Malware analysis

Ramsay malware: What it is, how it works and how to prevent it | Malware spotlight

Greg Belding
July 23, 2020 by
Greg Belding


The unique functionality of things normally makes them as much of a point of interest as an oddity. Malware is no exception to this notion and a malware framework known as Ramsay provides a great example of it. 

Unlike nearly every other malware, Ramsay has the ability to jump air gaps in an organization’s network to infect computers. 

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

This article will detail what Ramsay is, how it works and how you can defend against it. This advanced functionality makes Ramsay particularly important for malware researchers to study and may provide knowledge useful in preventing malware with this functionality in the future.

What is Ramsay?

In September of 2019, researchers at ESET discovered a malware framework dubbed Ramsay. This malware was designed to jump air gaps in an organization’s network to infect computers that would otherwise be isolated from malware (unless a user installs an infected device such as a USB drive). 

Air gaps are generally considered to be one of the most effective and strict information security measures and are used extensively in both manufacturing and critical infrastructure. Attackers know this, which is why getting into an air-gapped network has been called the “Holy Grail” of security breaches.

Researchers have observed three different versions of Ramsay. Version 1 was distributed via malicious Office document attachments to emails which exploited CVE-2017-0199, a Microsoft Word remote execution flaw, to facilitate the malware installation. This exploit allows attackers to launch malicious code when an RTF document is launched. VirusTotal has discovered several different versions of these documents with indications that may have been used to test how well Ramsay performed vis-à-vis vendors’ static engines. 

Newer Ramsay versions, v2.a and v2.b, were observed being distributed as malicious installers masquerading as popular applications, including 7zip. These versions allowed for more aggressive spreading via infecting portable executable (PE) files residing on connected removable drives. Ramsay v2.b has been observed exploiting CVE-2017-11882, which allows for arbitrary code execution in different versions of MS Office as the current user and is a marked step-up of malicious functionality.

It should be noted that researchers have observed some shared artifacts in Ramsay that are also used in the Retro backdoor. While it is still not known for sure who is behind the Ramsay malware, the similarities it has with Retro may indicate that Darkhotel, an APT which is considered to be in the interests of the South Korean government, is behind it.

As the future unfolds, researchers are likely to discover more about this malware which will help in fighting the “spreading of its wings” or moving out of the realm of being focused on highly-targeted, specialized attack campaigns and into a broader attack landscape.

How Ramsay works

The main role of Ramsay is to gather ZIP, Word and PDF files, hide them in a concealed folder and then exfiltrate them at a later time. What is of more interest is how Ramsay jumps air gaps to infect computers. While it is still not entirely known how it does this, we do know some things. 

Malware cannot jump air gaps without some novel functionality that is as of yet unknown to the general information security public. This does not mean that air-gapped computers can’t become infected; when they do, it is normally due to infected removable drives. Researchers currently find that the most likely way for Ramsay to jump the air gap is by infecting PE on removable drives, where the malware is downloaded when the file is executed. This spreading mechanism was first witnessed in the later versions of this malware framework and has been described as highly aggressive.

After infection, several modules execute, which unleashes the core capabilities of the malware. These capabilities gather all ZIP files, Microsoft Word documents and PDF files. Ramsay then allows for escalation of privileges, scans for removable drives and network shares and takes screenshots. 

It is currently unknown exactly how Ramsay exfiltrates the files it collects from infected systems. Researchers at ESET believe that Ramsay uses an external component that scans the infected computer’s file system for the malware’s hidden storage container’s magic values to identify where the files are.

Ramsay does not have a network-based central communication protocol, such as a C2 server. Rather, it uses a decentralized control protocol that appears tailor-made for operating on an air-gapped system. 

In terms of persistence, the malware uses several mechanisms. These persistence mechanisms include:

  • AppInit DLL registry key
  • Phantom DLL hijacking
  • Scheduled task via COM API

How to prevent Ramsay

So far, Ramsay’s victims have had a low visibility profile. This is likely because they are on air-gapped networks. With this said, this does not mean that the number of victims is truly as small as it seems. This is further obscured by the fact that portions of the malware are still under development, so we really have not seen it at full stride yet.

For those concerned with preventing Ramsay, most respected AV and anti-malware solutions can detect it. It is recommended to scan your removable drives and when you are not using them, simply disconnect them from your computer. While Ramsay may be able “jump” an air gap, it won’t be able to jump the gap of a disconnected removable drive.

If you are interested in researching Ramsay, here is its respective IOC (SHA):




















Ramsay is a malware that has gained notoriety for specialization in targeting systems isolated by an air gap. The point of interest here is that it seemingly “jumps” this air gap, presumably by infecting PE files on the removable drives connected to an infected computer. The drive is then used on the isolated computer and gains its beachhead on that system when the file is executed. 

We are still learning more about this malware. Researchers are monitoring the situation and watching for Ramsay to widen its attack landscape.

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.



  1. Ramsay Malware Targets Air-Gapped Networks, Threatpost
  2. Why On-Device Detection Matters: New Ramsay Trojan Targets Air-Gapped Networks, SentinelOne Blog
  3. Ramsay: A New Cyber Espionage Toolkit to Steal Data from Air-Gapped Networks, CISO MAG
  4. Are Air-Gapped Networks Enough to Stop Malware? They Might Not Be for Long, CPO Magazine
Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.