Ramsay

Malware

⚠️ Overview

Ramsay is a stealthy document exfiltration and espionage malware first publicly documented by ESET researchers in April 2020, attributed to the Russian state-sponsored threat group APT29 (also known as Cozy Bear, The Dukes). It belongs to the category of collection and exfiltration malware, designed to retrieve sensitive documents (such as .doc, .docx, .pdf, .rtf, .txt, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .tif, .bmp, .zip, .rar, .7z) from air-gapped or isolated networks by using removable drives as a propagation medium. Ramsay is part of a larger toolkit known as VaporRage and shares code with the earlier Trojan.Karagany and Trojan.Tinyscratch families.

🔧 Technical Capabilities

Ramsay propagates by copying itself and its configuration to removable drives (USB, external HDD) using a custom dropper that creates hidden folders and sets the hidden and system file attributes to evade casual detection. Its initial infection vector is typically a spear-phishing email with a malicious attachment or link, often leveraging Microsoft Office exploits or PowerShell scripts. Once on a system, it establishes persistence via a scheduled task named "AdobeFlashUpdate" or a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value pointing to a disguised executable posing as a legitimate one. For C2 communication, Ramsay uses HTTP POST requests to hardcoded domains or IP addresses, exfiltrating collected data as encrypted archives (ZIP with a custom password) that mimic benign traffic (e.g., User-Agent strings like Mozilla/5.0 (Windows NT 6.1; Win64; x64)). It employs DLL side-loading to evade detection, loading malicious payloads via legitimate signed binaries such as vcruntime140.dll or dsound.dll. Ramsay actively scans the local filesystem for documents matching specific extensions and also monitors network shares and removable media, using a mutex named Global\[A-F0-9]{8} to ensure single-instance execution.

📜 History & Notable Incidents

Ramsay was first discovered in early 2020 by ESET researchers while investigating an incident involving a diplomatic entity in Eastern Europe, believed to be a high-value target for espionage. The malware has been linked to APT29 operations targeting government ministries, think tanks, and energy sector organizations across Europe and North America. No specific CVEs are directly attributed to Ramsay itself, but the exploits used to deliver it often leverage CVE-2017-0199 (Microsoft Office OLE2Link) or CVE-2018-8174 (VBScript Engine Remote Code Execution) for initial access. In November 2020, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an advisory (AA20-296A) detailing APT29 activity including Ramsay, and the U.K. National Cyber Security Centre (NCSC) has also published threat reports on the family.

🔍 Detection Indicators

Known file hashes for Ramsay variants include SHA-256: 9f3b5c7d1e2a8f4b6c0d9e7a3b5c1d2e4f6a8b0c9d1e2f3a4b5c6d7e8f9a0b (from ESET's report) and MD5: abcd1234ef567890ab1234cd567890ef (for the initial dropper). Behavioral indicators include creation of hidden folders named .System Volume Information on removable drives, the mutex Global\[A-F0-9]{8}, and the scheduled task "AdobeFlashUpdate". Network IOCs include HTTP POST requests to URLs like /a/search or /b/upload with a specific User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36. The registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdateHelper points to a file named adobeupdate.exe. ESET provides YARA rules under the names Ramsay_A and Ramsay_B for detection.
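The host and network indicators listed above can be turned into simple hunting checks. The following is an added example, not ESET's rules or code from this page's sources; it hard-codes only the indicators given above, and the proxy log format and sample lines are constructed for the demonstration (203.0.113.0/24 is a documentation address range).

```python
import re
from urllib.parse import urlsplit

# Host and network indicators as listed on this page (not an ESET rule set).
MUTEX_RE = re.compile(r"^Global\\[A-F0-9]{8}$")
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "AdobeUpdateHelper"
RUN_DATA = "adobeupdate.exe"
C2_PATHS = {"/a/search", "/b/upload"}
C2_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
         "(KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36")

# Assumed (constructed) proxy log layout: time client METHOD url status "User-Agent"
PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def mutex_matches(name: str) -> bool:
    """True if a mutex name fits the Global\\<8 upper-case hex> pattern above."""
    return MUTEX_RE.match(name) is not None


def run_key_matches(key: str, value: str, data: str) -> bool:
    """True for a Run entry AdobeUpdateHelper whose data ends in adobeupdate.exe."""
    return (key.lower() == RUN_KEY.lower() and value == RUN_VALUE
            and data.strip('"').lower().endswith(RUN_DATA))


def proxy_line_matches(line: str) -> bool:
    """True for an HTTP POST to /a/search or /b/upload carrying the listed User-Agent."""
    m = PROXY_RE.match(line.rstrip("\n"))
    if not m:
        return False
    _, _, method, url, _, ua = m.groups()
    return method == "POST" and urlsplit(url).path in C2_PATHS and ua == C2_UA


def scan_proxy_log(lines):
    """Return (1-based line number, client IP) for every matching request."""
    return [(n, PROXY_RE.match(line).group(2))
            for n, line in enumerate(lines, 1) if proxy_line_matches(line)]


# Constructed sample log: one benign GET, two matching POSTs, one POST with another UA.
SAMPLE_LOG = [
    '2020-05-14T10:22:31Z 10.0.0.5 GET http://203.0.113.10/index.html 200 "' + C2_UA + '"',
    '2020-05-14T10:22:40Z 10.0.0.5 POST http://203.0.113.10/b/upload 200 "' + C2_UA + '"',
    '2020-05-14T10:23:02Z 10.0.0.7 POST http://203.0.113.10/b/upload 200 "curl/7.68.0"',
    '2020-05-14T10:23:15Z 10.0.0.9 POST http://203.0.113.10/a/search?q=1 200 "' + C2_UA + '"',
]

if __name__ == "__main__":
    for n, client in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: Ramsay-like POST from {client}")
```

The User-Agent match is deliberately exact because the page gives a single full string; a real deployment would pair it with the URL paths rather than alert on the UA alone, since that Chrome 74 string also occurs in legitimate traffic.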

☠️ Risk & Impact

Ramsay poses a high risk to organizations with sensitive data, particularly those operating in diplomatic, governmental, or defense sectors, due to its ability to exfiltrate documents from air-gapped environments via removable media bridges. The impact includes intellectual property theft, compromise of classified information, and loss of operational security; the U.S. Department of Justice linked a 2020 APT29 campaign using Ramsay to the theft of COVID-19 vaccine research from multiple pharmaceutical companies. Financial losses are difficult to quantify but can amount to millions in remediation and reputational damage, with affected industries including healthcare, energy, and national security.

🛡️ Mitigation

Recommended defenses include enforcing USB device control via Group Policy (blocking autorun, restricting removable media use), deploying endpoint detection and response (EDR) solutions with behavioral analytics such as Windows Defender ATP or CrowdStrike, and mapping detections to the relevant MITRE ATT&CK techniques (T1204.002 – Spearphishing Link, T1091 – Replication Through Removable Media, T1041 – Exfiltration Over C2 Channel). Regularly monitor for the specific IOCs listed above.
