It seems this spyware platform is really worried about being detected by traditional network security devices and, therefore, eliminates the use of typical command and control communication channels that are network based. This does indeed fit the air-gap target network theory well, but I suspect it is expected to be used even in connected networks. After all, the original infection vector via email needs to find its way to the victim’s network somehow. I also believe that the glutenous nature of the collector may make for a very large amount of data to exfiltrate, which even when compressed might trigger DLP tools as they are being exfiltrated over the network. This would explain why the malware is not attempting straightforward exfiltration. As much as infecting air-gap networks is difficult, exfiltrating data from them is even more difficult, which is why most malware that operates in air-gap networks are destroyers. One of the modules of this platform must have a probe looking for internet connectivity. Unless that exfiltration method is identified, I think the jury is still our’s as to understanding the full picture of this malware.  Read Less

The Ramsay malware has all the hallmarks of a state-sponsored intelligence operation. It has capabilities to restrict its behavior to specific targets, which are typically not seen in general cybercrime malware built to infect indiscriminately. It’s designed to spread itself onto air-gapped computers which are found in the highest security networks such as those used by militaries and other intelligence organizations. In 2008 the US Central Command (CentCom) air-gapped network was compromised when an adversary packaged infected thumb drives in stores near the base. When service members bought and inserted these drives into their computers, the malware activated and spread throughout the high security military network. The lack of any apparent data exfiltration mechanism is a strong indicator that this malware is still in the development stages and hasn’t been widely deployed yet. The presence of Korean language metadata and code similarities to the “Retro” malware strain by the DarkHotel group could indicate that the South Korean government is involved in Ramsay’s creation, although attribution is fraught in these instances as false-flag operations are techniques that can be used by intelligence agencies.  Read Less