Ramsay Malware

A new malware, called Ramsay, can jump air gaps:

ESET said they’ve been able to track down three different versions of the Ramsay malware, one compiled in September 2019 (Ramsay v1), and two others in early and late March 2020 (Ramsay v2.a and v2.b).

Each version was different and infected victims through different methods, but at its core, the malware’s primary role was to scan an infected computer, and gather Word, PDF, and ZIP documents in a hidden storage folder, ready to be exfiltrated at a later date.

Other versions also included a spreader module that appended copies of the Ramsay malware to all PE (portable executable) files found on removable drives and network shares. This is believed to be the mechanism the malware was employing to jump the air gap and reach isolated networks, as users would most likely moved the infected executables between the company’s different network layers, and eventually end up on an isolated system.

ESET says that during its research, it was not able to positively identify Ramsay’s exfiltration module, or determine how the Ramsay operators retrieved data from air-gapped systems.

Honestly, I can’t think of any threat actor that wants this kind of feature other than governments:

The researcher has not made a formal attribution as who might be behind Ramsay. However, Sanmillan said that the malware contained a large number of shared artifacts with Retro, a malware strain previously developed by DarkHotel, a hacker group that many believe to operate in the interests of the South Korean government.

Seems likely.

Details.

Tags: airgaps, databases, malware, South Korea, threat models

Posted on May 18, 2020 at 6:15 AM • 11 Comments

Comments

Dark_Intel • May 18, 2020 8:58 AM

Ramsey can not steal files from an air-gapped computer.

I am surprised and sad that even you didn’t notice what the researcher did here to be in headlines and how these media sites also didn’t challenge the claim or asked for any evidence.

The researcher said he found a few samples of malware that doesn’t do anything extraordinary except copying files from one folder to another and rewriting/infecting executables in connected share or removable drives and is still under development.

Can you find where the researcher provided evidence that suggests this software is designed for air-gap computers rather than being an incomplete piece of work that suppose to have a C&C module?

“Since it doesn’t want to communicate via the network, it’s for tailored for air-gap networks.”

LOL, with that logic, every malware is designed for air-gap networks; doesn’t matter if they have a way to communicate or not.

Even if there’s a separate technique or USB-based malware that could exfiltrate data from a folder, it’s not part of Ramsey’s codebase and applies as a different attack vector.

Clive Robinson • May 18, 2020 2:29 PM

@ Bruce,

Honestly, I can’t think of any threat actor that wants this kind of feature other than governments:

Corporate / Industrial espionage would be high on my list.

It is afterall an electronic form of “dumpster diving”.

But years ago now there was a conversation on this blog about airgap crossing. As I’ve pointed out “Fire and Forget” malware to attack voting machines is a quite serious use for “airgap crossing”. Now you might argue that it was a “Foreign Government” (select one of the usual four[1]). However with the likes of Cambridge Analytica and Geof Thiels Palantir, it should be obvious just how much money is involved at the corporate level especially in the likes of Facebook etc. So any of the large US Political donors who have vast amounts of “black money” riding on things would be using the intel that such software could obtain.

The question is how do such corporates and Government entoties “cover it up?”. Well the UK police found before their investigations got hastily stopped by a UK Government Minister, that Cambridge Analytica was effectively “money laundering” through the likes of Russia to not just cover their tracks but to run it as a “False Flag Operation” as well… Further the US Gov IC entities have managed to loose various of their hacking tool and False Flag tools as well. Some of this we know fairly quickly got reverse engineered by non governmental groups or factions, including Ransom-ware…

[1] There is little doubt that any Government with the capabilities to develop what is at the end of the day moderately simple airgap crosing software will do it along with a whole slew of corporate entities as well. However for reasons known only to the US Government it always has to be one of,

1, China
2, Iran
3, North Korea
4, Russia

And only ever one of them at any one time. People realy should question this because to be polite it makes absolutly no sense except as politically enspired propaganda.

RealFakeNews • May 18, 2020 4:48 PM

Other versions…appended copies of the Ramsay malware to all PE (portable executable) files…mechanism the malware was employing to jump the air gap and reach isolated networks

…so it isn’t jumping an air gap as such, because a user was in the middle.

I’d consider it “jumping an air gap” if it could do so autonomously via e.g. some weird wireless bug/exploit or some bizarre problem like playing a sound on a computer and causing another computer to become inbfected. i.e. no human interaction.

Harry • May 18, 2020 7:33 PM

This program does not jump the air gap and I am shocked that you said it does. It makes it seem that either you didn’t read the description or you don’t understand what air-gap jumping is, neither of which should be the case.

