Ramsay Trojan

Ramsay is a highly sophisticated information-stealing trojan and associated espionage framework capable of operating on air-gapped systems. First observed in September 2019, it is believed to have been created by or for the Darkhotel advanced persistent threat group.


Affected platforms

The following platforms are known to be affected:

Threat details

Since it was first observed, Ramsay has gone through two major iterations, each introducing a new delivery mechanism. Ramsay v1 is distributed via malicious documents containing an initial VBS script, an exploit for CVE-2017-0199, and a PE file disguised as a JPEG image. Versions 2.a and 2.b both exploit CVE-2017-11882; 2.a is delivered disguised as a legitimate file utility, whilst 2.b is again delivered via malicious documents.

Once installed, Ramsay edits several registry keys, creates multiple scheduled tasks, and injects itself into a running process in order to maintain persistence. Later variants also achieve persistence through phantom DLL hijacking of the MSDTC service, and include a network scanner that looks for hosts vulnerable to EternalBlue, with any scan results written to the collection directory.

Remediation steps

Updates are available to fully address both CVE-2017-0199 and CVE-2017-11882. Organisations are encouraged to apply these updates immediately if they have not already done so.

Additionally, to prevent and detect a trojan infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.



Indicators of compromise

Main indicators

SHA1 File Hashes

  • 19bf019fc0bf44828378f008332430a080871274
  • 3849e01bff610d155a3153c897bb662f5527c04c
  • 3bb205698e89955b4bd07a8a7de3fc75f1cb5cde
  • 50eb291fc37fe05f9e55140b98b68d77bd61149e
  • 5a5738e2ec8af9f5400952be923e55a5780a8c55
  • 5c482bb8623329d4764492ff78b4fbc673b2ef23
  • 62d2cc1f6eedba2f35a55beb96cd59a0a6c66880
  • 7d85b163d19942bb8d047793ff78ea728da19870
  • 87ef7bf00fe6aa928c111c472e2472d2cb047eae
  • ae722a90098d1c95829480e056ef8fd4a98eedd7
  • baa20ce99089fc35179802a0cc1149f929bdf0fa
  • bd8d0143ec75ef4c369f341c2786facbd9f73256
  • bd97b31998e9d673661ea5697fe436efe026cba1
  • e7987627200d542bb30d6f2386997f668b8a928c
  • eb69b45faf3be0135f44293bc95f06dad73bc562
  • f74d86b6e9bd105ab65f2af10d60c4074b8044c9
  • f79da0d8bb1267f9906fad1111bd929a41b18c03
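
The following script is an added example and not NHS Digital's tooling. It hashes every regular file under a directory tree and reports any whose SHA1 appears in the indicator list above, streaming large files, skipping symlinks and unreadable (locked) files, and normalising indicator case so feeds that publish upper-case hashes still match. The demo() function plants constructed files in a temporary directory; the "planted" content is an arbitrary byte string, not a Ramsay sample, and its hash is added to the indicator set purely to exercise the matching path.

```python
"""Hash-based hunt for the Ramsay SHA1 indicators listed above.

Added example (not NHS Digital's code). Walks a directory tree, computes
the SHA1 of each regular file and reports matches against the indicator set.
demo() runs the hunt over constructed files in a temporary directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, FrozenSet, Iterable, Iterator, List, Tuple

# SHA1 indicators copied from the advisory's list (lower-case hex).
RAMSAY_SHA1: FrozenSet[str] = frozenset({
    "19bf019fc0bf44828378f008332430a080871274",
    "3849e01bff610d155a3153c897bb662f5527c04c",
    "3bb205698e89955b4bd07a8a7de3fc75f1cb5cde",
    "50eb291fc37fe05f9e55140b98b68d77bd61149e",
    "5a5738e2ec8af9f5400952be923e55a5780a8c55",
    "5c482bb8623329d4764492ff78b4fbc673b2ef23",
    "62d2cc1f6eedba2f35a55beb96cd59a0a6c66880",
    "7d85b163d19942bb8d047793ff78ea728da19870",
    "87ef7bf00fe6aa928c111c472e2472d2cb047eae",
    "ae722a90098d1c95829480e056ef8fd4a98eedd7",
    "baa20ce99089fc35179802a0cc1149f929bdf0fa",
    "bd8d0143ec75ef4c369f341c2786facbd9f73256",
    "bd97b31998e9d673661ea5697fe436efe026cba1",
    "e7987627200d542bb30d6f2386997f668b8a928c",
    "eb69b45faf3be0135f44293bc95f06dad73bc562",
    "f74d86b6e9bd105ab65f2af10d60c4074b8044c9",
    "f79da0d8bb1267f9906fad1111bd929a41b18c03",
})


def normalise(indicators: Iterable[str]) -> FrozenSet[str]:
    """Lower-case and strip hashes so upper-case or padded feeds still match."""
    return frozenset(h.strip().lower() for h in indicators if h.strip())


def sha1_of_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def iter_regular_files(root: Path) -> Iterator[Path]:
    """Yield regular files under root; symlinks are skipped so the hunt
    neither loops nor hashes files outside the requested tree."""
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            yield p


def hunt(root: Path, indicators: FrozenSet[str] = RAMSAY_SHA1) -> List[Tuple[Path, str]]:
    """Return (path, sha1) for every file whose digest is in indicators."""
    hits: List[Tuple[Path, str]] = []
    for p in iter_regular_files(root):
        try:
            digest = sha1_of_file(p)
        except OSError:
            # Locked or unreadable files are skipped rather than aborting the hunt;
            # a production job should log them for manual review.
            continue
        if digest in indicators:
            hits.append((p, digest))
    return hits


def demo() -> Dict[str, object]:
    """Plant constructed files, run the hunt and return a summary.
    The planted content is an arbitrary byte string, NOT a Ramsay sample; its
    hash is added (upper-cased, to exercise normalise) only to test matching."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "notes.txt").write_bytes(b"quarterly figures\n")  # benign
        planted = root / "sub" / "image.jpg"  # mirrors the v1 PE-as-JPEG lure name only
        planted.write_bytes(b"MZ constructed-placeholder-not-real-malware")
        indicators = normalise(RAMSAY_SHA1 | {sha1_of_bytes(planted.read_bytes()).upper()})
        hits = hunt(root, indicators)
        return {
            "hit_count": len(hits),
            "hit_names": sorted(p.name for p, _ in hits),
            "indicator_count": len(indicators),
        }


if __name__ == "__main__":
    # HUNT_ROOT is an assumed environment variable for this example only.
    for path, digest in hunt(Path(os.environ.get("HUNT_ROOT", "."))):
        print(f"MATCH {digest} {path}")
    print(demo())
```

Hash matching is only a first pass: a repacked or recompiled sample will not match any of the 17 digests, so a clean run does not prove absence. Treat a hit as a confirmed indicator and a miss as a prompt to fall back on the behavioural signs listed under Threat details (new scheduled tasks, unexpected registry changes, MSDTC loading an unexpected DLL, internal SMB scanning) and on the monitoring advised above.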

Last edited: 29 June 2021 12:01 pm