Ramnit

Category: worm_banker · Aliases: nimnul · Sample count (EMBER 2018): 20,595 · Enrichment: hand-curated · Updated: 2026-05-27

Overview

Ramnit is a versatile worm and banking trojan, first observed in 2010, that combines self-propagation through removable drives with credential theft and remote backdoor capabilities. Originally a file-infecting virus, Ramnit evolved into a full banking trojan capable of webinjects, FTP credential theft, and screen capture. Its infrastructure was disrupted by Europol and Symantec in 2015, but the family resurfaced and remains in active use. Ramnit demonstrates the convergence of worm propagation with banking-trojan monetization that characterized late-2010s commodity malware.

MITRE ATT&CK Techniques

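This family has been observed using the following ATT&CK techniques: T1091 (Replication Through Removable Media), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), and T1185 (Browser Session Hijacking).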

Frequently Asked Questions

How does Ramnit spread?

Ramnit spread through infected USB drives, removable media autorun, web injections into HTML files on the host, and drive-by downloads.

What are the signs of a Ramnit infection?

Common signs are modified HTML files on the system with injected iframes, file-infector behavior across executables, and antivirus detections for Ramnit or Nimnul.

What should I do if I think I have Ramnit on my system?

If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/ramnit.json

About this catalog

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families extracted from the EMBER 2018 benchmark. The catalog is also published on Hugging Face and Kaggle.