Ramsay

Malware Profile Updated 2 months ago
Ramsay is a sophisticated malware that was discovered by researchers at ESET in 2020. It is designed to infiltrate and exploit air-gapped networks, which are typically isolated from other networks for security reasons. Once it has infected a system, Ramsay can collect and exfiltrate sensitive documents even while operating within these secure, disconnected environments. The collected files are then compressed using a WinRAR instance that the Ramsay Installer drops.

The impact of Ramsay became evident when Ramsay Health Care, Australia's largest private hospital owner, experienced significant disruption to its phone services across its 70 hospitals and clinics. The company confirmed via Facebook that the outage was due to a national issue with Optus telecommunications. During this period, it advised patients and staff to contact their local Ramsay hospital through the contact form on each hospital's website. The outage also affected other health institutions such as the Northern Health district in Melbourne, which reported that all phone lines into its hospital campuses had been impacted.

The discovery of Ramsay underscores the growing threat posed by cyber-espionage activities, particularly those targeting critical infrastructure such as healthcare. Despite the isolation that air-gapped networks provide, Ramsay demonstrates that these systems are not immune to infiltration. Organizations must therefore continue to invest in robust cybersecurity measures, including regular system updates, employee education, and advanced threat detection tools, to protect against such sophisticated attacks.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Espionage
Malware
Exploit
Backdoor
Tiktok
Windows
T1113
T1035
T1092
Education
Payload
Decoy
Encryption
T1106
T1055
WinRAR
Facebook
Australia
University
Lateral Move...
T1204
T1103
T1053
T1088
T1038
T1107
T1045
T1083
T1210
T1091
T1039
T1025
T1005
T1094
T1129
T1203
T1050
T1135
T1057
T1105
T1119
T1002
exploitation
Trojan
Rootkit
Vulnerability
Associated Malware
Carberp (Type: Unspecified, Votes: 1)
Carberp is a notable malware that has been widely used and modified by various threat actors. Its source code, which was leaked in 2013, has become the basis for a multitude of other malicious software due to its sophisticated design and capabilities. The malware can infiltrate systems through dubio

Spark (Type: Unspecified, Votes: 1)
Spark is a type of malware, a harmful program designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage f
Associated Threat Actors
Darkhotel (Type: Unspecified, Votes: 1)
DarkHotel, also known as DUBNIUM, is a cyber threat actor that has been active since at least 2018. This group has been observed primarily targeting Japanese organizations and has recently been linked to a campaign utilizing unique Tactics, Techniques, and Procedures (TTPs). The campaign involved a
Associated Vulnerabilities
Eternalblue (Type: Unspecified, Votes: 1)
EternalBlue is a significant software vulnerability that exists in the design or implementation of certain systems. This flaw has been exploited by various cyber threats, with one notable instance being its use as an enabler for the widespread WannaCry ransomware attack. The exploit allows attackers

CVE-2017-0199 (Type: Unspecified, Votes: 1)
CVE-2017-0199 is a notable software vulnerability, specifically a flaw in the design or implementation of Microsoft Office's Object Linking and Embedding (OLE) feature. This vulnerability has been exploited over the years to spread various notorious malware families. In 2017, it was used to dissemin

CVE-2017-0143 (Type: Unspecified, Votes: 1)
None

CVE-2017-1188 (Type: Unspecified, Votes: 1)
None
Source Document References
Information about the Ramsay malware was read from the document corpus below. This display is limited to 20 results.

Source (Created At): Title
CERT-EU (8 months ago): Optus outage causes chaos in Australia before services restored
CERT-EU (8 months ago): Telecom outage cuts off millions of Australians
CERT-EU (8 months ago): Optus CEO apologises for Australia-wide outage as services gradually come back online
CERT-EU (8 months ago): Optus needs to ‘step up’, minister says as outage affects millions
CERT-EU (10 months ago): Australia is the 5th most hacked country in the world, cautions cybersecurity expert | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
BankInfoSecurity (a year ago): Malware Campaign Targets Eastern European Air-Gapped Systems
CERT-EU (a year ago): 26 best thrillers on Prime Video to wreck your nerves
CERT-EU (a year ago): Gordon Ramsay's Viral Hack That Makes Cutting An Avocado A Breeze | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
MITRE (a year ago): Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks | WeLiveSecurity
MITRE (a year ago): Analysis of Ramsay components of Darkhotel's infiltration and isolation network - Programmer Sought
CERT-EU (a year ago): UK government bans TikTok | Professional Security
CERT-EU (a year ago): Languages out, cybersecurity in: The degrees universities have axed