Ramsay Trojan designed to target air-gapped systems

Ramsay is a highly sophisticated information-stealing trojan and associated espionage framework capable of operating on air-gapped systems. First observed in September 2019, it is believed to have been created by or for the Darkhotel advanced persistent threat group.

An air-gapped computer is isolated from unsecured networks, meaning that it is not directly connected to the internet, nor is it connected to any other system that is connected to the internet. 

Since first being observed, Ramsay has gone through two major iterations, with both introducing new delivery mechanisms. Ramsay v1 is distributed via malicious documents containing an initial VBS script, a CVE-2917-0199 exploit, and a PE file disguised as a JPEG image. Versions 2.a and 2.b both exploit CVE-2017-11882, with 2.a being delivered disguised as legitimate file utilities, whilst 2.b is again delivered by malicious documents.

Once installed, Ramsay will edit several registry keys, create multiple scheduled tasks, and inject itself into a running process in an attempt to maintain persistence. Later variants will also use MSDTC and phantom DLL hijacking techniques. If successful, Ramsay scans all connected drives and removable media for target files, which are then stored in a preliminary collection directory. When complete, Ramsay encrypts this directory with the RC4 algorithm before compressing it using an embedded WinRAR instance. Ramsay then adds a magic value to the archive before adding this value to each Word document on the system. Whilst it is currently unclear how these archives are exfiltrated, it is believed that a secondary unidentified component scans the affected file system for these magic values in order to identify the archives to extract.

Additionally, Ramsay 2.a and 2.b are able to propagate across networks, although this functionality appears to be disabled in version 2.b. Certain Ramsay variants also implement a network scanner able to identify EternalBlue vulnerable systems, with any scan results included in the collection directory.

Further information – https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/

Indicators of Compromise (IoCs) – SHA1

Win32/TrojanDropper.Agent.SHN (Initial Installer)
f79da0d8bb1267f9906fad1111bd929a41b18c03

Win32/Ramsay.A (Installer Launcher)
62d2cc1f6eedba2f35a55beb96cd59a0a6c66880

Win32/HackTool.UACMe.T (UAC Bypass Module)
baa20ce99089fc35179802a0cc1149f929bdf0fa

Win32/HackTool.UACMe.T (UAC Bypass Module)
5c482bb8623329d4764492ff78b4fbc673b2ef23

Win32/TrojanDropper.Agent.SHM (Spreader)
e7987627200d542bb30d6f2386997f668b8a928c

Win32/TrojanDropper.Agent.SHN (Malware Installer)
3bb205698e89955b4bd07a8a7de3fc75f1cb5cde

Win32/HideProc.M (HideDriver Rootkit)
bd8d0143ec75ef4c369f341c2786facbd9f73256

Win32/HideProc.M (HideDriver Rootkit)
7d85b163d19942bb8d047793ff78ea728da19870

Win64/HackTool.Inject.A (Darkhotel Retro Backdoor Loader)
3849e01bff610d155a3153c897bb662f5527c04c

Win32/Ramsay.B (Ramsay Initial Installer (version 2.b)
50eb291fc37fe05f9e55140b98b68d77bd61149e

Win32/Exploit.CVE-2017-11882.H RTF file that drops Ramsay Initial Installer
87ef7bf00fe6aa928c111c472e2472d2cb047eae

Win32/Ramsay.C (Ramsay Agent DLL (32bits)
5a5738e2ec8af9f5400952be923e55a5780a8c55

Win32/Ramsay.C (Ramsay Agent EXE (32bits)
19bf019fc0bf44828378f008332430a080871274

Win32/Ramsay.C (Ramsay Agent DLL (32bits)
bd97b31998e9d673661ea5697fe436efe026cba1

Win32/Ramsay.C (Ramsay Agent DLL (32bits)
eb69b45faf3be0135f44293bc95f06dad73bc562

Win64/Ramsay.C (Ramsay Agent DLL (64bits)
f74d86b6e9bd105ab65f2af10d60c4074b8044c9

Win64/Ramsay.C (Ramsay Agent DLL (64bits)
ae722a90098d1c95829480e056ef8fd4a98eedd7