Last week was full of stories about the newly discovered cyber espionage malware Ramsay, which some have touted is capable of stealing files from air-gapped networks.

Air-gapping is a security measure which physically isolates systems from other networks. There are no network interfaces that connect it, and transferring files in and out of air-gapped networks generally requires the use of external media, AKA sneakernet.  Air-gapping usually represents the highest level of security available to a network and is often used for highly classified and restricted environments (or for completely offline backups).

What Does Ramsay Really Do?

Once Ramsay infects a system, it performs three basic functions:

• Makes itself persistent on the infected system
• Scans the system, including network drives and removable media, for documents; stores a copy of documents found in a hidden container for later retrieval
• Spreads to other systems within the same network, using scanners to find vulnerable devices and by infecting files on network shares and removable media with copies of itself

Evidence suggests that Ramsay was built to attack air-gapped networks, but it cannot magically transport files across the gap, as some media outlets have reported.  No retrieval or exfiltrations system has been discovered, but would presumably need to be launched by an insider with physical access to systems on the network.  For a great write-up on the technical aspects of Ramsay, check out this post by Ignacio Sanmillan.

Hopping Across

There are ways to steal data from air-gapped networks.  Israeli researcher Mordechai Guri has demonstrated several creative techniques to bridge the gap, leveraging different mediums that range from acoustic vibrations to electromagnetic radiation in order to transmit data (these methods require some physical proximity, but that can come in the form of a nearby computer or cellphone).  One day audio-visual gaps and Faraday casing may become the norm, but for the time being air-gapping is still pretty safe.