Expert Comments

Expert Insight On Ramsay Malware Targets Air-Gapped Networks

Expert(s): Security Experts
Expert(s): Security Experts

In response to new research from ESET on the discovery of the Ramsay malware toolkit targeting air-gapped networks, Cybersecurity experts commented below.

Experts Comments

Dot Your Expert Comments
Mounir Hahad
May 15, 2020
Head
Juniper Threat Labs, Juniper Networks

Most malware that operates in air-gap networks are destroyers.
It seems this spyware platform is really worried about being detected by traditional network security devices and, therefore, eliminates the use of typical command and control communication channels that are network based. This does indeed fit the air-gap target network theory well, but I suspect it is expected to be used even in connected networks. After all, the original infection vector via email needs to find its way to the victim’s network somehow. I also believe that the glutenous.....Read More
It seems this spyware platform is really worried about being detected by traditional network security devices and, therefore, eliminates the use of typical command and control communication channels that are network based. This does indeed fit the air-gap target network theory well, but I suspect it is expected to be used even in connected networks. After all, the original infection vector via email needs to find its way to the victim’s network somehow. I also believe that the glutenous nature of the collector may make for a very large amount of data to exfiltrate, which even when compressed might trigger DLP tools as they are being exfiltrated over the network. This would explain why the malware is not attempting straightforward exfiltration. As much as infecting air-gap networks is difficult, exfiltrating data from them is even more difficult, which is why most malware that operates in air-gap networks are destroyers. One of the modules of this platform must have a probe looking for internet connectivity. Unless that exfiltration method is identified, I think the jury is still our’s as to understanding the full picture of this malware.  Read Less
Chris Clements
May 15, 2020
VP
Cerberus Sentinel

The Ramsay malware has all the hallmarks of a state-sponsored intelligence operation.
The Ramsay malware has all the hallmarks of a state-sponsored intelligence operation. It has capabilities to restrict its behavior to specific targets, which are typically not seen in general cybercrime malware built to infect indiscriminately. It’s designed to spread itself onto air-gapped computers which are found in the highest security networks such as those used by militaries and other intelligence organizations. In 2008 the US Central Command (CentCom) air-gapped network was.....Read More
The Ramsay malware has all the hallmarks of a state-sponsored intelligence operation. It has capabilities to restrict its behavior to specific targets, which are typically not seen in general cybercrime malware built to infect indiscriminately. It’s designed to spread itself onto air-gapped computers which are found in the highest security networks such as those used by militaries and other intelligence organizations. In 2008 the US Central Command (CentCom) air-gapped network was compromised when an adversary packaged infected thumb drives in stores near the base. When service members bought and inserted these drives into their computers, the malware activated and spread throughout the high security military network. The lack of any apparent data exfiltration mechanism is a strong indicator that this malware is still in the development stages and hasn’t been widely deployed yet. The presence of Korean language metadata and code similarities to the “Retro” malware strain by the DarkHotel group could indicate that the South Korean government is involved in Ramsay’s creation, although attribution is fraught in these instances as false-flag operations are techniques that can be used by intelligence agencies.  Read Less

Dot Your Expert Comments


Only for registered and approved experts. Please register before providing comments. Register here
* By using this form you agree with the storage and handling of your data by this web site.
Submit
0
FacebookTwitterLinkedinWhatsappEmail

You may also like

15 Schools Hit By Cyberattack In Nottinghamshire

Qualys Hit With Ransomware And Customer Invoices Leaked

Experts Reaction On PrismHR Hit By Ransomware Attack

Expert Insight On Ryuk’s Revenge: Infamous Ransomware Is Back And...

ObliqueRAT Trojan Lurks On Compromised Websites – Experts Comments

Microsoft Multiple 0-Day Attack – Tenable Comment

Experts Reaction On Malaysia Airlines 9 Years Old Data Breach

IoT Security In The Spotlight, As Research Highlights Alexa Security...

Oxfam Australia Confirms ‘Supporter’ Data Accessed In Cyber Attack

Expert Reaction On Solarwinds Blames Intern For Weak Passwords