Ramnit

Category: worm_banker · Aliases: Ramnit · Sample count (EMBER 2018): 20,595 · Enrichment: curated_sourced · Updated: 2026-06-09

Overview

Ramnit is a worm that steals information from compromised systems. Per Malwarebytes, it downloads component files for specific tasks: one component steals cookies to hijack banking and social-media sessions, while another gives attackers remote access. It arrives via removable and fixed drives, public FTP servers, exploit kits, or bundling with potentially unwanted software. Originally a worm that evolved toward banking fraud and botnet activity, its infrastructure was targeted in law-enforcement action in 2015.

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1091 T1547.001 T1185

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_RAMNIT {
    meta:
        description = "Detects Ramnit (worm_banker)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "ramnit" ascii wide nocase
        $s2 = "ramnit" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Ramnit Activity
id: efe3c4c4bc0508cf57a3acd3907f6ff8
status: experimental
description: Detects generic indicators of the ramnit malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*ramnit*"
            - "*ramnit*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is Ramnit?

A worm that steals information from infected systems, including banking and social-media session data, and can grant attackers remote access.

How does Ramnit steal banking information?

One of its downloadable components steals cookies, which can be used to hijack banking and social-media sessions.

How does Ramnit spread?

Via removable and fixed drives, public FTP servers, exploit kits, and bundling with potentially unwanted software.

Can Ramnit give attackers remote control?

Yes; one of its components is capable of providing threat actors remote access to the affected system.

Was Ramnit ever disrupted?

Its botnet infrastructure was targeted in a 2015 law-enforcement operation, though the family continued to be observed afterward.

How can I reduce the risk from Ramnit?

Disable autorun on removable drives, be cautious with bundled/unwanted software and downloads, keep systems patched, and use reputable security software.

Where can I read an authoritative source on Ramnit?

Malwarebytes maintains a Worm.Ramnit detection page, linked on this page.

Related Families (Category: worm_banker)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/ramnit.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.