Europol’s European Cybercrime Centre (EC3) has announced a victory in the never-ending battle against cybercrime.
In an international operation coordinated with multiple law enforcement and industry partners, Europol led a takedown of the infrastructure of the Ramnit botnet that infected 3.2 million Windows computers.
Ramnit is a strain of malicious software called a bot that the cybercriminals used to spy on PCs and steal information such as banking and social media passwords.
A botnet is a collection of bots (also called zombies) controlled by cybercriminals, who can rent out their bot army to other crooks for nefarious purposes.
Botnets can load other nasty stuff onto bot-infected computers, such as ransomware like CryptoLocker and CryptoWall that scramble all your files with strong encryption and demand that you pay a ransom to get them back.
Botnets also plague computer users by spreading spam, and can be used to launch distributed denial-of-service attacks (DDoS) on websites.
Botnets rely on networks of servers to issue commands to their bots, but those servers can be anywhere in the world, and taking out a botnet usually requires coordination across national borders.
In the case of Ramnit, Europol said law enforcement took control of seven command-and-control servers, according to Reuters, along with 300 internet domains used by the botnet’s operators.
No arrests have been announced, but Paul Gillen, head of operations at Europol’s EC3, told Reuters that a British-led investigation is ongoing.
Finding the criminals behind Ramnit and bringing them to justice would be a real coup, because cybercriminals operating in the shadows can be very hard to track down and prosecute.
Recently, the US government announced a $3 million bounty for Evgeniy Mikhailovich Bogachev, the alleged mastermind behind the Gameover Zeus botnet.
Ramnit – from noisy virus to stealthy banking malware
According to SophosLabs, Ramnit first appeared as a file-infecting, or parasitic, virus that spread rapidly across networks, but it was changed significantly in an attempt to escape the notice of anti-virus software.
Ramnit was almost certainly adapted from a parasitic virus into a non-self-spreading zombie because the file infection parts turned out to be easy to detect.
James Wyke, a senior threat researcher at SophosLabs UK who specializes in botnets and banking malware like Vawtrak, points out that:
[The file infection code,] combined with the extremely noisy nature of infecting files, is probably why they decided to drop that component and make it into a more traditional information-stealing bot.
After its initial success, the prevalence of Ramnit dropped off.
But SophosLabs detected a new variant in late 2014, so the group behind Ramnit was still active – at least, until now.
Despite Europol’s success against Ramnit, the victory is incomplete – victims of Ramnit still have the malware on their PCs, so it’s possible the malware could be reactivated to do more damage.
You can check your computer to see if it’s infected with Ramnit, and quickly remove the malware, using the Sophos Free Virus Removal Tool.
Note. Sophos products block the malware described in this article as W32/Ramnit-*, Troj/Ramnit-* and Mal/Ramnit-* and W32/RamnitMem-*.
Learn more about botnets
Hear all about botnets from Sophos experts and Naked Security writers Paul Ducklin and James Wyke in our Techknow podcast entitled Understanding Botnets. They explain, in plain English, the what, why and how of bots, botnets and cybercrime.
(Audio player above not working for you? Download to listen offline, or listen on Soundcloud.)
Free Virus Removal Tool
This is a simple and straightforward tool for Windows users. It works alongside your existing anti-virus to find and get rid of any threats lurking on your computer.
It does its job without requiring you to uninstall your incumbent product first. (Removing your main anti-virus just when you are concerned about infection is risky in its own right.)
Download and run it, wait for it to grab the very latest updates from Sophos, and then let it scan through memory and your hard disk. If it finds any threats, you can click a button to clean them up.
Image of Europol HQ courtesy of Laubel Stock Photo / Shutterstock.com. Image of ram’s head also courtesy of Shutterstock.
2 comments on “Europol takedown of Ramnit botnet frees 3.2 million PCs from cybercriminals’ grasp”
While providing a free virus removal tool is really nice of you, I do have a couple of questions about it:
-We have to provide a full name and email address before being able to download it? (plus a lot of terms and conditions, which you know very well we won’t read before clicking on accept).
-The tool itself cannot be updated? Instead a new one has to be downloaded each time, which seems a bit redundant.
Pls don’t get me wrong, I’m not ungrateful, just confused.
Yes, we ask for a name and an email address, so that we can contact you later on. Yes, we would like to tell you about our products and services. Yes, we hope you subsequently become a customer. Yes, you can remove yourself from our mailing list at any time. Yes, it’s a quid pro quo in return for the free software.
I’m comfortable that we do that. I have downloaded the tool many times and I receive only occasional, unintrusive and IMO unannoying emails – I think it’s a fair trade. (For anyone who really doesn’t think it’s fair, just put in one of those throwaway email addresses instead of your regular one.)
Also, the tool can be updated – indeed, it updates itself automatically (in fact, it can’t *not* be updated 🙂 each time you start it up, including the first time.
To be honest, if I were King, I’d change the Virus Removal Tool so that the startup splash screen actually told you it was updating, and showed you how long the update still had to go. That would be handy for people like me who live an unwired life and aren’t always connected at 20Mbit/sec, because it would explain why the splash screen sometimes sits there for quite a while.
Having said that, once the splash screen clears and the product opens, assuming the update succeeded, it says:
The idea is to keep things really simple, and to reduce the number of options available, in the hope of producing the most reliable and consistent results, using the very latest threat detection identities.
Hope that removes some of the confusion.