New malware can steal data from air-gapped systems
Researchers from cybersecurity company ESET have uncovered evidence of a new cyber espionage toolkit designed to steal data from air-gapped networks separated from the internet.
The new toolkit, dubbed Ramsay, is designed to collect all existing Microsoft Word documents within a target's file system and prepare them for exfiltration, and it grants attackers the ability to remotely execute commands.
The toolkit includes a component that allows it to operate within air-gapped networks.
The Ramsay toolkit has gone through several iterations. This, coupled with the low number of victims, has led ESET to believe the framework is under an ongoing development process.
The developers in charge of infection vectors appear to be trying different approaches ranging from using old Microsoft Word vulnerabilities from 2017 to deploying trojanised applications for delivery by methods such as spear phishing.
ESET Research Leader Alexis Dorais-Joncas said the latest release of the malware employs advanced techniques related to evasion and persistence.
“We initially found an instance of Ramsay in a VirusTotal sample uploaded from Japan that led us to the discovery of further components and other versions of the framework along with substantial evidence to conclude that the framework is still in a developmental stage, with delivery vectors subject to fine testing,” he said.
“Especially noteworthy is how the architectural design of Ramsay, especially the relationship between its spreading and control capabilities, allows it to operate in air-gapped networks — meaning networks that are not connected to the internet.”
Tenable Vice President of Operational Technology Security Marty Edwards said the findings should serve as a wake-up call for enterprises working under the false belief that air-gapped systems are inherently secure.
“There’s a misconception that air-gapped systems are ‘bullet-proof’ given that they are isolated from online networks. In reality, systems that are disconnected from networks or air-gapped still have a large number of access vectors,” he said.
“Organisations need to consider access points such as removable media (sneakernet) or something more sophisticated like radiofrequency signals (Tempest) within the operational technology environment to worry about.”