Ramsay Malware

[1] Ramsay is specifically tailored for Windows systems on networks that are not connected to the internet and that are also isolated from company intranets, so-called air-gapped networks, from which it steals sensitive documents such as Word documents after first collecting them in a hidden storage folder.

[1] The discovery of Ramsay was seen as significant as malware is rarely able to target physically isolated devices.

[4] While authorship has not been attributed, it shares many artefacts with Retro, a backdoor by the hacking group Darkhotel, which is believed to operate in the interests of South Korea.

Ramsay versions 1 and 2.b exploit CVE-2017-0199, a "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API".

[2] Ramsay spreads via removable media such as USB sticks and via network shares.