{
	"id": "c30afbb6-b1e2-4152-a7c9-8b6f6c1b0c06",
	"created_at": "2026-04-06T00:17:59.09033Z",
	"updated_at": "2026-04-10T03:29:57.896564Z",
	"deleted_at": null,
	"sha1_hash": "b81a3babef9e7f880c7f32e982fa5cc14174abfb",
	"title": "Why On-Device Detection Matters: New Ramsay Trojan Targets Air-Gapped Networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3368558,
	"plain_text": "Why On-Device Detection Matters: New Ramsay Trojan Targets Air-Gapped Networks\r\nBy Jim Walter\r\nPublished: 2020-05-20 · Archived: 2026-04-05 17:39:20 UTC\r\nThe Ramsay “framework” emerged in late 2019 and was disclosed thanks to a discovery by researchers querying the VirusTotal public malware repository. As of April 2020, there appear to be two fully maintained branches of the toolkit. Although in-the-wild instances of the Ramsay malware appear to be low at present, this may be due to the malware’s highly specialized objectives. The Ramsay samples discovered to date are heavily focused on both persistence and data exfiltration from air-gapped environments. This suggests the possibility that the malware was developed for advanced targeted campaigns by a threat actor primarily interested in organizations trying to protect the most sensitive of information. As is often the case with specialized malware, there is also a real danger of it “leaking” or being repurposed against targets that were not in the original threat actors’ sights.\r\nRamsay Distribution and Persistence\r\nThe original version of Ramsay was distributed via maliciously crafted Office documents. These documents were distributed via email and were designed to exploit CVE-2017-0199 to facilitate the installation of the malware. CVE-2017-0199 is a remote code execution flaw in Microsoft Word. Specifically, it allows attackers to retrieve and launch code, including VBS \u0026 PowerShell, upon the opening of a specially crafted RTF document. Several versions of these malicious Word documents were discovered on VirusTotal with names such as “access_test.docx” and “Test.docx”, indicating that the threat actors may have been evaluating how well their malware fared against vendors’ static engines.\r\nLater versions of Ramsay (v2.a/2.b) were distributed as trojanized installers for well-known applications such as 7zip. These later versions also included an aggressive spreading mechanism that locates local and network-adjacent PE files and infects them to allow for further spreading in targeted environments.\r\nVersion 2.b was also seen to be exploiting CVE-2017-11882. This vulnerability allows attackers to achieve arbitrary code execution as the current user in MS Office 2016 and several earlier Office Service Pack versions. Both CVE-2017-0199 and CVE-2017-11882 are used for exploitation for client execution (MITRE T1203).\r\nhttps://www.sentinelone.com/blog/why-on-device-detection-matters-new-ramsay-trojan-targets-air-gapped-networks/\r\nPage 1 of 4\r\n
Along with the spreading capabilities, Ramsay includes multiple techniques for maintaining persistence. These include:\r\nAppInitDLL Registry Key Entries\r\nScheduled Tasks\r\nDLL Hijacking\r\nWhile early versions used well-known persistence techniques such as loading custom DLLs into other application processes’ address space and task scheduling, later versions leverage DLL Hijacking, specifically targeting the msfte.dll and oci.dll dependencies of the Microsoft Search Service and the Microsoft Distributed Transaction Coordinator service, respectively.\r\nRamsay Observed Behavior\r\nRamsay’s main goal is data collection and exfiltration. Immediately upon infection, the trojan will begin to locate specific document types, particularly MS Word and PDF format files, and store them in a customized location. The items are also archived and encrypted via RC4, and subsequently compressed with an instance of WinRAR installed by the trojan. It should be noted that Ramsay will attempt to collect documents from both local and remote locations where possible. Ramsay also has some built-in “intelligence” to avoid the collection of duplicate/redundant files.\r\n
The analysis is ongoing with respect to the data exfiltration mechanism. Current intelligence indicates that an additional component will locate the collected “containers” of documents from infected hosts, identified by special file markers. When the containers are located AND a Ramsay control file is present on the affected network, data exfiltration can occur via this additional component. Ramsay uses intra-network control files to operate, as opposed to a central command-and-control infrastructure.\r\nSpreading is handled via an additional component, dropped by the main installer. This component will scan and locate accessible drives/locations (excluding the A: and B: reserved devices).\r\nGiven some level of code reuse, there may be a correlation between Ramsay and the Retro Backdoor associated with Darkhotel. As with the data exfiltration piece, analysis of this relationship is ongoing.\r\nDoes SentinelOne Protect Against Ramsay Malware?\r\nYes, it does. Organizations secured by the SentinelOne platform are fully protected against the threat from Ramsay malware, as demonstrated in this video. Even when the network is disconnected, such as with an air-gapped device, the SentinelOne agent will detect the malware locally on-device.\r\n
Conclusion\r\nThe Ramsay framework is a novel malware toolkit that appears to be under active development by a sophisticated threat actor. While current telemetry suggests this is a highly targeted attack focused on specific environments, history suggests that a malware toolkit of this nature could soon ‘spread its wings’ and represent a threat to a much wider audience. Moreover, the discovery of this new toolkit targeting air-gapped machines highlights the importance of having a behavioral, AI-driven security solution that can actively detect and respond to threats on the local device without solely relying on cloud connectivity, human analysts or static reputation engines.\r\nIf you are not already protected by SentinelOne and would like to learn more about how our industry-leading platform can help defend your organization against Ramsay malware and all other threats, contact us or request a free demo today.\r\n
Sample Hashes for Ramsay Malware\r\nSource: https://www.sentinelone.com/blog/why-on-device-detection-matters-new-ramsay-trojan-targets-air-gapped-networks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/blog/why-on-device-detection-matters-new-ramsay-trojan-targets-air-gapped-networks/"
	],
	"report_names": [
		"why-on-device-detection-matters-new-ramsay-trojan-targets-air-gapped-networks"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434679,
	"ts_updated_at": 1775791797,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b81a3babef9e7f880c7f32e982fa5cc14174abfb.pdf",
		"text": "https://archive.orkl.eu/b81a3babef9e7f880c7f32e982fa5cc14174abfb.txt",
		"img": "https://archive.orkl.eu/b81a3babef9e7f880c7f32e982fa5cc14174abfb.jpg"
	}
}