Clive Robinson • May 18, 2020 9:39 PM

@ RealFakeNews,

I’d consider it “jumping an air gap” if it could do so autonomously via e.g. some weird wireless bug/exploit or some bizarre problem…

Ahh the evolution of the meaning of words…

You have to remember that the expression “air gap” preceded those like “sneeker-net” and even the likes of “Ethernet” by several decades.

It’s one of the reasons I coined the expression “energy gap” for a prevention of what you mean, which was not realy thought about when “air gap” was coined long ago.

The reason being if you go back to basic physics for information to be communicated you need two basic things,

1, A source of “Energy”.
2, A “Medium” for the energy to travel in.

Thus anything that is “gapped” kind of implies that the “Medium” is discontinuous. That is the “Shannon Channel” the medium forms is terminated in some manner. In essence there are only three things that can happen to the energy,

1, It can be “reflected” back to the source.
2, Via a transducer it can be converted to another form of energy.
3, It can be absorbed and disipated as the ultimate form of polution “heat”.

For the likes of TEMPEST / EmSec the second is the way information travels the furthest[1].

In free space the energy drops off either as an expanding surface of a sphere 1/(r^2) or as an expanding spherical volume 1/(r^3). However in many information channels the energy is constrained to a channel of constant cross section down which it travels and the loss of energy is then by absorbtion and thus proportional to the length of the channel or 1/r.

Thus consider as an energy source modulated by information the human voice, it radiates out and the energy drops off at a rate of 1/(r^2). However a microphone is a transducer and converts the energy of the sound signal to electrical energy that then travels down a pair of wires where the energy level now drops by 1/r, where it eventually reaches an ear piece that works like a microphone in reverse converting the electrical energy back to the mechanical energy we call sound. Thus the microphone is in effect a “generator” and the ear piece a “motor”.

Similar generator/motor effects exist with Electromagnetic (EM) radiation in fact conversion from a voltage (E) field to a magnetic (H) field is how an EM signal radiates out. If either field encounters either a conductor or dielectric the fields become distorted by it as they act as energy storage devices. Such devices either reradiate the energy or conduct it into some kind of channel that is called a transmission line. A single wire can act as both a radiator or transmission line thus can carry the EM signal a lot lot further than the normal 1/(r^2) would indicate. Also the wire can take an EM signal outside of any shielding or absorbing container.

This is the basic underlying effect that has given rise to TEMPEST which is the passive form of EmSec (there are active forms of EmSec as well that have basic similarities to RADAR signals and theory).

In effect the other basic underlying effect of TEMPEST is that information requires “bandwidth” to be transmitted. If there is insufficient bandwidth then higher frequency components get either absorbed or reflected. Without going into the complexities of what happens when signals reflect in a transmission line or in free space the net effect is the high frequency energy can end up in the lower frequency range and eventually get through the available bandwidth creating considerable distortion and interference. In times past such effects would have made the information usless. However if things are stable they become predictable in effect and modern signal processing can undo quite a few of the distortion and interferance effects (much like in the old days of analogue television you could still work out what the picture was despite heavy “ghosting” and “snow”).

Which is why you realy need to stop the energy getting out by “gapping” and ensuring that it is not just “absorbed” but absorbed by a sufficient mass that it’s bandwidth is several orders of magnitude below that of the lowest information frequency components.

Oh by the way, all the above is based on “basic physics” and you can find most of it in various undergraduate level texts including those for “hobbies” such as Ham/Amature Radio and some professional texts on practical aspects of Electromagnetic Compatibility (EMC) design.

For years various Five-Eyes countries tried to keep the application of such knowledge “classified” and in some places TEMPEST “rules” are still classified at “Secret” and above as are most aspects of “Active EmSec”. I will let others draw their own conclusions about such behaviours, but even though it sounds Orwellian it applies more broadly than you might expect.

This is because there is a slight difference between privacy and secrecy. Secrecy is a subset ot privacy when it comes to information as it applies the notion of asymetric warfare to it. That is privacy is simply restricting access to information often for defensive reasons that is to limit the likes of embarrassment, and protect assets from theft etc. Secrecy is realy about offense not defense, that is to hide an advantage from a perceived enemy. Thus knowing a weakness in your perceived enemies secure systems is a significant advantage as it adds to your offensive capabilities acting in effect as a “force multiplier”.

