{
  "family": "ramnit",
  "sample_count": 20595,
  "category": "worm_banker",
  "description": "Ramnit is a versatile worm and banking trojan first observed in 2010 that combines self-propagation through removable drives with credential theft and remote backdoor capabilities. Originally a file-infecting virus, Ramnit evolved into a full banking trojan capable of webinjects, FTP credential theft, and screen capture. Its infrastructure was disrupted by Europol and Symantec in 2015 but the family resurfaced and remains in active use. Ramnit demonstrates the convergence of worm propagation with banking-trojan monetization that characterized late-2010s commodity malware.",
  "cta": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.",
  "aliases": [
    "nimnul"
  ],
  "enrichment_level": "hand-curated",
  "faq": [
    {
      "@type": "Question",
      "name": "What is Ramnit?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Ramnit is a versatile worm and banking trojan first observed in 2010 that combines self-propagation through removable drives with credential theft and remote backdoor capabilities. Originally a file-infecting virus, Ramnit evolved into a full banking trojan capable of webinjects, FTP credential theft, and screen capture. Its infrastructure was disrupted by Europol and Symantec in 2015 but the family resurfaced and remains in active use. Ramnit demonstrates the convergence of worm propagation with banking-trojan monetization that characterized late-2010s commodity malware."
      }
    },
    {
      "@type": "Question",
      "name": "How does Ramnit spread?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Ramnit spreads through infected USB drives, removable-media autorun, malicious code injected into HTML files on the host, and drive-by downloads."
      }
    },
    {
      "@type": "Question",
      "name": "What are the signs of a Ramnit infection?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Common signs include HTML files on the system that have been modified with injected iframes, file-infector behavior across executables, and antivirus detections for Ramnit or Nimnul."
      }
    },
    {
      "@type": "Question",
      "name": "What should I do if I think I have Ramnit on my system?",
      "acceptedAnswer": {
        "@type": "Answer",
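        "text": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance. In the meantime, disconnect the affected machine from the network, do not move removable drives from it to other computers, and change banking and FTP passwords from a device known to be clean, since Ramnit spreads through removable media and steals credentials."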
      }
    }
  ],
  "faq_count": 4,
  "mitre_attack": [
    "T1091",
    "T1547.001",
    "T1185"
  ],
  "cisa_advisory": null,
  "last_updated": "2026-05-27"
}