{"id":4818,"date":"2020-05-13T12:00:00","date_gmt":"2020-05-13T09:00:00","guid":{"rendered":"https:\/\/blog.eset.ee\/?p=4818"},"modified":"2020-05-13T21:56:57","modified_gmt":"2020-05-13T18:56:57","slug":"research-discovers-cyber-espionage-framework-ramsay","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2020\/05\/13\/research-discovers-cyber-espionage-framework-ramsay\/","title":{"rendered":"ESET Research discovers cyber espionage framework Ramsay"},"content":{"rendered":"\n<p>ESET researchers have discovered a previously unreported cyber espionage framework they dub Ramsay. The framework is tailored for collecting and exfiltrating sensitive documents from air-gapped systems that are not connected to the internet or other online systems. Since the number of victims so far is very low, ESET believes that this framework is under an ongoing development process.<\/p>\n\n\n\n<p>\u201cWe initially found an instance of Ramsay in a VirusTotal sample uploaded from Japan that led us to the discovery of further components and other versions of the framework along with substantial evidence to conclude that the framework is still in a developmental stage, with delivery vectors subject to fine testing,\u201d says Alexis Dorais-Joncas, head of ESET\u2019s Montreal-based research team.<\/p>\n\n\n\n<p>According to ESET findings, Ramsay has gone through several iterations based on the different instances of the framework found, denoting a linear progression on the number and complexity of its capabilities. The developers in charge of infection vectors seem to be trying different approaches, such as using old exploits for Microsoft Word vulnerabilities from 2017 and deploying trojanized applications for delivery, potentially via spear-phishing. 
The three discovered versions of Ramsay differ in complexity and sophistication, with the latest third version being the most advanced, especially with regard to evasion and persistence.<\/p>\n\n\n\n<p>Ramsay\u2019s architecture provides a series of capabilities managed via a logging mechanism:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>File collection and covert storage: <\/strong>The primary goal of this framework is to collect all existing Microsoft Word documents within a target\u2019s file system.<\/li><li><strong>Command execution:<\/strong> Ramsay\u2019s control protocol implements a decentralized method of scanning and retrieving commands from control documents.<\/li><li><strong>Spreading:<\/strong> Ramsay embeds a component that seems to be designed to operate within air-gapped networks.<\/li><\/ul>\n\n\n\n<p>\u201cEspecially noteworthy is how the architectural design of Ramsay, especially the relationship between its spreading and control capabilities, allows it to operate in air-gapped networks \u2013 meaning networks that are not connected to the internet,\u201d says Dorais-Joncas.<\/p>\n\n\n\n<p><strong>Overview of discovered Ramsay versions<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"652\" src=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/05\/graph-1-1024x652.png\" alt=\"\" class=\"wp-image-4831\" srcset=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/05\/graph-1-1024x652.png 1024w, https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/05\/graph-1-190x121.png 190w, https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/05\/graph-1-768x489.png 768w, https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/05\/graph-1-1536x978.png 1536w, https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/05\/graph-1.png 2000w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>For more technical details about Ramsay, read the blog 
post \u201cRamsay: A cyber espionage toolkit tailored for Air-Gapped Networks\u201d on WeLiveSecurity. Make sure to follow <a href=\"https:\/\/twitter.com\/ESETresearch\">ESET Research on Twitter<\/a> for the latest news from ESET Research.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>ESET researchers have discovered a previously unreported cyber espionage framework they dub Ramsay. The framework is tailored for collecting and exfiltrating sensitive documents from air-gapped systems that are not connected to the internet or other online systems. Since the number of victims so far is very low, ESET believes that this framework is under an<\/p>\n","protected":false},"author":5,"featured_media":4822,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[160],"tags":[],"class_list":["post-4818","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v26.2 (Yoast SEO v27.4) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>ESET Research discovers cyber espionage framework Ramsay - ESET Eesti Blogi<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.eset.ee\/et\/en\/2020\/05\/13\/research-discovers-cyber-espionage-framework-ramsay\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"ESET Research discovers cyber espionage framework Ramsay\" \/>\n<meta property=\"og:description\" content=\"ESET researchers have discovered a previously unreported cyber espionage framework they dub Ramsay. 
