New Cyber-Espionage Framework Dubbed Ramsay

The framework is designed to collect and exfiltrate sensitive documents from air-gapped networks.

Researchers have found a new cyber-espionage framework developed to collect and exfiltrate sensitive files from air-gapped networks not connected to the Internet. This framework, named Ramsay, has gone through several iterations as its developers test new approaches to attack.


The research team with cybersecurity firm ESET discovered its first Ramsay component earlier this year when a file uploaded to VirusTotal caught its attention, says Alexis Dorais-Joncas, head of ESET's Montreal-based research team. The researchers don't know precisely how long Ramsay has been active; however, they don't believe the framework was used in the wild before late 2019.


This initial sample was uploaded from Japan and led the research team to find more versions and components of Ramsay. The team also found "substantial evidence" indicating the framework was still undergoing development, with its operators still fine-tuning Ramsay's delivery vectors.


ESET telemetry shows Ramsay only has a small pool of victims. This reinforces the team's belief that the framework is still in development; however, the low visibility of victims could also be attributed to the discovery that Ramsay's targeted systems are in air-gapped networks not connected to the Internet. So far, it's clear Ramsay is a new form of malware; it's unclear who is behind it.


"We tried connecting Ramsay to existing groups/threat actors, but nothing emerged despite our best efforts," Dorais-Joncas explains. "We know Ramsay is a new malware, but we don't know if it is the work of an existing group that created a new tool or of a brand-new group."


The team has not been able to confirm any relevant details on Ramsay's targets or victims from a geolocation or industry point of view, ..