[1] Oh the code name[2] TEMPEST came about long after the effects it is based on were already in use. Put simply back in World War One, “field telephones” could work with just one wire as opposed to the two wires we normally associate with “telephone pairs”. The return path in such a single wire phone is “ground” that is you bang in a couple of earth spikes one at either phone. The idea of using “ground return” long proceeded telephones in that the old “telegraph” system used it and “wireman sets” required a “ground” spike and had a pole like a shepards crook that hung over the telegraph wire to make connection to not just send but “listen in”. Thus by WWI it was well known amongst wiremen that you could “listen in” by putting a test set from the signal wire to ground. What some others knew was that you could in effect make a “Bridge Circuit” by banging in two earth spikes several yards appart and picking up the “ground return” signal from a one wire field telephone. Importantly as the ground return current “spreads out” rather like those iron filling and magnet images you would have seen at school to show “lines of force” your two ground spikes can be some distance to the side of the field telephone you are trying to listen into. Thus even in WWI there were secret intelligence teams exploiting the effects and gathering information from enemy field telephones that later got classified under the TEMPEST code word.

[2] The use of “code words” is usually associated in the public mind as being for classifications above “secret” that you have to be “read into”. It’s not, the basic security classifications are hierarchical and apply across all information irrespective of what it is about. Code words are used to segregate “domains of classified information”. Thus you can have the peculiar situation where unclasified information is covered by a code word that is classified as secret. However when you think about it logically it does make sense. Think of it in commercial terms, that is a pharmaceutical company decides to develop a new drug, just knowing that they are interested in as little as two chemical compounds could give a domain specific expert sufficient information to accutately predict the intention of the research. Thus using code words to obfuscate information Orwellian as it might appear does add a layer of security, in the same way as blinds/curtains at windows do for privacy.

Clive Robinson • May 18, 2020 11:26 PM

@ Harry,

This program does not jump the air gap and I am shocked that you said it does.

Actually it does “jump the air gap” all be it only in one direction, and it’s actually quite a significant point to realise.

You are making a fatal assumption that “Ramsey” as described in the three versions that ESET has seen are,

1, The only versions.
2, Is the only tool involved.

If you understood the nature of both “fire and forget” and “directed” APT you would understand the advantages of using seperate tools and evolving other tools over time.

Think of “Ramsey” being the equivalent of GCHQ and the NSA developing weaknesses to use as “implants” or as happened with Crypto AG “manufactured in back doors”. The fact you have added a weakness to as many “targets of opportunity” as you can does not mean that they are “targets of interest” either currently or in the future, just that they might be. You can not predict the future with any certainty thus likewise you do not know today who “a person of interest” might be the day after tommorow.

The realy interesting thing that Ramesy does is it “builds a historical database without exfiltration”. This marks what it does as an “Intelligence tool” of an organisation out on the hub of the Internet. Thus the question is even though this is a Level 3 tool is it actually “Nation State” or “International Company” in origin, it might well be the later.

I pointed out well over a decade ago both on this blog and the lightthebluetouchpaper blog –where I upset Richard Clayton because he assumed bot nets were of little more than a nuisance– that the then “bot net herders” were not thinking about how to monetize their “purloined assets”, and indicated that exactly this sort of intelligence gathering activity is almost exactly what I would be doing.

But I doubt that answers your thoughts on the apparent lack of exfiltration of data. To understand this you have to understand the probabilistic nature of malware detection.

Provided your computer does not slow down or start behaving oddly, most people would have no reason to think that there was malware on their computer. Even the average user finding a directory with all their doccument and other files might just assume it was some kind of “backup utility” they were unaware of put in by the AV software, or part of the OS or other application after all this is exactly the kind of behaviour various “backup to cloud” and “desktop sync” functionality that has happened over the past decade or so.

Even in a corporate environment it might well pass without comment. However what almost certainly would get picked up is all that data being exfiltrated across the network to a command and control server, because it is “noisy” and thus attracts attention at all sorts of levels including foreign nation SigInt agencies, who are actually continuously on the look for such things.

Thus if you are doing APT you want to be as quiet as possible in that regard.

However as an Intelligence Agency one of the most important things is “Historical Information” because it alows analysts to see trends from which they can make predictions, or they can look back over to find contacts etc that have now been hidden etc. It is after all the reason we believe Blufdale in Utah exists. For the NSA embedded at the center of the Internet and hidden away in the network infrastructure atleast one or more routers upstream of potential targets hoovering up data on mass is not “visable” to targets thus it’s “out of sight out of mind” to targets thus not noisy (which is why Google got publically upset with the NSA when the news became public the NSA had tapped Google’s unencrypted backhauls on their distributed sites).

