Ramnit was originally discovered in 2010 as a worm that was distributed through removable drives, infected files on public file transfer protocol (FTP) servers, exploit kits through malvertising, and bundled with unwanted apps. In 2011, Ramnit was developed to function as a banking trojan. The trojan was the fourth most active banking trojan in 2014, primarily attacking UK, US, and Australian users, harvesting credentials from online banking, social networking, and job recruitment websites. In early 2015, the Ramnit botnet infrastructure was taken down by Europol's European Cybercrime Centre, but the trojan resurfaced in December 2015 with the same source code and behavior patterns, although there were changes made to the configuration file and added the use of web injections. The trojan targeted banks and ecommerce sites in Canada, Australia, the US, and Finland. Ramnit resurfaced again in August 2016, targeting six major banks in the UK. The trojan’s architecture and encryption algorithms stayed the same but some of the modules were updated, including a Spy Module designed to hook the browser, monitor URL access, enable data theft in real-time, and display web injections to the victims. Additionally, new attack schemes built for real-time fraud attacks have been added to target online banking sessions. Ramnit will also steal credentials from infected users to commit takeover fraud from other devices later. It is likely that the Ramnit trojan will expand its victims beyond the initial six major UK banks in the near future.


  • December 2015: Ramnit trojan targets banks and ecommerce sites in Canada, Australia, the US, and Finland. (Security Intelligence)
  • August 2016: The Ramnit trojan targets six major banks in the United Kingdom. (IBM)
  • March 2017: Malvertising campaign targeting visitors of adult websites is spreading the trojan to users in Canada and the UK. (Malwarebytes)

Technical Details

  • IBM provides technical details on the Ramnit trojan, available here.