Ramnit is a worm that steals information from compromised systems. Per Malwarebytes, it downloads component files for specific tasks: one component steals cookies to hijack banking and social-media sessions, while another gives attackers remote access. It arrives via removable and fixed drives, public FTP servers, exploit kits, or bundling with potentially unwanted software. Originally a worm that evolved toward banking fraud and botnet activity, its infrastructure was targeted in law-enforcement action in 2015.
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1091 T1547.001 T1185
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_RAMNIT {
meta:
description = "Detects Ramnit (worm_banker)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "ramnit" ascii wide nocase
$s2 = "ramnit" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Ramnit Activity
id: efe3c4c4bc0508cf57a3acd3907f6ff8
status: experimental
description: Detects generic indicators of the ramnit malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*ramnit*"
- "*ramnit*"
condition: selection
level: mediumA worm that steals information from infected systems, including banking and social-media session data, and can grant attackers remote access.
One of its downloadable components steals cookies, which can be used to hijack banking and social-media sessions.
Via removable and fixed drives, public FTP servers, exploit kits, and bundling with potentially unwanted software.
Yes; one of its components is capable of providing threat actors remote access to the affected system.
Its botnet infrastructure was targeted in a 2015 law-enforcement operation, though the family continued to be observed afterward.
Disable autorun on removable drives, be cautious with bundled/unwanted software and downloads, keep systems patched, and use reputable security software.
Malwarebytes maintains a Worm.Ramnit detection page, linked on this page.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/ramnit.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.