Malware Designed to Target Air-Gapped Networks
Historically, forensic laboratories would more often than not use an air-gapped network to protect data and the integrity of their investigations. Although some of our customers are moving away from this model (in many cases to better leverage services such as Azure and AWS) a large proportion still rely on the ‘air-gap’ as their primary security defence.
Although a properly implemented air-gap can be effective, it would be a mistake to place over reliance on this and neglect basic security best practice such as patching, privilege management and effective tooling.
Researchers from cyber-security firm ESET recently discovered a never-before-seen malware framework named ‘Ramsey’ that is designed to specifically target data stored within air-gapped networks.
Ramsey is designed to spread via removable media, and on infection, collects .doc, .pdf and .zip files and stores them within an encrypted container ready for exfiltration[3]. ESET go on to say that the exact mechanism for exfiltration is currently unknown, however articles on the subject have reported cases where an exfiltration has been successful [1].
Perhaps what is most concerning is that ESET speculate that distribution may be occurring via spear phishing [2], presumably specifically targeting individuals with access to air-gapped networks.
The above reinforces the fact that an air-gap alone is not a guarantee of security. If you would like some further guidance on effective cyber security tooling for forensic and air-gapped networks, contact us at info@avatu.co.uk
You can read full details of what is known about this malware on the blog post here: https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/
[3] https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/