UK's NCA leads Europol take-down on Ramnit botnet

News by Doug Drinkwater

The National Crime Agency has led its latest major malware take-down, clubbing together with Europol's European Cybercrime Centre (EC3), the private sector and CERT-EU to disrupt the widely-spread Ramnit botnet.

Announcing the news today, the EC3 revealed that it had co-ordinated a joint international operation from its operational centre in the Hague to take down Ramnit yesterday, a botnet believed to have infected 3.2 million computers worldwide.

The botnet spreads malware via seemingly trustworthy links sent out in phishing emails or on social networking websites. If users on Windows clicked the links, the malware would be installed, infecting the computers, which would then be under the control of the botnet operators. They could access personal or banking information, steal passwords and disable anti-virus protection. Symantec says that Ramnit has been around for over four years, first originating as a computer worm.

Investigators believe that Ramnit infected more than three million computers worldwide, including 33,000 in the UK. However, India and Indonesia appear to be the two biggest targets, accounting for 27 percent and 18 percent of infections respectively.

As with previous investigations, it was a truly international and collaborative effort; while EC3 facilitated the operation, the UK led it and it also involved investigators from Germany, Italy and Holland. EC3's own J-CAT team was also in support, as was CERT-EU, with the latter relaying information on the victims to their peers for risk mitigation purposes.

Microsoft – which alerted Europol to the spike in infections – Symantec and AnubisNetworks worked together with Europol officials to shut down the command and control (C&C) servers, as well as to redirect the 300 internet domain addresses used by the botnet's operators. The NCA detailed how one of the servers in question was located in Gosport, Hampshire.

“Through this operation, we are disrupting a cyber-crime threat which has left thousands of ordinary computer users in the UK at risk of having their privacy and personal information compromised,” said Steve Pye of the NCCU.
“This malware effectively gives criminals a back door so they can take control of your computer, access your images, passwords or personal data and even use it to circulate further spam messages or launch illegal attacks on other websites.
“As a result of this action, the UK is safer from RAMNIT, but it is important that individuals take action now to disinfect their machines, and protect their personal information.”

Europol deputy director operations, Wil van Gemert, said in a statement: "This successful operation shows the importance of international law enforcement working together with private industry in the fight against the global threat of cybercrime. We will continue our efforts in taking down botnets and disrupting the core infrastructures used by criminals to conduct a variety of cyber-crimes. Together with the EU Member States and partners around the globe, our aim is to protect people around the world against these criminal activities."

Andy Archibald, deputy director of the National Cyber Crime Unit and chair of J-CAT – which SC exclusively detailed pre-launch back in June – added: “Strong international cooperation is crucial to success in tackling the major cyber-crime threats facing the UK and its partners.
“This operation is a further demonstration of the value J-CAT is adding to our efforts to disrupt criminal infrastructures, and ensure the UK is a safe place to interact and do business online.”

An NCA spokesman confirmed to SC that the NCA led the take-down operation – its second in the public eye since July last year – because the UK had the biggest number of infections in Europe.

Brian Honan, managing director and consultant at BH Consulting, told SC that this was another win for Europol, but said that the real challenge remains – finding the people behind such malware and putting them in prison.

“First of all, I think it is great to see member states and the private sector, co-ordinated by EC3, take-down botnets and clean up the internet.”

However, he added that such action was “currently a case of treating the symptoms rather than the disease. To be really effective, we need to arrest the people behind these botnets and put them in jail.”

He said that this is complicated by countries outside the EU's jurisdiction, which likely wouldn't extradite criminals, but said that EC3 has already done stellar work with non-EU countries, as evidenced by the J-CAT, which includes investigators from the US FBI as well as law enforcement from Australia, Canada and Colombia.

“The next challenge is to encourage nations that are not being helpful today to be more helpful tomorrow.”

Microsoft and Symantec have released a remedy to clean and restore infected computers' defences. For those who fear their computer may have been infected, EC3 recommends downloading specialist disinfection software.
