Viruses

Kriptor is the name of malicious software categorized as ransomware. Its main purpose lies in the encryption of personal files and extraction of money from victims. The virus starts by restricting access to valuable data (photos, videos, documents, databases etc.). It also changes all the affected filenames with the .Kriptor extension to highlight encryption. For instance, a file previously titled as 1.pdf will change to 1.pdf.Kriptor and reset its icon as well. After this part is done, Kriptor creates a text note (read_it.txt) designed to explain decryption instructions. The desktop wallpapers get replaced as well. It is said victims have an opportunity to contact cybercriminals using one of the following e-mail addresses - leljicok@gmail.com or kkizuko@yandex.com and pay for decryption in Bitcoins. The exact price remains in secret and is to be revealed upon successful reach-out to swindlers. Ransomware developers also offer to test free decryption prior to paying the decryption fee - users are allowed to send up to 3 encrypted files and get them fully accessible in return. This way, cybercriminals try to create an additional bubble of trust, making victims more likely to pay for decryption.

Conteban is a remote-access trojan that, upon successful Infiltration, manipulates system features to run malicious actions on it. While the actual purpose of this virus remains unclear, malware of such tends to cause chain infections. This means that Conteban may act as a "backdoor" to bring other viruses, such as ransomware, along the way. Ransomware is a devastating malicious software that usually encrypts system stored data and blackmails victims into paying money for its return. In addition, many developers behind trojan infections also seek the extraction of valuable information (e.g. passwords, log-ins, banking credentials, etc.). This data can therefore be misused to perform fraudulent financial operations, putting users' funds and privacy at significant risk. Sometimes, however, there is software mistakenly tagged as Trojan-Win32/Conteban by various antivirus engines, including native Windows Defender. These false positives happen pretty often and may occur while launching or installing a third-party file downloaded from the web. If you suspect your system to be actually infected, or you doubt the trustworthiness of the file downloaded, we recommend you use our guide to make sure nothing threatens your PC.

Also known as Exo Android Bot, Exobot is a dangerous and highly-disruptive piece of malicious software designed to infiltrate Android devices. Exobot is similar to functions carried out by many banking trojans. In essence, it settles within a system and performs a number of phishing actions aimed at extracting valuable information from users (e.g. bank card credentials; passwords, log-ins, and even identity information). It does so by accessing Accessibility Services and manipulating an infected device through WiFi or Mobile networks. Alternatively, if there is no internet connection available, Exobot, is also capable of performing device control through SMS messages, which expands its abuse potential. In order to trick users into entering their credentials, cybercriminals may create simulated layers of popular apps (Google Play; WhatsApp, Viber, etc.) that pop on the screen and hardly differ from authentic ones. Smartphone trojans are usually granted extensive permissions giving full freedom to threat actors on what they can do. This includes forced device locking, blocked access to certain applications, screen capture, SMS management, microphone, and camera manipulation along with other compromising features as well. Exobot is especially known for the botnet feature allowing developers to link a number of infected devices and control them together from the same server to execute malicious steps. In conclusion, malware like Exobot is very devastating as it may lead you to deal with serious privacy issues, financial risks, downgraded device performance, or even identity theft. Thus, we recommend you follow our guidelines below and get rid of this virus as soon as you are able to.

U2K is a ransomware virus designed to render files inaccessible and extort a recovery payment from victims. During encryption, it assigns the .U2K extension and resets icons of all affected files. To illustrate, a file initially titled 1.pdf will change to 1.pdf.U2K and lose its original icon as well. After getting things done with encryption, the virus triggers the creation of the ReadMe.txt text note. This note features instructions on what victims should do in order to return the blocked data. As stated inside the file, the only doable way of decrypting all data is to purchase a unique decryptor. To retrieve it, victims are guided to download Tor Browser, navigate to the attached website link, and open a support ticket with cybercriminals. After starting negotiations, extortionists will likely announce the price and instruct victims on further details for payment. Unfortunately, as experience shows, much damage (primarily encrypted files) is hard to recover without the help of cybercriminals.

Teabot is a trojan infection that seeks extraction of banking-related data. Based on publicly-available reports, it is known that TeaBot has been targeting more than sixty banks across Europe. Upon getting installed onto a smartphone, it demands users to allow certain Accessibility Features by sending a number of pop-up windows. Once the requested permissions are given, developers behind Teabot will become able to control the infected device using Remote Access Tool (RAT). This will allow cybercriminals to deploy any malicious commands they want (e.g. replicate log-in credentials, take screenshots, manage contacts and send messages, disable security layers, record audio, etc.). As mentioned, the main target of this trojan comes down to financial information meaning cybercriminals might be more interested in stealing data from crypto wallets, banking or insurance apps, and so forth. To conclude, the presence of Teabot may and will be extremely dangerous for all kinds of sensitive data unless it is removed from your device. We recommend you do it as soon as possible using our guidelines below. Step-by-step instructions will help you delete it without traces.

BianLian is the name of a banking trojan designed to exfiltrate mainly finance-related information. After successful installation, it bombards the device's screen with pop-up windows that request users to allow various Accessibility Features. Once the demanded permissions are granted, the trojan acquires an almost limitless range of malicious features. For instance, it might display fake interactable windows on top of various banking applications. This way, cybercriminals attempt to trick users into entering their log-in credentials and steal them eventually. BianLian was also discovered able to run USSD codes and perform calls; prevent users from using a device by force-locking the screen; enable screen recording, manage SMS text messages, and also create an SSH server for protecting its communication channels. Such modules used by the trojan are obviously dangerous and might lead users to significant financial losses, identity thefts, and other problems that no one would desire. Thus, it is important to remove the trojan infection and restore safety on your Android device. You should also change all your log-in credentials and even block your card at the bank to prevent financial abuse.

Lilith is a ransomware infection that encrypts system-stored data and demands payment for file decryption. While rendering files inaccessible, the virus also appends the new .lilith extension to each infected sample. For instance, a file named 1.pdf will change to 1.pdf.lilith and reset its original icon as well. After this, cybercriminals lay out instructions on how to acquire decryption in a text note called Restore_Your_Files.txt. It is said that victims have three full days to contact developers. This should be done using the Tox messenger in Tor Browser. Should victims get late with meeting these demands, cybercriminals threaten to start leaking the collected data, supposedly to dark web resources. Although the price for decryption is calculated on an individual basis depending on how much valuable data has been encrypted, it still might be quite high considering ransomware's tendency to target business organizations.

Bahamut is a malicious program that targets Android devices and is classified as spyware. Malware of such is designed to spy on users' sensitive data and misuse it for future financial benefits. Upon successful installation, the virus acts as a regular application and requests users to provide a number of "mandatory" permissions. This can include permission for accessing camera, reading messages and managing phone contacts, recording audio, accessing phone memory, and other suspicious permits that should not be given to doubtful software. The main goal of Bahamut is normally set on extracting potentially valuable information from popular messaging apps such as WhatsApp, Facebook Messenger, Telegram, Viber, ProtectedText, Imo, Secapp, and Signal as well. Cybercriminals do this by sending collected information to their remote Command & Control server. The same is used for deploying various commands to control the infected device as well. Having Bahamut installed on your system will by far lead to many security and privacy risks. This is why such software must be removed as soon as you see it. Do it using our guide below and also learn how its installation occurred.