The framework is tailored for collecting and exfiltrating sensitive documents from air-gapped systems that are not connected to the internet or other online systems. Since the number of victims so far is very low, ESET believes that this framework is under an\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.eset.ee\/et\/en\/2020\/05\/13\/research-discovers-cyber-espionage-framework-ramsay\/\" \/>\n<meta property=\"og:site_name\" content=\"ESET Eesti Blogi\" \/>\n<meta property=\"article:publisher\" content=\"http:\/\/www.facebook.com\/antiviirus\" \/>\n<meta property=\"article:published_time\" content=\"2020-05-13T09:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2020-05-13T18:56:57+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/05\/ramsay.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"628\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"ESET Blog\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ESET Blog\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2020\\\/05\\\/13\\\/research-discovers-cyber-espionage-framework-ramsay\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2020\\\/05\\\/13\\\/research-discovers-cyber-espionage-framework-ramsay\\\/\"},\"author\":{\"name\":\"ESET Blog\",\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/#\\\/schema\\\/person\\\/876cf293277fc0b2ae2f4395fffe4c88\"},\"headline\":\"ESET Research discovers cyber espionage framework Ramsay\",\"datePublished\":\"2020-05-13T09:00:00+00:00\",\"dateModified\":\"2020-05-13T18:56:57+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2020\\\/05\\\/13\\\/research-discovers-cyber-espionage-framework-ramsay\\\/\"},\"wordCount\":365,\"image\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2020\\\/05\\\/13\\\/research-discovers-cyber-espionage-framework-ramsay\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/blog.eset.ee\\\/wp-content\\\/uploads\\\/2020\\\/05\\\/ramsay.jpg\",\"articleSection\":[\"malware\"],\"inLanguage\":\"en-US\",\"copyrightYear\":\"2020\",\"copyrightHolder\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/#organization\"}},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2020\\\/05\\\/13\\\/research-discovers-cyber-espionage-framework-ramsay\\\/\",\"url\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2020\\\/05\\\/13\\\/research-discovers-cyber-espionage-framework-ramsay\\\/\",\"name\":\"ESET Research discovers cyber espionage framework Ramsay - ESET Eesti 
Blogi\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2020\\\/05\\\/13\\\/research-discovers-cyber-espionage-framework-ramsay\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2020\\\/05\\\/13\\\/research-discovers-cyber-espionage-framework-ramsay\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/blog.eset.ee\\\/wp-content\\\/uploads\\\/2020\\\/05\\\/ramsay.jpg\",\"datePublished\":\"2020-05-13T09:00:00+00:00\",\"dateModified\":\"2020-05-13T18:56:57+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/#\\\/schema\\\/person\\\/876cf293277fc0b2ae2f4395fffe4c88\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2020\\\/05\\\/13\\\/research-discovers-cyber-espionage-framework-ramsay\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2020\\\/05\\\/13\\\/research-discovers-cyber-espionage-framework-ramsay\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2020\\\/05\\\/13\\\/research-discovers-cyber-espionage-framework-ramsay\\\/#primaryimage\",\"url\":\"https:\\\/\\\/blog.eset.ee\\\/wp-content\\\/uploads\\\/2020\\\/05\\\/ramsay.jpg\",\"contentUrl\":\"https:\\\/\\\/blog.eset.ee\\\/wp-content\\\/uploads\\\/2020\\\/05\\\/ramsay.jpg\",\"width\":1200,\"height\":628},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2020\\\/05\\\/13\\\/research-discovers-cyber-espionage-framework-ramsay\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"ESET Research discovers cyber espionage framework 
Ramsay\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/\",\"name\":\"ESET Eesti Blogi\",\"description\":\"Uudised IT maailmast\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/#\\\/schema\\\/person\\\/876cf293277fc0b2ae2f4395fffe4c88\",\"name\":\"ESET Blog\",\"sameAs\":[\"http:\\\/\\\/eset.ee\"],\"url\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/author\\\/allankinsigo\\\/\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2020\\\/05\\\/13\\\/research-discovers-cyber-espionage-framework-ramsay\\\/#local-main-organization-logo\",\"url\":\"\",\"contentUrl\":\"\",\"caption\":\"ESET EESTI\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"ESET Research discovers cyber espionage framework Ramsay - ESET Eesti Blogi","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.eset.ee\/et\/en\/2020\/05\/13\/research-discovers-cyber-espionage-framework-ramsay\/","og_locale":"en_US","og_type":"article","og_title":"ESET Research discovers cyber espionage framework Ramsay","og_description":"ESET researchers have discovered a previously unreported cyber espionage framework they dub Ramsay. The framework is tailored for collecting and exfiltrating sensitive documents from air-gapped systems that are not connected to the internet or other online systems. 
