Keep Ramnit on Your Radar

11 February 2021

Over a decade ago, security researchers at Microsoft identified a computer worm and dubbed it Ramnit. The malware family, “infects Windows executable files (.EXE) and HTML files (.HTML). It can also give a malicious hacker access to your PC. It spreads through infected removable drives, such as USB flash drives,” Microsoft warned. 

Fast forward to 2015 when an IBM security researcher, Limor Kessem, wrote about the takedown of different botnet groups, one of which was Ramnit. What’s important to highlight is that Kessem noted, “In cases where law enforcement intervened to take down the servers and future communication domain rendezvous of banking Trojan operations, gangs did not appear to recover.” Ramnit was different. In fact, less than a year after Ramnit was dismantled, Kessem saw the banking Trojan botnet re-emerge and it has continued to evolve since. 

Hard to Kill

Since its inception, Ramnit has consistently been reborn, with new variants that range in capabilities, which may in part be why Ramnit is somewhat of an underappreciated malware today. It is all too often dismissed as old or even dead. Yet, in its metamorphosis from Trojan to virus, worm and botnet over the past decade, some iterations have served as a backdoor, able to communicate with a command and control server (C2). 

Though some may have been inclined to believe that the game of whack-a-mole was won when joint law enforcement agencies took down the botnet in 2015, researchers noted new attack schemes in 2016, and by 2018 Ramnit was reportedly being used as a first-stage malware in a widespread Black botnet operation.

Prevailion’s data indicates Ramnit has had quite a bit of recent activity with a significant impact on many sectors. 

Last 60 days of Ramnit activity. (Source: Prevailion)

Where It’s Spreading

Not surprisingly, Ramnit operators have shown no mercy for the Education sector–a common target for attackers given that those networks have historically struggled with security. “This should be of particular concern to institutions involved in research and other related projects,” said Tim Stahl, Director of Threat Intelligence at Prevailion. “As we have seen in the past they are prime targets for APT groups and criminal organizations for their intellectual property, vast troves of PII, and network resources that can be infected and leveraged in other attacks.”

While the risk of attackers accessing intellectual property is a concern, several other sectors have shown up in Prevailion’s data that are more surprising and troubling because we expect that these sectors–Legislative and Government, Finance and Insurance, and Medical and Healthcare Insurance–have higher levels of monitoring and security controls in place. However, Prevailion has identified Ramnit as one of the most frequently observed malware with activity across the globe striking these and other sectors.

Top industries impacted by Ramnit. (Source: Prevailion)

An Ongoing Problem

Interestingly, some of the older Ramnit variants involved in the beaconing activity Prevailion monitors were distributed in a variety of ways, which could be contributing to reinfection rates over time. “Some campaigns involved infected USB drives, some were distributed via trojanized versions of cracked software,” Stahl said. “These types of delivery mechanisms tend to have a long tail to them, but given the high detection rates of these older variants across all modern AV products it is still a concern if new infections are taking hold and allowed to persist.”

As with today’s threat landscape, Ramnit is ever-changing, but it’s not dead and it’s not going away. In order to detect the malware in any of its attack schemes, organizations need to have real-time visibility into their environment. AV and threat detection are not enough to defend against today’s sophisticated threat actors who are well-versed in evading detection. 

The Latest

Diving Deep into UNC1151’s Infrastructure: Ghostwriter and beyond

Introduction: Prevailion’s Adversarial Counterintelligence Team (PACT) is using advanced infrastructure hunting techniques and Prevailion’s unparalleled visibility into threat actor infrastructure creation to uncover previously unknown domains associated with UNC1151 and the “Ghostwriter” influence campaign.  UNC1151 is likely a state-backed threat actor [1] waging an ongoing and far-reaching influence campaign that has targeted numerous countries across […]

Prevailion CEO, Karim Hijazi- Biden’s Cybersecurity Strategy

Prevailion CEO, Karim Hijazi, comments on lacking White House cybersecurity efforts Karim Hijazi lays out why Biden’s cybersecurity strategy lacks innovation and effectiveness to deal with modern adversaries already inside companies around the globe.    

Prevailion CEO, Karim Hijazi- Tmobile Hack

Prevailion CEO, Karim Hijazi, talks about the T-Mobile hack and cloned SIM cards Karim Hijazi says T-Mobile’s breach is the largest in carrier history and discusses SIM swapping and other forms of identity theft.    

Copyright 2021 Prevailion, Inc. All rights reserved.    

Disclaimer: Gartner “Cool Vendors in Security Operations and Threat Intelligence,” Mitchell Schneider, Ruggero Contu, John Watts, Craig Lawson, October 13, 2020. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner Disclaimer: The GARTNER COOL VENDOR badge is a trademark and service mark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.