Europol takedown of Ramnit botnet frees 3.2 million PCs from cybercriminals’ grasp

Europol’s European Cybercrime Centre (EC3) has announced a victory in the never-ending battle against cybercrime.

In an international operation coordinated with multiple law enforcement and industry partners, Europol led a takedown of the infrastructure of the Ramnit botnet that infected 3.2 million Windows computers.

Ramnit is a strain of malicious software called a bot that the cybercriminals used to spy on PCs and steal information such as banking and social media passwords.

A botnet is a collection of bots (also called zombies) controlled by cybercriminals, who can rent out their bot army to other crooks for nefarious purposes.

Botnets can load other nasty stuff onto bot-infected computers, such as ransomware like CryptoLocker and CryptoWall that scramble all your files with strong encryption and demand that you pay a ransom to get them back.

Botnets also plague computer users by spreading spam, and can be used to launch distributed denial-of-service attacks (DDoS) on websites.

Botnets rely on networks of servers to issue commands to their bots, but those servers can be anywhere in the world, and taking out a botnet usually requires coordination across national borders.

In the case of Ramnit, Europol said law enforcement took control of seven command-and-control servers, according to Reuters, along with 300 internet domains used by the botnet’s operators.

No arrests have been announced, but Paul Gillen, head of operations at Europol’s EC3, told Reuters that a British-led investigation is ongoing.

Finding the criminals behind Ramnit and bringing them to justice would be a real coup, because cybercriminals operating in the shadows can be very hard to track down and prosecute.

Recently, the US government announced a $3 million bounty for Evgeniy Mikhailovich Bogachev, the alleged mastermind behind the Gameover Zeus botnet.

Ramnit – from noisy virus to stealthy banking malware

According to SophosLabs, Ramnit first appeared as a file-infecting, or parasitic, virus that spread rapidly across networks, but it was changed significantly in an attempt to escape the notice of anti-virus software.

Ramnit was almost certainly adapted from a parasitic virus into a non-self-spreading zombie because the file infection parts turned out to be easy to detect.

James Wyke, a senior threat researcher at SophosLabs UK who specializes in botnets and banking malware like Vawtrak, points out that:

[The file infection code,] combined with the extremely noisy nature of infecting files, is probably why they decided to drop that component and make it into a more traditional information-stealing bot.

After its initial success, the prevalence of Ramnit dropped off.

But SophosLabs detected a new variant in late 2014, so the group behind Ramnit was still active – at least, until now.

Despite Europol’s success against Ramnit, the victory is incomplete – victims of Ramnit still have the malware on their PCs, so it’s possible the malware could be reactivated to do more damage.

You can check your computer to see if it’s infected with Ramnit, and quickly remove the malware, using the Sophos Free Virus Removal Tool.

Note. Sophos products block the malware described in this article as W32/Ramnit-*, Troj/Ramnit-* and Mal/Ramnit-* and W32/RamnitMem-*.

Learn more about botnets

Hear all about botnets from Sophos experts and Naked Security writers Paul Ducklin and James Wyke in our Techknow podcast entitled Understanding Botnets. They explain, in plain English, the what, why and how of bots, botnets and cybercrime.

(Audio player above not working for you? Download to listen offline, or listen on Soundcloud.)

Image of Europol HQ courtesy of Laubel Stock Photo / Shutterstock.com. Image of ram’s head also courtesy of Shutterstock.