I recently read the 2025 Honeywell Cyber Threat Report, and the statistics in the report about W32.Worm.Ramnit caught my eye. Among the persistent threats, W32.Worm.Ramnit stands out as a particularly insidious malware, which is increasingly being repurposed to steal valuable industrial account credentials. The report stated that the worm, typically a banking sector Trojan, experienced a 3000% increase in the 4th quarter of 2024 compared to the 2nd quarter of 2024. This blog post will delve into what Ramnit is, how it operates to compromise industrial environments, and crucially, how the adoption of phishing-resistant passwordless Multi-Factor Authentication (MFA) can effectively neutralize this attack vector.
Examining W32.Worm.Ramnit
W32.Worm.Ramnit is a sophisticated, polymorphic worm that has been active for over a decade, continuously evolving its capabilities. Although initially designed as a banking trojan to steal financial information, its modular nature and persistent infection mechanisms have enabled it to adapt to new targets in the Operational Technology (OT) sector.
Key characteristics of Ramnit:
- Worm Functionality: It spreads by infecting removable drives, network shares, and even executable files, allowing it to move laterally within a compromised network.
- Polymorphic Nature: Its ability to change its code structure makes it challenging for traditional signature-based antivirus solutions to detect.
- Stealth and Persistence: Ramnit employs various techniques to evade detection and maintain a foothold on infected systems, including injecting itself into legitimate processes.
- Modular Design: This allows attackers to easily add or remove functionalities, such as credential harvesting, backdoor capabilities, and data exfiltration.
Ramnit's Shift: Targeting Industrial Account Credentials
While its banking trojan roots are well known, the report indicates a concerning pivot: Ramnit is increasingly being leveraged to target and exfiltrate industrial account credentials. This shift is driven by the high value of access to OT environments, where compromised credentials can lead to catastrophic outcomes, including:
- Disruption of Critical Operations: Gaining access to accounts for SCADA systems, HMIs, or PLC programming interfaces can enable attackers to manipulate industrial processes, leading to shutdowns, equipment damage, or even physical harm.
- Data Exfiltration: Industrial intellectual property, proprietary designs, and sensitive operational data are highly valuable targets for industrial espionage.
- Lateral Movement: Stolen credentials provide a direct pathway for attackers to move deeper into an OT network, bypassing perimeter defenses and establishing a persistent presence.
- Ransomware Deployment: Compromised industrial accounts can be used to deploy ransomware directly onto critical systems, maximizing the impact and pressure for a payout.
How Ramnit Steals Credentials in OT
Ramnit typically employs several methods for credential theft, which are particularly effective in environments reliant on traditional password-based authentication:
- Browser Credential Harvesting: This attack targets stored passwords and session cookies from web browsers, which may contain login details for cloud-based industrial management platforms, remote access portals, or vendor-specific applications.
- FTP Credential Theft: Many industrial environments still use FTP for file transfers, and Ramnit is adept at stealing FTP credentials, which can grant access to critical data or configuration files.
- Network Share Credential Scraping: By spreading across network shares, Ramnit can scrape credentials from configuration files and scripts, or harvest cached Windows credentials, allowing it to move between workstations and servers connected to the OT network.
- Keylogging: While not its primary method, keylogging capabilities can capture credentials as they are typed, including those for local industrial applications or remote desktop sessions.
- VPN Credential Exploitation: If industrial remote access relies on traditional VPNs secured by passwords, Ramnit can target these credentials, providing a direct gateway into the OT network.
Once these credentials are stolen, they are typically exfiltrated to command-and-control (C2) servers controlled by the attackers, providing them with persistent access and a foundation for further malicious activities.
Why are people still protecting critical infrastructure with passwords?
The Achilles' heel of Ramnit's credential theft operations is its reliance on the existence of a password or a phishable credential. This is precisely where phishing-resistant passwordless Multi-Factor Authentication (MFA) emerges as a game-changer, fundamentally breaking Ramnit's attack chain.
Phishing-Resistant Secure Remote Access (MFA) is a core component of solutions like BlastShield. It provides highly secure remote access to OT networks using methods like biometrics or FIDO2 keys, eliminating the need for traditional passwords. User identification is based on public-private key pairs, making it immune to credential theft.
Here's how passwordless MFA directly counters Ramnit's credential theft:
- Eliminates the Password Vector: If there's no password to steal, Ramnit's primary method of attack is rendered useless. Passwordless MFA solutions rely on cryptographic keys, biometrics (such as fingerprint or facial recognition), or FIDO2 security keys, none of which can be "stolen" in the same way a password can.
- Thwarts Phishing and Credential Theft: Ramnit's ability to steal credentials often relies on users being tricked into revealing them (e.g., via phishing). Phishing-resistant MFA, by design, prevents this. Even if a user is redirected to a fake login page, the cryptographic challenge-response mechanism of FIDO2 or the inherent security of biometrics cannot be replicated or intercepted by the attacker. The user's genuine credential (the private key or biometric data) never leaves their device.
- Protects Against Replay Attacks: Since each authentication attempt with passwordless MFA involves a unique cryptographic challenge, stolen session cookies or captured login attempts (which Ramnit might leverage) cannot be "replayed" by the attacker to gain unauthorized access.
- Secures Remote Access Gateways: For industrial remote access, implementing passwordless MFA on ZTNA solutions ensures that even if Ramnit is present on an endpoint, it cannot use stolen credentials to gain access to the secure network. BlastWave's approach focuses on phishing-resistant, passwordless MFA that thwarts phishing and credential theft (even AI-powered attempts).
- Enhances Audit Trails: While not directly preventing theft, the robust authentication mechanisms of passwordless MFA provide clear, verifiable audit trails of authenticated users, aiding in forensic investigations and quickly identifying any unauthorized access attempts.
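To make the challenge-response and replay points above concrete, here is an added example (not BlastWave's code and not any FIDO2 library's) of the three checks a relying party performs on a FIDO2-style login assertion: the challenge is fresh and single-use, the origin the browser reported matches the expected one, and one signature over both verifies against the registered public key. It assumes a hypothetical OT portal origin and uses Ed25519 in place of whatever key type the authenticator actually holds.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// RelyingParty is the server side: the registered public key, the origin it expects logins from, and open challenges.
type RelyingParty struct {
	Origin  string
	PubKey  ed25519.PublicKey
	pending map[string]bool // issued challenges, each redeemable once
}

// NewChallenge issues a fresh 32-byte random challenge.
func (rp *RelyingParty) NewChallenge() []byte {
	if rp.pending == nil {
		rp.pending = map[string]bool{}
	}
	c := make([]byte, 32)
	rand.Read(c)
	rp.pending[string(c)] = true
	return c
}

// clientData binds origin and challenge, standing in for the FIDO2 clientDataJSON hash the authenticator signs.
func clientData(origin string, challenge []byte) []byte {
	return append([]byte(origin+"|"), challenge...)
}

// Sign runs on the authenticator; the private key never leaves the device, so a phishing page only gets a signature over its own origin.
func Sign(priv ed25519.PrivateKey, origin string, challenge []byte) []byte {
	return ed25519.Sign(priv, clientData(origin, challenge))
}

// Verify rejects replays, signatures produced on another origin, and any origin or challenge edited after signing.
func (rp *RelyingParty) Verify(origin string, challenge, sig []byte) error {
	if !rp.pending[string(challenge)] {
		return errors.New("unknown or already-used challenge (replay)")
	}
	if origin != rp.Origin {
		return errors.New("origin mismatch: assertion signed on another site")
	}
	if !ed25519.Verify(rp.PubKey, clientData(origin, challenge), sig) {
		return errors.New("signature does not verify")
	}
	delete(rp.pending, string(challenge))
	return nil
}
```

These checks cover only the login assertion itself; whatever session token the gateway issues afterwards needs its own binding, which is outside this example.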
Ditch the Password. Make Phishing Futile.
Interested in a demonstration of this? https://www.blastwave.com/schedule-a-demo