from an organization's network and the public internet because they typically hold highly sensitive data, such as classified documents or intellectual property. ESET researchers discovered three different versions of a new, still-developing malware framework, dubbed Ramsay, that can jump the air gap to infect these isolated systems and collect sensitive documents into a hidden container for exfiltration at a later time. Other features include a rootkit and a spreader component that appends copies of the Ramsay malware to all portable executable (PE) files on removable drives and network shares, which is presumed to be the mechanism used to jump the air gap.
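As an added illustration of the appender behaviour described above (this is not code from the advisory, ESET, or the Ramsay sample), the following Python check parses a PE header, finds the end of the last section, and reports how many bytes are appended past it; the sample PE buffer is constructed inline and the threshold a defender would use is an assumption.

```python
import struct

SECTION_HEADER_SIZE = 40


def pe_overlay_size(data: bytes) -> int:
    """Return the number of bytes appended after the last section of a PE file,
    or -1 if the buffer does not parse as a PE image.

    Appender-style spreaders place their payload past the original sections, so
    an overlay that was absent from a known-good copy is worth investigating.
    Legitimate overlays exist too (Authenticode signatures, installer payloads),
    so compare against a baseline rather than alerting on any overlay at all.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return -1
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return -1
    coff = e_lfanew + 4                        # COFF file header follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size               # section table follows the optional header
    end_of_sections = table + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        hdr = table + i * SECTION_HEADER_SIZE
        if hdr + SECTION_HEADER_SIZE > len(data):
            return -1
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    return max(0, len(data) - end_of_sections)


def build_sample_pe(section_payload: bytes, overlay: bytes = b"") -> bytes:
    """Construct a minimal PE-shaped buffer for testing (not a runnable executable)."""
    e_lfanew = 0x40
    opt_size = 8
    dos_stub = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)          # 0x40 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)      # one section
    raw_ptr = e_lfanew + 4 + 20 + opt_size + SECTION_HEADER_SIZE
    section = b".text\0\0\0" + struct.pack(
        "<IIII", len(section_payload), 0x1000, len(section_payload), raw_ptr) + b"\0" * 16
    return dos_stub + b"PE\0\0" + coff + b"\0" * opt_size + section + section_payload + overlay


if __name__ == "__main__":
    clean = build_sample_pe(b"\x90" * 64)
    appended = build_sample_pe(b"\x90" * 64, overlay=b"X" * 300)  # constructed, not Ramsay
    print(pe_overlay_size(clean), pe_overlay_size(appended))      # 0 300
```

In practice, run the check over PE files on removable media and shares and diff the result against hashes or overlay sizes recorded from known-good copies; a newly appeared overlay on a file that previously had none is the signal, not the overlay by itself.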

Recommendations

The NJCCIC recommends users adopt a defense-in-depth cybersecurity strategy, keep systems patched and up to date, and maintain cybersecurity best practices, including physical security. Additional technical information, including attack vectors, capabilities, and Indicators of Compromise (IoCs), can be found in the ESET article and the ZDNet article.

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov
