Ramnit botnet dismantled as UK warned over computer attack
Law enforcement agencies from across Europe have dismantled a major portion of the infrastructure of the Ramnit botnet which controlled a network of over 3.2 million computers which had been infected with malware that has been stealing banking and personal information from victims since 2010.
The Ramnit botnet has been in operation for the last five years and in that time has stolen the personal and financial details from millions of victims around the globe with most infections recorded in India, Indonesia, Vietnam, Bangladesh, the US, and the Philippines.
The UK's National Cyber Crime Unit (NCCU), in cooperation with law enforcement agencies from the Netherlands, Italy and Germany, as well as Europol's European Cybercrime Centre (EC3) and security experts from Microsoft and Symantec took part in the operation which took down a network of servers and 300 malicious websites that were helping spread the malware.
The criminal gang behind the Ramnit botnet has been in operation for at least five years according to Symantec, and in that time has evolved into "a major criminal enterprise".
More than 3.2 million Windows PCs around the globe have been infected and while the number of people affected in the UK (33,000) is relatively small, the gang was using a server which was housed in Gosport, Hampshire.
Steve Pye from the NCA's National Cyber Crime Unit said:
Through this operation, we are disrupting a cyber crime threat which has left thousands of ordinary computer users in the UK at risk of having their privacy and personal information compromised. This malware effectively gives criminals a back door so they can take control of your computer, access your images, passwords or personal data and even use it to circulate further spam messages or launch illegal attacks on other websites. As a result of this action, the UK is safer from Ramnit, but it is important that individuals take action now to disinfect their machines, and protect their personal information.
Still active
The Ramnit botnet spread malware using a variety of techniques including spear phishing email campaigns, through social networks and by directing victims to malicious websites which hosted the malware.
Infected computers would then be under the control of criminals, enabling them to access personal or banking information, steal passwords and disable antivirus protection.
While the rate of infection has dropped recently, Ramnit was still very active up until it was dismantled, with Symantec saying it blocked a daily average of around 6,700 new infections last November, though this was down from a daily average of 8,000 in May 2014.
The identity and location of the group behind the campaign is unknown.
In a bid to make it more difficult for people to remove the malware once infected, the authors of the software incorporated a number of features that make it hard to banish from a compromised computer, according to Symantec:
"During installation, it will place a copy of itself into the computer's memory as well as writing itself to the hard disk. The memory-based copy actively monitors the hard disk and, if it detects that the hard disk-based copy has been removed or quarantined, it will drop another copy back on to the hard disk to keep the infection alive."
Users can check if their computers have been infected by using free-to-use tools from Microsoft or Symantec which will also remove the Ramnit malware from the PC.
© Copyright IBTimes 2024. All rights reserved.