S0458: Ramsay

Ramsay matters because MITRE describes it as a Windows information-stealing framework designed to collect and exfiltrate sensitive documents, including from air-gapped systems. For leaders, the key issue is not only malware removal; it is whether controls around document repositories, removable media, network shares, and isolated environments can prove that sensitive data was not silently collected, staged, or moved.

Executive priority

Prioritize Ramsay as a resilience and data-protection scenario for high-value Windows environments, especially where removable media, shared drives, or air-gapped workflows are used to protect sensitive operations. Executives should ask whether the organization can evidence control over USB use, file-share access, scheduled task abuse, stealthy execution, local data staging, and outbound web traffic. This is also relevant to audit readiness because the material question after a suspected event will be: what documents were accessible, copied, staged, or potentially transferred?

Technical view

SOC and IR teams should validate coverage across the behaviors linked to Ramsay: local, removable-media, and network-share data collection; file and directory discovery; process, network configuration, network connection, service, and peripheral discovery; local data staging; scheduled task persistence or execution; Visual Basic and Native API execution; DLL injection; masquerading; obfuscation, steganography, and rootkit-style stealth; removable-media replication; tainted shared content; screen capture; and web-protocol command-and-control. Because MITRE provides no official detection text for Ramsay, detection engineering should be behavior-led rather than signature-led, with special attention to Windows hosts that bridge isolated networks and removable media workflows.

Likely telemetry

Windows endpoint process creation and command-line telemetry, including scripting and Visual Basic-related execution where available
File creation, modification, rename, copy, and delete events on local disks, removable media, and network shared drives
Removable media insertion, mount, file access, and policy enforcement logs
Windows Scheduled Task creation, modification, and execution evidence
Endpoint telemetry for DLL loading, process injection indicators, native API-heavy execution, and suspicious child-process patterns

Detection direction

Build detections around behavior chains: discovery followed by broad document access, local staging, removable-media interaction, or web-protocol communication is more meaningful than any single event.
Tune monitoring for sensitive document locations and shared drives, focusing on unusual enumeration, bulk access, copying, or staging from Windows endpoints and accounts that do not normally perform those actions.
Validate controls and alerts for removable media use, especially on systems that connect to isolated or air-gapped environments; absence of telemetry here is a major blind spot for this malware family description.
Review scheduled task creation and modification for unusual names, paths, or execution of scripts/binaries from user-writable, removable, or shared locations.
Correlate masquerading and obfuscation signals with execution context: legitimate-looking names in unusual paths, unexpected DLL loads, and suspicious script execution can reduce false positives compared with simple filename matching.

Mitigation priorities

Identify Windows systems that handle sensitive documents, removable media, network shares, or air-gapped transfer workflows and treat them as priority control points.
Restrict and monitor removable media use; disable autorun-style behavior where applicable and require approved transfer procedures for isolated environments.
Apply least-privilege access to document repositories and network shares, with auditing sufficient to reconstruct file access and copying during an investigation.
Harden execution paths with application control, script controls, and scheduled task governance to reduce abuse of Visual Basic, native execution, DLL injection, and persistence mechanisms.
Improve endpoint hardening and monitoring for stealth techniques such as masquerading, obfuscated files, suspicious DLL activity, and rootkit-like attempts to hide artifacts.

Analyst notes and limits

MITRE lists Ramsay as malware S0458 in enterprise ATT&CK, platform Windows, with an official description focused on information stealing and sensitive document collection/exfiltration, including from air-gapped systems. MITRE also notes researcher-identified overlaps with Darkhotel-associated Retro malware; this should be treated as research context, not as a claim of current attribution or active exploitation. The relationship set is rich and should drive defensive validation across collection, discovery, execution, persistence, lateral movement, command-and-control, and stealth behaviors.

The supplied ATT&CK object does not provide official detection guidance, aliases, labels, or object-level tactics. Several related techniques list broader platforms, but the Ramsay object itself is supplied as Windows, so local validation should focus on Windows unless separate evidence expands scope. Any assessment of exposure, compromise, or detection coverage requires environment-specific telemetry, asset context, and investigation evidence.

Official MITRE ATT&CK definition

Ramsay

Ramsay is an information stealing malware framework designed to collect and exfiltrate sensitive documents, including from air-gapped systems. Researchers have identified overlaps between Ramsay and the Darkhotel-associated Retro malware.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 39 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1135	Network Share Discovery	Ramsay can scan for network drives which may contain documents for collection.[1][2]
Enterprise	T1559.002	Dynamic Data Exchange Sub-technique	Ramsay has been delivered using OLE objects in malicious documents.[1]
Enterprise	T1113	Screen Capture	Ramsay can take screenshots every 30 seconds as well as when an external removable storage device is connected.[2]
Enterprise	T1016	System Network Configuration Discovery	Ramsay can use ipconfig and Arp to collect network configuration information, including routing information and ARP tables.[2]
Enterprise	T1106	Native API	Ramsay can use Windows API functions such as `WriteFile`, `CloseHandle`, and `GetCurrentHwProfile` during its collection and file storage operations. Ramsay can execute its embedded components via `CreateProcessA` and `ShellExecute`.[1]
Enterprise	T1014	Rootkit	Ramsay has included a rootkit to evade defenses.[1]
Enterprise	T1046	Network Service Discovery	Ramsay can scan for systems that are vulnerable to the EternalBlue exploit.[1][2]
Enterprise	T1071.001	Web Protocols Sub-technique	Ramsay has used HTTP for C2.[2]
Enterprise	T1080	Taint Shared Content	Ramsay can spread itself by infecting other portable executable files on networks shared drives.[1]
Enterprise	T1566.001	Spearphishing Attachment Sub-technique	Ramsay has been distributed through spearphishing emails with malicious attachments.[2]
Enterprise	T1005	Data from Local System	Ramsay can collect Microsoft Word documents from the target's file system, as well as `.txt`, `.doc`, and `.xls` files from the Internet Explorer cache.[1][2]
Enterprise	T1053.005	Scheduled Task Sub-technique	Ramsay can schedule tasks via the Windows COM API to maintain persistence.[1]
Enterprise	T1074.001	Local Data Staging Sub-technique	Ramsay can stage data prior to exfiltration in `%APPDATA%\Microsoft\UserSetting` and `%APPDATA%\Microsoft\UserSetting\MediaCache`.[1][2]
Enterprise	T1120	Peripheral Device Discovery	Ramsay can scan for removable media which may contain documents for collection.[1][2]
Enterprise	T1574.001	DLL Sub-technique	Ramsay can hijack outdated Windows application dependencies with malicious versions of its own DLL payload.[1]
Enterprise	T1039	Data from Network Shared Drive	Ramsay can collect data from network drives and stage it for exfiltration.[1]
Enterprise	T1560.003	Archive via Custom Method Sub-technique	Ramsay can store collected documents in a custom container after encrypting and compressing them using RC4 and WinRAR.[1]
Enterprise	T1560.001	Archive via Utility Sub-technique	Ramsay can compress and archive collected files using WinRAR.[1][2]
Enterprise	T1203	Exploitation for Client Execution	Ramsay has been embedded in documents exploiting CVE-2017-0199, CVE-2017-11882, and CVE-2017-8570.[1][2]
Enterprise	T1680	Local Storage Discovery	Ramsay can detect system information--including disk names, total space, and remaining space--to create a hardware profile GUID which acts as a system identifier for operators.[1][2]
Enterprise	T1027.003	Steganography Sub-technique	Ramsay has PE data embedded within JPEG files contained within Word documents.[2]
Enterprise	T1036.005	Match Legitimate Resource Name or Location Sub-technique	Ramsay has masqueraded as a 7zip installer.[1][2]
Enterprise	T1057	Process Discovery	Ramsay can gather a list of running processes by using Tasklist.[2]
Enterprise	T1547.001	Registry Run Keys / Startup Folder Sub-technique	Ramsay has created Registry Run keys to establish persistence.[2]
Enterprise	T1548.002	Bypass User Account Control Sub-technique	Ramsay can use UACMe for privilege escalation.[1][2]
Enterprise	T1036	Masquerading	Ramsay has masqueraded as a JPG image file.[1]
Enterprise	T1119	Automated Collection	Ramsay can conduct an initial scan for Microsoft Word documents on the local system, removable media, and connected network drives, before tagging and collecting them. It can continue tagging documents to collect with follow up scans.[1]
Enterprise	T1091	Replication Through Removable Media	Ramsay can spread itself by infecting other portable executable files on removable drives.[1]
Enterprise	T1083	File and Directory Discovery	Ramsay can collect directory and file lists.[1][2]
Enterprise	T1055.001	Dynamic-link Library Injection Sub-technique	Ramsay can use `ImprovedReflectiveDLLInjection` to deploy components.[1]
Enterprise	T1204.002	Malicious File Sub-technique	Ramsay has been executed through malicious e-mail attachments.[2]
Enterprise	T1059.005	Visual Basic Sub-technique	Ramsay has included embedded Visual Basic scripts in malicious documents.[1][2]
Enterprise	T1027	Obfuscated Files or Information	Ramsay has base64-encoded its portable executable and hidden itself under a JPG header. Ramsay can also embed information within document footers.[1]
Enterprise	T1049	System Network Connections Discovery	Ramsay can use `netstat` to enumerate network connections.[2]
Enterprise	T1140	Deobfuscate/Decode Files or Information	Ramsay can extract its agent from the body of a malicious document.[1]
Enterprise	T1132.001	Standard Encoding Sub-technique	Ramsay has used base64 to encode its C2 traffic.[2]
Enterprise	T1559.001	Component Object Model Sub-technique	Ramsay can use the Windows COM API to schedule tasks and maintain persistence.[1]
Enterprise	T1025	Data from Removable Media	Ramsay can collect data from removable media and stage it for exfiltration.[1]
Enterprise	T1546.010	AppInit DLLs Sub-technique	Ramsay can insert itself into the address space of other applications using the AppInit DLL Registry key.[1]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.1
Created: May 27, 2020, 16:58 UTC (UTC+00:00)
Modified: Apr 25, 2025, 14:44 UTC (UTC+00:00)
Raw hash: 3c913892d2b7c0ea...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	Jun 3, 2026, 07:54 UTC (UTC+00:00)	1.1	Apr 25, 2025, 14:44 UTC (UTC+00:00)	Current bundle	`3c913892d2b7…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
Eset Ramsay May 2020

Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
Open source URL
[2]
Antiy CERT Ramsay April 2020

Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
Open source URL
[3]
Ramsay

(Citation: Eset Ramsay May 2020)
[4]
mitre-attack S0458
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams