According to specialists at the US cybersecurity firm Eset, the Ramsay malware is now very active in the world.
A study conducted by these researchers has shown that several instances of this malware attack information systems that are disconnected from conventional networks, in other words isolated computer systems.
This article will also interest you: A malicious program permanently on a smartphone model subsidized by the U.S. state
Apparently, components of this malware would have allowed network scanners to be implanted on machines in order to discover the sub-networks to which they were connected in order to compromise them, especially those who were vulnerable to the Eternalblue fault. « … some of Ramsay's components have implemented a network scanner for the discovery of machines not connected to the Internet (Air Gap) but known in the compromised host sub-network that are sensitive to the EternalBlue SMBv1 vulnerability. This information will be contained in all the recorded information Ramsay collects and can be exploited by operators in order to laterally perform lateral movements on the network via a different channel," the security firm's researchers explain.
This report by ESET researchers highlights something that is much unknown: the fact that even the computer systems of companies disconnected from the network are also targeted by cyber criminals, just as what usually work on public networks. The tool used in this context is the Ramsay program. Its special functionality allows it to analyze, infiltrate the isolated network, identify and collect all the data contained in the system. ESET, in a blog post notified that there are several variants of this program in circulation: "We initially found a Ramsay instance in VirusTotal. This sample was downloaded from Japan and led us to the discovery of other components and versions of the framework, as well as substantial evidence to conclude that this framework is at a stage of development, with its delivery vectors still being fine-tuned."
In addition, ESET researchers have not yet been able to identify Ramsay's true targets and variants. However, some victims have reportedly been identified by the cybersecurity firm. On this point, she prefers not to reveal any names. To reassure, ESET has indicated that it has updated the attack vectors used by Ramsay and its variants. These included the CVE-2017-0199 security flaw that allowed hackers to inject a malicious Visual Basic program into a folder, allowing Ramsay to be camouflaged in a JPG image. The second flaw, allows to usurp the privileges of a 7zip installer. And the third flaw would be the CVE vulnerability-2017-11882. According to the Eset researchers, Ramsay's variants could have been stalled at specific times such as:
– September 24, 2019, rootkit-free
– March 8, 2020, with rootkit and spreader
– March 27, 2020, with rootkit and no spreader
"Analysis of the different compilation time stamps found on different components implies that this framework has been under development since the end of 2019, with the possibility of having two versions currently kept to measure according to the configuration of different targets," the cybersecurity firm said.
On Ramsay-based attack mechanisms and their nature, ESET states: "Ramsay's architecture provides a series of surveillance capabilities via a logging mechanism designed to assist operators by providing a stream of actionable information to conduct exfiltration, control and lateral motion actions, as well as providing behavioral statistics and overall systems of each compromise system."
The security company explains that the Ramsay program, given its components, would have undergone several changes over the years. By studying the different attack vectors, the specialist highlights the fact that cybercriminals are in a multifaceted approach, allowing to try several contingencies while remaining cautious. "Based on the different instances of the framework found, Ramsay has gone through different stages of development, indicating an increasing progression in the number and complexity of its capabilities. Developers in charge of attack vectors seem to be trying different approaches such as old exploits for Word vulnerabilities from 2017 as well as deploying trojans, ESET says.
Now access an unlimited number of passwords: