NCA warns over ‘RAMNIT’ Windows computer attack

February 25th 2015

The National Crime Agency (NCA) has led a major European operation to tackle malicious software (malware) known as RAMNIT and believed to have infected tens of thousands of Windows computers in the UK. If you have a Windows computer, the NCA is advising you to check whether it has been infected by downloading specialist disinfection software, which is available free of charge by clicking on either of these links:

For information and advice on protecting your computer from malware, click here


Security Scanner:
Virus Removal Tool:
Security Scanner and Virus Removal Tool both from the following page:


Trend Micro:


The Agency’s National Cyber Crime Unit (NCCU) worked with law enforcement colleagues in the Netherlands, Italy and Germany – co-ordinated through Europol’s European Cybercrime Centre (EC3) – to shut down command and control servers used by a ‘botnet’ network of infected computers. One of the servers was housed in Gosport, Hampshire.

Botnets, including RAMNIT, spread malware via seemingly trustworthy links sent out on phishing emails or social networking websites. If users running Windows operating systems click on the links, the malware would be installed, infecting the computer. Infected computers then fall under the control of criminals, enabling them to access personal or banking information, steal passwords and disable antivirus protection.

Investigators believe that RAMNIT may have infected over three million computers worldwide, including around 33,000 in the UK. It has so far largely been used to attempt to steal money from bank accounts.

Analysis is now taking place on the servers and an investigation is ongoing.

The disinfection tools will identify whether a computer has been infected and, if so, disinfect it. If your computer has been affected, you should then immediately change passwords on banking, email, social media and other potentially sensitive online accounts. The tool will cause no harm if used on computers that have not been infected.

The NCCU's Steve Pye said: “Through this operation, we are disrupting a cyber crime threat which has left to thousands of ordinary computer users in the UK at risk of having their privacy and personal information compromised. This malware effectively gives criminals a back door so they can take control of your computer, access your images, passwords or personal data and even use it to circulate further spam messages or launch illegal attacks on other websites."

Mr Pye continued “As a result of this action, the UK is safer from RAMNIT, but it is important that individuals take action now to disinfect their machines, and protect their personal information.”

The operation to take down RAMNIT was co-ordinated by the Joint Cybercrime Action Taskforce (J-CAT) based at Europol’s European Cybercrime Centre (EC3). Europol was alerted to RAMNIT by Microsoft, after data analysis showed a big increase in infections.

Andy Archibald, Deputy Director of the National Cyber Crime Unit, and the taskforce's Chair, added:

“Strong international cooperation is crucial to success in tackling the major cyber crime threats facing the UK and its partners. This operation is a further demonstration of the value J-Cat is adding to our efforts to disrupt criminal infrastructures, and ensure the UK is a safe place to interact and do business online.”

Written by

In partnership with