Guess who’s back? Virus.Ramnit is here (to stay?)

Virus.Ramnit first made its appearance back in 2010 in the form of a rather simplistic self-replicating worm. Since then, however, the miscreants behind it have created several new Ramnit variants, with each one considerably more dangerous than the previous one. In fact, Ramnit has not only evolved in terms of becoming more sophisticated, it’s also evolved in terms of its technique and scope.

A little Ramnit history lesson

The first Ramnit virus worked by infecting the .exe, .dll, and .html files on a device, stealing FTP credentials and browser cookies, and using the infected device to spread itself to other devices. Later variants, however, also gained the ability to turn infected devices into remote-controlled bots that communicated with a command and control server, allowing the attacker to perform additional malicious actions such as stealing banking credentials, passwords and other sensitive data, and gaining remote access to financial institutions and corporate networks. Furthermore, once a system had been infected with Ramnit, the attacker was able to use it to install more malware, which caused a whole mess of new problems.

A whole mess of new problems?

Yes, indeed; a whole mess of new problems. In addition to enabling other malware such as ransomware and Trojans to be stealthily downloaded onto a user’s device, Ramnit also enabled redirections of Internet searches, changes to browser homepage settings, and unwanted pop-ups.

The 2018 “Black” botnet campaign is just one example of the harm Ramnit is capable of causing. In that campaign, Ramnit infected approximately 100,000 systems in just two months. Then, once it had infected a device, it would continue the attack by delivering a second piece of malware called Ngioweb. Ngioweb was part of a massive new campaign that attackers were able to use for a number of egregious activities such as DDoS attacks and the spreading of crypto miners, ransomware and other malware. In addition, Ngioweb gave attackers both back-door access to infected systems and relay access, which made the malware’s chain of operation very hard to track. Compounding the threat was that, around that time, cyber criminals began working together to distribute financial malware, so Ramnit became one of the most active banking malware families of 2018. However, Ramnit doesn’t limit itself to financial sites. It was also discovered trying to steal sensitive information from users who visited certain e-commerce sites: during one holiday season, 64% of Ramnit’s targets were e-commerce sites such as Amazon, BestBuy, Carters, Forever21, Gap, Zara and many others.

Clearly, Ramnit poses a serious threat to the privacy and the integrity of any computer it infects. The fact that it can be spread in a number of covert ways, such as through fake ‘tech support’ scams, through spam email, and by exploiting software vulnerabilities, just makes it all the more dangerous. So now the question is: ‘how can you protect yourself from Ramnit?’

Protecting yourself from Ramnit

One of the most important defensive measures you can take against Ramnit, and indeed all malware, is to become knowledgeable about cyber threats and the types of online behavior that can make you vulnerable. For example, learning the best practices for email and social media, such as not clicking on links or visiting websites that come from suspicious sources, is vital to cybersecurity. So is learning how to recognize the social engineering tactics that cyber criminals use to trick their victims into clicking on malicious links or downloading malicious attachments.

In addition, firewalls, which are designed to prevent unauthorized access to and from networks, can also help stop malware such as Ramnit from communicating with a command and control server outside of the infected network.

Having a reputable antivirus solution installed that can analyze, detect and eliminate Ramnit before it does any damage is another crucial component of cybersecurity. Your antivirus solution should run 24/7 in real time, and offer comprehensive protection such as browsing protection, anti-tracking, and camera and microphone protection to prevent the backdoor entry of malware that uses these types of attack vectors.

Last, but certainly not least, always make sure your software has the most recent security updates and patches so that Ramnit cannot exploit the software vulnerabilities that would otherwise leave your devices open to cyber attacks.

Keeping your distance from Ramnit

Although Ramnit has been a part of the threat landscape for over 10 years, the danger it poses today to users, e-commerce sites, and banking organizations worldwide has in no way diminished. It has staged a comeback several times in those 10 years, and each time it came back more powerful and more destructive than its previous version. In order to keep distance between Ramnit and your computers, you need healthy doses of both caution and knowledge, and you need to implement the security measures mentioned above. Otherwise, Ramnit can catch you.