Since the number of victims so far is very low, ESET believes that this framework is under an","og_url":"https:\/\/blog.eset.ee\/et\/en\/2020\/05\/13\/research-discovers-cyber-espionage-framework-ramsay\/","og_site_name":"ESET Eesti Blogi","article_publisher":"http:\/\/www.facebook.com\/antiviirus","article_published_time":"2020-05-13T09:00:00+00:00","article_modified_time":"2020-05-13T18:56:57+00:00","og_image":[{"width":1200,"height":628,"url":"https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/05\/ramsay.jpg","type":"image\/jpeg"}],"author":"ESET Blog","twitter_card":"summary_large_image","twitter_misc":{"Written by":"ESET Blog","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.eset.ee\/et\/en\/2020\/05\/13\/research-discovers-cyber-espionage-framework-ramsay\/#article","isPartOf":{"@id":"https:\/\/blog.eset.ee\/et\/en\/2020\/05\/13\/research-discovers-cyber-espionage-framework-ramsay\/"},"author":{"name":"ESET Blog","@id":"https:\/\/blog.eset.ee\/et\/en\/#\/schema\/person\/876cf293277fc0b2ae2f4395fffe4c88"},"headline":"ESET Research discovers cyber espionage framework 
Ramsay","datePublished":"2020-05-13T09:00:00+00:00","dateModified":"2020-05-13T18:56:57+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.eset.ee\/et\/en\/2020\/05\/13\/research-discovers-cyber-espionage-framework-ramsay\/"},"wordCount":365,"image":{"@id":"https:\/\/blog.eset.ee\/et\/en\/2020\/05\/13\/research-discovers-cyber-espionage-framework-ramsay\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/05\/ramsay.jpg","articleSection":["malware"],"inLanguage":"en-US","copyrightYear":"2020","copyrightHolder":{"@id":"https:\/\/blog.eset.ee\/et\/#organization"}},{"@type":"WebPage","@id":"https:\/\/blog.eset.ee\/et\/en\/2020\/05\/13\/research-discovers-cyber-espionage-framework-ramsay\/","url":"https:\/\/blog.eset.ee\/et\/en\/2020\/05\/13\/research-discovers-cyber-espionage-framework-ramsay\/","name":"ESET Research discovers cyber espionage framework Ramsay - ESET Eesti Blogi","isPartOf":{"@id":"https:\/\/blog.eset.ee\/et\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.eset.ee\/et\/en\/2020\/05\/13\/research-discovers-cyber-espionage-framework-ramsay\/#primaryimage"},"image":{"@id":"https:\/\/blog.eset.ee\/et\/en\/2020\/05\/13\/research-discovers-cyber-espionage-framework-ramsay\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/05\/ramsay.jpg","datePublished":"2020-05-13T09:00:00+00:00","dateModified":"2020-05-13T18:56:57+00:00","author":{"@id":"https:\/\/blog.eset.ee\/et\/en\/#\/schema\/person\/876cf293277fc0b2ae2f4395fffe4c88"},"breadcrumb":{"@id":"https:\/\/blog.eset.ee\/et\/en\/2020\/05\/13\/research-discovers-cyber-espionage-framework-ramsay\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.eset.ee\/et\/en\/2020\/05\/13\/research-discovers-cyber-espionage-framework-ramsay\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.eset.ee\/et\/en\/2020\/05\/13\/research-discovers-cyber-espionage-framework-ramsay\/#primaryim
age","url":"https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/05\/ramsay.jpg","contentUrl":"https:\/\/blog.eset.ee\/wp-content\/uploads\/2020\/05\/ramsay.jpg","width":1200,"height":628},{"@type":"BreadcrumbList","@id":"https:\/\/blog.eset.ee\/et\/en\/2020\/05\/13\/research-discovers-cyber-espionage-framework-ramsay\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.eset.ee\/et\/en\/"},{"@type":"ListItem","position":2,"name":"ESET Research discovers cyber espionage framework Ramsay"}]},{"@type":"WebSite","@id":"https:\/\/blog.eset.ee\/et\/en\/#website","url":"https:\/\/blog.eset.ee\/et\/en\/","name":"ESET Eesti Blogi","description":"Uudised IT maailmast","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.eset.ee\/et\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.eset.ee\/et\/en\/#\/schema\/person\/876cf293277fc0b2ae2f4395fffe4c88","name":"ESET Blog","sameAs":["http:\/\/eset.ee"],"url":"https:\/\/blog.eset.ee\/et\/en\/author\/allankinsigo\/"},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.eset.ee\/et\/en\/2020\/05\/13\/research-discovers-cyber-espionage-framework-ramsay\/#local-main-organization-logo","url":"","contentUrl":"","caption":"ESET 
EESTI"}]}},"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/4818","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/comments?post=4818"}],"version-history":[{"count":0,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/4818\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media\/4822"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media?parent=4818"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/categories?post=4818"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/tags?post=4818"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}