Ramnit Botnet Brought Down in Joint Operation by Police, Security Researchers

Researchers at Microsoft, AnubisNetworks and Symantec joined forces with law enforcement to deliver a body blow to the Ramnit botnet.

The software companies assisted Europol’s European Cybercrime Centre (EC3) and the UK’s National Crime Agency (NCA) in the operation to shut down Ramnit’s command and control servers and redirect 300 Internet domain addresses used by the botnet’s operators. Ramnit has been active since 2010 and is estimated to have infected more than 3.2 million computers during that time.

Microsoft said it has detected approximately 500,000 instances of computers infected with Ramnit during the past six months. According to Symantec, the botnet is currently about 350,000 computers strong.

“Ramnit (W32.Ramnit) began life as a worm, first appearing in 2010 and spreading quickly due to aggressive self-propagation tactics,” according to Symantec. “Once it compromised a computer it sought out all EXE, DLL, HTM, and HTML files on the local hard disk and any removable drives and attempted to infect them with copies of itself.”

“Over time the malware has evolved as its controllers appeared to shift their focus from building the botnet to exploiting it,” Symantec continued. “The most recent version of Ramnit (W32.Ramnit.B) has abandoned the file infection routine in favor of a range of alternative infection methods. Its cybercrime capabilities were beefed up considerably with a number of different modules that are borrowed from the Zeus Trojan (Trojan.Zbot), whose source code was leaked in May 2011. This development transformed the Ramnit botnet into a vast cybercrime empire, spanning up to 350,000 compromised computers at present, harvesting banking credentials, passwords, cookies, and personal files from victims.”

Ramnit’s victims span the globe, but the largest portion is located in India (27 percent) and Indonesia (18 percent). The United States accounted for six percent of the victims, Symantec noted.

“While early versions of Ramnit relied on file infection routines to spread, the attackers today exhibit a high degree of resourcefulness, using a number of different tactics to compromise victims,” according to Symantec. “One of its main recent methods has been exploit kits hosted on compromised websites and social media pages. In addition to this, public FTP servers have also been found to be distributing the malware. Another possible route of compromise has been through potentially unwanted applications, which are inadvertently installed as part of software bundles from less reputable sources.”

Europol Deputy Director Operations Wil van Gemert said the operation shows the importance of international cooperation between law enforcement agencies and private industry companies.

“We will continue our efforts in taking down botnets and disrupting the core infrastructures used by criminals to conduct a variety of cybercrimes,” he said in a statement. “Together with the EU Member States and partners around the globe, our aim is to protect people around the world against these criminal activities.”
