Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Connect Directly
E-Mail vvv

Lessons Learned From The Ramnit Botnet Takedown

While most organizations won't find themselves in similar circumstances, there are important takeaways they can apply to any security program.

In the security community, there is a popular adage that says, “It’s not a matter of if you’ll be breached, but when.” This statement is meant to remind us that our focus should not only be on preventing a breach, but must also include strategies to detect and remediate incidents when they occur.

The unfortunate fact is that despite this knowledge, most of the time organizations have no idea they have suffered a data breach or are under attack by hackers. When the source of the attack is finally identified, it’s often too late and the result is usually reputational harm and millions of dollars lost.

In a knowledge-driven era, data has become our worst enemy and biggest ally. Data can be the enemy when organizations are bombarded and overwhelmed with more events than can be processed. It is like finding the needle in the proverbial haystack, where the needle is abnormal behavior and the haystack all online communications. To be secure, every instance of abnormal behavior should be checked as it may represent botnet activity or similar threats.

Despite these challenges, with the proper resources, data can also be our greatest ally. Thanks to modern technology -- namely big data -- organizations can proactively look for outlier behavior and investigate and obtain the necessary threat intelligence to evaluate and mitigate security risks before further damage is done.

One such example of the successful use of Big Data involves the takedown of a well-known botnet. In February, Europol, along with Microsoft, Symantec, and AnubisNetworks, led the takedown operation of Ramnit. In this case, the massive haystack consisted of the communications generated between a global network of compromised machines and respective command and control servers, or C2s. C2s are centralized machines that are able to send commands and receive outputs of machines -- part of a botnet encrypted with multiple security layers to protect “the needle,” meaning the criminals behind the whole operation. Breaking and sinkholing the Ramnit botnet required patience and perseverance to understand how the botnet operated, how it was structured, and how it communicated with the C2.

The takedown
Before moving in, law enforcement needed intelligence on the botnet, namely its geographic dispersion and an understanding of the malware to identify communication protocols and C2 infrastructure mapping.

It took months to collect, aggregate, and analyze the Ramnit botnet data, which led to sinkholing the C2 infrastructure and delivering critical information to allow law enforcement to take over the C2s and arrest the criminals.

In the end, the takedown was a success and law enforcement took control of the C2 infrastructure. By accessing and analyzing threat data from a variety of sources, the takedown effectively minimized the presence of Ramnit and reduce botnet activity on the international scale with infected machines decreasing from over 3.2 million to less than 250,000 in the days following the operation.

Ramnit botnet activity after the takedown
Source: AnubisNetworks
Source: AnubisNetworks

A couple of months after the operation, we’ve seen an increase in Ramnit botnet activity, but it’s marginal when compared to the days prior to the takedown. This emergence of new activity highlights the importance of vigilance and constant monitoring of these types of threats as in many cases it can be like cutting the head off a Hydra.

While the average organization won’t find itself involved in a high stakes botnet takedown, there are a few key takeaways from the Ramnit takedown that can be applied to any security program:

  • Many organizations rely solely on inside data about possible security breaches. If for some reason internal systems have been compromised, there is a very high probability those systems aren’t doing a very good job, so it’s important to have added visibility over network traffic related to the organization -- like a fresh set of eyes or a sanity check, if you prefer, to ensure everything is ok.
  • Knowing that your organization has been compromised is the first step towards solving the threat, but in order to be effective it’s also necessary to have a rich and unique context about it. You need to know and understand who the enemy is and how it can the successful tackled.
  • At the end of the day, humans are the weakest link in the cybersecurity equation, so education, awareness, and the implementation of good practices are critical in keeping your organization and customers safe. 

Unfortunately, botnets don’t simply die, they are built to be resilient and survive even if the masterminds behind them are in prison. We can weaken them, but often they reemerge with a similar modus operandi and a new name. Organizations need to embrace an adaptive approach to security, understand the new threat actors, and the risks they may represent.

Francisco Fonseca is the co-founder and CEO of AnubisNetworks, a BitSight subsidiary. Francisco has 15 over 15 years experience in the telecommunication industry implementing and managing email platforms for corporate and ISP environments. He previously founded Crashless, and ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This gives a new meaning to blind leading the blind.
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-16
There is a XSS vulnerability in the ticket overview screens. It's possible to collect various information by having an e-mail shown in the overview screen. Attack can be performed by sending specially crafted e-mail to the system and it doesn't require any user intraction. This issue affects: OTRS A...
PUBLISHED: 2021-06-16
A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
PUBLISHED: 2021-06-16
Insecure storage of sensitive information has been reported to affect QNAP NAS running myQNAPcloud Link. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism. This issue affects: QNAP Systems Inc. myQNAPcloud Link vers...
PUBLISHED: 2021-06-16
Rapid7 Nexpose is vulnerable to a non-persistent cross-site scripting vulnerability affecting the Security Console's Filtered Asset Search feature. A specific search criterion and operator combination in Filtered Asset Search could have allowed a user to pass code through the provided search field. ...
PUBLISHED: 2021-06-16
tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. In versions prior to 7.0.3, the `verifyWithMessage` method of `tEnvoyNaClSigningKey` always returns `true` for any signature that has a SHA-5...