Skip to content

S0458 Ramsay

Ramsay is an information stealing malware framework designed to collect and exfiltrate sensitive documents, including from air-gapped systems. Researchers have identified overlaps between Ramsay and the Darkhotel-associated Retro malware.12

Item Value
ID S0458
Associated Names
Version 1.1
Created 27 May 2020
Last Modified 14 April 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control Ramsay can use UACMe for privilege escalation.12
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Ramsay has used HTTP for C2.2
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility Ramsay can compress and archive collected files using WinRAR.12
enterprise T1560.003 Archive via Custom Method Ramsay can store collected documents in a custom container after encrypting and compressing them using RC4 and WinRAR.1
enterprise T1119 Automated Collection Ramsay can conduct an initial scan for Microsoft Word documents on the local system, removable media, and connected network drives, before tagging and collecting them. It can continue tagging documents to collect with follow up scans.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Ramsay has created Registry Run keys to establish persistence.2
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.005 Visual Basic Ramsay has included embedded Visual Basic scripts in malicious documents.12
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Ramsay has used base64 to encode its C2 traffic.2
enterprise T1005 Data from Local System Ramsay can collect Microsoft Word documents from the target’s file system, as well as .txt, .doc, and .xls files from the Internet Explorer cache.12
enterprise T1039 Data from Network Shared Drive Ramsay can collect data from network drives and stage it for exfiltration.1
enterprise T1025 Data from Removable Media Ramsay can collect data from removable media and stage it for exfiltration.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Ramsay can stage data prior to exfiltration in %APPDATA%\Microsoft\UserSetting and %APPDATA%\Microsoft\UserSetting\MediaCache.12
enterprise T1140 Deobfuscate/Decode Files or Information Ramsay can extract its agent from the body of a malicious document.1
enterprise T1546 Event Triggered Execution -
enterprise T1546.010 AppInit DLLs Ramsay can insert itself into the address space of other applications using the AppInit DLL Registry key.1
enterprise T1203 Exploitation for Client Execution Ramsay has been embedded in documents exploiting CVE-2017-0199, CVE-2017-11882, and CVE-2017-8570.12
enterprise T1083 File and Directory Discovery Ramsay can collect directory and file lists.12
enterprise T1574 Hijack Execution Flow -
enterprise T1574.001 DLL Search Order Hijacking Ramsay can hijack outdated Windows application dependencies with malicious versions of its own DLL payload.1
enterprise T1559 Inter-Process Communication -
enterprise T1559.001 Component Object Model Ramsay can use the Windows COM API to schedule tasks and maintain persistence.1
enterprise T1559.002 Dynamic Data Exchange Ramsay has been delivered using OLE objects in malicious documents.1
enterprise T1036 Masquerading Ramsay has masqueraded as a JPG image file.1
enterprise T1036.005 Match Legitimate Name or Location Ramsay has masqueraded as a 7zip installer.12
enterprise T1106 Native API Ramsay can use Windows API functions such as WriteFile, CloseHandle, and GetCurrentHwProfile during its collection and file storage operations. Ramsay can execute its embedded components via CreateProcessA and ShellExecute.1
enterprise T1046 Network Service Discovery Ramsay can scan for systems that are vulnerable to the EternalBlue exploit.12
enterprise T1135 Network Share Discovery Ramsay can scan for network drives which may contain documents for collection.12
enterprise T1027 Obfuscated Files or Information Ramsay has base64-encoded its portable executable and hidden itself under a JPG header. Ramsay can also embed information within document footers.1
enterprise T1027.003 Steganography Ramsay has PE data embedded within JPEG files contained within Word documents.2
enterprise T1120 Peripheral Device Discovery Ramsay can scan for removable media which may contain documents for collection.12
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Ramsay has been distributed through spearphishing emails with malicious attachments.2
enterprise T1057 Process Discovery Ramsay can gather a list of running processes by using Tasklist.2
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection Ramsay can use ImprovedReflectiveDLLInjection to deploy components.1
enterprise T1091 Replication Through Removable Media Ramsay can spread itself by infecting other portable executable files on removable drives.1
enterprise T1014 Rootkit Ramsay has included a rootkit to evade defenses.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Ramsay can schedule tasks via the Windows COM API to maintain persistence.1
enterprise T1113 Screen Capture Ramsay can take screenshots every 30 seconds as well as when an external removable storage device is connected.2
enterprise T1082 System Information Discovery Ramsay can detect system information–including disk names, total space, and remaining space–to create a hardware profile GUID which acts as a system identifier for operators.12
enterprise T1016 System Network Configuration Discovery Ramsay can use ipconfig and Arp to collect network configuration information, including routing information and ARP tables.2
enterprise T1049 System Network Connections Discovery Ramsay can use netstat to enumerate network connections.2
enterprise T1080 Taint Shared Content Ramsay can spread itself by infecting other portable executable files on networks shared drives.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Ramsay has been executed through malicious e-mail attachments.2