Over a decade ago, security researchers at Microsoft identified a computer worm and dubbed it Ramnit. The malware family “infects Windows executable files (.EXE) and HTML files (.HTML). It can also give a malicious hacker access to your PC. It spreads through infected removable drives, such as USB flash drives,” Microsoft warned.
Fast forward to 2015 when an IBM security researcher, Limor Kessem, wrote about the takedown of different botnet groups, one of which was Ramnit. What’s important to highlight is that Kessem noted, “In cases where law enforcement intervened to take down the servers and future communication domain rendezvous of banking Trojan operations, gangs did not appear to recover.” Ramnit was different. In fact, less than a year after Ramnit was dismantled, Kessem saw the banking Trojan botnet re-emerge and it has continued to evolve since.
Since its inception, Ramnit has consistently been reborn, with new variants that range in capabilities, which may in part be why Ramnit is somewhat of an underappreciated malware today. It is all too often dismissed as old or even dead. Yet, in its metamorphosis from Trojan to virus, worm and botnet over the past decade, some iterations have served as a backdoor, able to communicate with a command and control server (C2).
Though some may have been inclined to believe that the game of whack-a-mole was won when joint law enforcement agencies took down the botnet in 2015, researchers noted new attack schemes in 2016, and by 2018 Ramnit was reportedly being used as a first-stage malware in a widespread Black botnet operation.
Prevailion’s data indicates Ramnit has had quite a bit of recent activity with a significant impact on many sectors.
Not surprisingly, Ramnit operators have shown no mercy for the Education sector–a common target for attackers given that those networks have historically struggled with security. “This should be of particular concern to institutions involved in research and other related projects,” said Tim Stahl, Director of Threat Intelligence at Prevailion. “As we have seen in the past they are prime targets for APT groups and criminal organizations for their intellectual property, vast troves of PII, and network resources that can be infected and leveraged in other attacks.”
While the risk of attackers accessing intellectual property is a concern, several other sectors have shown up in Prevailion’s data that are more surprising and troubling, because we expect that these sectors–Legislative and Government, Finance and Insurance, and Medical and Healthcare Insurance–have higher levels of monitoring and security controls in place. However, Prevailion has identified Ramnit as one of the most frequently observed malware families, with activity across the globe striking these and other sectors.
Interestingly, some of the older Ramnit variants involved in the beaconing activity Prevailion monitors were distributed in a variety of ways, which could be contributing to reinfection rates over time. “Some campaigns involved infected USB drives, some were distributed via trojanized versions of cracked software,” Stahl said. “These types of delivery mechanisms tend to have a long tail to them, but given the high detection rates of these older variants across all modern AV products it is still a concern if new infections are taking hold and allowed to persist.”
As with today’s threat landscape, Ramnit is ever-changing, but it’s not dead and it’s not going away. In order to detect the malware in any of its attack schemes, organizations need to have real-time visibility into their environment. AV and threat detection are not enough to defend against today’s sophisticated threat actors who are well-versed in evading detection.
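The beaconing activity mentioned above is one of the few signals a defender can watch for regardless of which Ramnit variant is involved: a bot that checks in with its C2 tends to do so on a schedule. The following is an added example, not Prevailion's tooling or data, showing one simple way to surface that behaviour from outbound connection logs. The log lines, the host names, the 203.0.113.10 address (a documentation range) and the thresholds (at least five callbacks, coefficient of variation of the gaps at or below 0.15) are all constructed assumptions for illustration.

```python
"""Flag evenly spaced outbound callbacks (beacon-like traffic) in proxy/firewall logs.

Added example; the log lines below are constructed, not real telemetry.
Each line is: ISO-8601 timestamp, source host, destination host/IP.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample: ws-17 calls 203.0.113.10 roughly every 5 minutes with a few
# seconds of jitter (beacon-like); the other traffic is irregular browsing noise.
SAMPLE_LOG = """\
2021-03-01T10:00:00 ws-17 203.0.113.10
2021-03-01T10:00:07 ws-17 cdn.example.net
2021-03-01T10:05:02 ws-17 203.0.113.10
2021-03-01T10:06:41 ws-17 mail.example.org
2021-03-01T10:09:58 ws-17 203.0.113.10
2021-03-01T10:12:13 ws-22 cdn.example.net
2021-03-01T10:15:03 ws-17 203.0.113.10
2021-03-01T10:19:57 ws-17 203.0.113.10
2021-03-01T10:25:01 ws-17 203.0.113.10
2021-03-01T10:31:55 ws-22 cdn.example.net
2021-03-01T10:45:08 ws-22 cdn.example.net
"""


def parse_log(text):
    """Group timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def interval_stats(times):
    """Return (mean gap in seconds, coefficient of variation) for a list of timestamps.

    A low coefficient of variation means the gaps are nearly identical, which is
    what a timer-driven check-in looks like; human browsing is far more bursty.
    """
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return mean, cv


def find_beacons(text, min_events=5, max_cv=0.15):
    """Return (src, dst, mean_gap_seconds, cv) for pairs that look beacon-like.

    Thresholds are assumptions for this example; tune them to the environment.
    """
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_events:      # too few callbacks to judge regularity
            continue
        mean, cv = interval_stats(times)
        if cv <= max_cv:
            hits.append((src, dst, round(mean), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for src, dst, mean_gap, cv in find_beacons(SAMPLE_LOG):
        print(f"beacon-like: {src} -> {dst} every ~{mean_gap}s (cv={cv})")
```

On the constructed sample only the ws-17 to 203.0.113.10 flow is reported, with a mean gap of about 300 seconds. Regularity alone is not proof of compromise (software updaters and monitoring agents also poll on timers), so a hit from a check like this is a lead to enrich with the destination's reputation and the process that opened the connection, not a verdict.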