What Ramesy is doing is building exactly the same kind of “historical database”. Only unlike the Blufdale center it’s distributed, has no network connection costs or for that matter storage costs. I’ve no idea what Blufdale costs the NSA to run every year but I suspect it’s way way bigger than quite a few small nations GDP. The other issue with Blufdale is of course that only a tiny fraction of a percent of the data in there will ever be looked at, let alone used by analysts. Thus Ramsey is way way more efficient and costs who ever originated it next to nothing for storing the data.

But that still leaves a problem, exfiltration of data from a targets systems is a noisy activity. You have two basic choices “long and slow” or “fast and furious” thus capacity and noise wise the difference between a push bike and a Satan V rocket. Thus you realy would want to keep your options open for how to exfiltrate the information from a targets site. Once you have made that decision a whole load of other factors come into play, all of which push the idea that having seperate tools one for installing the database builder and many others for exfiltrating the data is a good idea. Two of which are is it keep the tools smaller and it opens up your options.

Also look at it this way the tool most likely to get found is the one that is noisiest. Thus keeping it small and focused leaks less information about the organisation behind Ramsey and also any AV or similar “signiture” will be for the exfiltration tool not the data collection tool thus potentially protecting the investment in the data collection tool.

So only having a “one way” crossing of an air gap in the APT data collection tool makes a whole lot of sense especially if the delivery system is “fire and forget” as opposed to targeted.

It’s the way I would expect a professional APT developer to proceed especially if infact it was a team of developers who were for security reasons “compartmentalized” which is what you would expect in a Level 3 national agency, that did not have the advantage of being at the center of the web such as the NSA or at significant “choke points” such as GCHQ or others of the Five Eyes.

As the old saying has it “First walk a mile in the other man’s shoes”.

Rampart • May 19, 2020 2:58 PM

I’m confused by this blog post. Aren’t airgapped machines physically isolated from adjacent networks? If this is the case, how could it be possible for an infection to occur in said machine?

Clive Robinson • May 19, 2020 3:30 PM

@ Rampart,

Aren’t airgapped machines physically isolated from adjacent networks? If this is the case, how could it be possible for an infection to occur in said machine?

The answers respectively are “Yes” and “quite easily”.

If you think about what a computer does it’s fairly simple,

1, Obtain information.
2, Process the information.
3, Output the results of processing.

The problem is that computers actually have very small local storage compared to the quantity of information they take in and the information they output.

Thus you fairly quickly realise that information has to come from and go to somewhere outside the “air gapped” system for it to be usefull.

It’s highly unlikely that someone will sit at a keyboard and type it all in from printed information. We started to stoped doing that before the Intel Ia286 was put in an IBM PC AT.

Back then data arived and left via “Sneaker-Net” for those under the age of fifty this ment carrying a 5.25 inch floppy disk from one machine to another because real computer networks were realy still in the development stage and a NIC could cost as much as the PC… Also the cable was the likes of “Twinax” for IBM’s token ring and RG213 coax for early Ethernet, both were “solid dialectric” cables around 2/3rds of an inch in diameter with a bend radius of around 18inches. Both required a specialised box of electronics actually mounted on the cable and a multi twisted pair cable no more than 6ft connecting it to the NIC.

Well if you think about it the 5.25inch floppy with 180Kbyte storage is the great great ancesster of the 32Gigabyte thumb drive USB devices we call “removable media”.

So where there is not a cable to get information in and out of an air gapped system the ages old “removable media” is still used.

This happens because very few people understand what is required for a “mandated choke point” and thus what is required to set them up correctly. For instance even though people think “Network Data Diodes” are “one way” many are not because of “error correction” that acts as a Shannon Channel in the opposit direction.

You could easily fill quite a large thick book with just a fraction of the things you need to know to set up a properly “mandated choke point” and thus few outside quite a select circle actually can do it effectively.

However if the information bandwidth is low there are ways you can do it wirh custom electronics using low data rate serial lines most call RS232 and microcontrolers that know how to filter data to find things that should not be alowed. The simple way to do this is to lose all but human readable plain text formating (CSV and the like). That is “fancy binary formats” get given the elbow in favour of what human eyes and brain can check.

Who? • May 21, 2020 4:15 PM

In the eighties all DOS-based computer viruses were very good at jumping air gaps. In fact, only a few PCs at that time were networked and these networks were local ones.

Ramsey :< • May 22, 2020 3:36 AM

The malware is called “Ramsay”, not “Ramsey”.

William • May 23, 2020 5:40 AM

Yes, you are right. This is “RAMSAY” not ramsey.
Please correct it. Thanks.

Ramsay Malware

Comments

Leave a comment Cancel reply