Expert Insight On Ramsay Malware Targets Air-Gapped Networks

In response to new research from ESET on the discovery of the Ramsay malware toolkit, which targets air-gapped networks, cybersecurity experts commented below.

Expert Comments

May 15, 2020
Mounir Hahad
Head
Juniper Threat Labs, Juniper Networks
It seems this spyware platform is really worried about being detected by traditional network security devices and, therefore, eliminates the use of typical command and control communication channels that are network based. This does indeed fit the air-gap target network theory well, but I suspect it is expected to be used even in connected networks. After all, the original infection vector via email needs to find its way to the victim's network somehow. I also believe that the gluttonous nature of the collector may make for a very large amount of data to exfiltrate, which even when compressed might trigger DLP tools as it is being exfiltrated over the network. This would explain why the malware is not attempting straightforward exfiltration. As much as infecting air-gap networks is difficult, exfiltrating data from them is even more difficult, which is why most malware families that operate in air-gap networks are destroyers. One of the modules of this platform must have a probe looking for internet connectivity. Unless that exfiltration method is identified, I think the jury is still out as to understanding the full picture of this malware.
May 15, 2020
Chris Clements
VP
Cerberus Sentinel
The Ramsay malware has all the hallmarks of a state-sponsored intelligence operation. It has capabilities to restrict its behavior to specific targets, which are typically not seen in general cybercrime malware built to infect indiscriminately. It's designed to spread itself onto air-gapped computers, which are found in the highest-security networks such as those used by militaries and other intelligence organizations. In 2008 the US Central Command (CentCom) air-gapped network was compromised when an adversary packaged infected thumb drives in stores near the base. When service members bought and inserted these drives into their computers, the malware activated and spread throughout the high-security military network. The lack of any apparent data exfiltration mechanism is a strong indicator that this malware is still in the development stages and hasn't been widely deployed yet. The presence of Korean-language metadata and code similarities to the "Retro" malware strain by the DarkHotel group could indicate that the South Korean government is involved in Ramsay's creation, although attribution is fraught in these instances, as false-flag operations are techniques that can be used by intelligence agencies.
