Severity scale:  

Remove Citadel virus (Virus Removal Instructions) - Free Guide

removal by Julie Splinters - -   Also known as Citadel trojan | Type: Trojans

Citadel virus is a notorious banking trojan that stole the credentials of millions and caused immense financial losses

Citadel virus

Citadel trojan is a data-stealing malware that was first spotted in the wild back in 2011 and was based on the Zeus virus. Its impressive keylogging and evasion capabilities allowed its developer Mark Vartanyan, also known as “Kolypto,” and his affiliates to harvest the login credentials from the most popular password managers, including Keepass or Password Safe. 

During its successful years of operation, Citadel trojan managed to infect over 11 million computers worldwide, which resulted in $500 million worth of damage to users.[1] Fortunately, with the help of combined efforts of the FBI and Microsoft, the operator was extradited to the United States in March 2017 to face criminal charges related to Citadel malware and sentenced to five years in federal prison later that year.[2]

Citadel trojan was offered on the underground forums for years and was one of the first viruses that were used for malware-as-a-service (MaaS) scheme. The affiliates used a variety of infection methods, such as Blackhole EK,[3] to infect users with a malicious payload and then included the computer network into a botnet, further proliferating malware.

Name Citadel virus
Type Trojan
Stems from Zeus banking malware
Developer Mark Vartanyan or “Kolypto”
Start of the operation 2011
Business model Malware-as-a-service (MaaS)
Capabilities Stealing master passwords, locking users out of security sites, compiling a botnet, etc.
Distribution means Exploit kits, vulnerabilities, spam emails, etc.
Termination Use anti-malware software such as Reimage Reimage Cleaner Intego or SpyHunter 5Combo Cleaner

While the developer Kolypto is already behind bars, it does not mean that Citadel virus is gone forever, mainly because it was operating the malware-as-a-service program. Therefore, users should beware of older threats, as the presence of a trojan can result in money loss, installation of other malicious software, or even identity theft.

Soon after the distribution of Citadel virus seized in 2016, a new version based on it was released – Atmos.[4] It was mainly developed to perform targeted attacks against banks. However, it later turned out that the malware was also used to drop TeslaCrypt ransomware,[5] initially infecting users via malicious web injects.

What's so special about Citadel malware is that it is capable of entering the machines and idling for months, meaning that no security solutions can detect it during that time. However, the updated versions of security applications should be able to help with Citadel virus removal and prevention.

Citadel trojanCitadel virus is a trojan that is capable of evading detection, stealing sensitive user data and preventing them from visiting security websites

The complex nature of the trojan requires users to be extremely careful when browsing the internet, as the infection can come when its least expected. Citadel virus might be delivered using a variety of methods, so the prevalence is guaranteed.

We recommend using security solutions such as Reimage Reimage Cleaner Intego and SpyHunter 5Combo Cleaner in order to terminate the malicious threat and restore the computer to a working state. Remember, trojans are usually silent and do not show any signs or symptoms, so it vital to scan your device with anti-malware on a regular basis.

Prevent malware by employing adequate security options

Unlike potentially unwanted programs that are considered less harmful, various malware, including ransomware, and banking trojans are usually operated by a sophisticated criminal group. Therefore, the distribution methods of such threats are usually much more complex and advanced – it ensures the benefit of infecting millions of users. Here are a few examples of malware distribution methods:

  • Exploits
  • Software vulnerabilities
  • Spam emails
  • Web injects
  • Fake updates
  • Pirates software installers, etc.

Let's make it clear: having a comprehensive anti-malware software installed is one of the major steps towards infection prevention. However, it is not enough just to be safe online.

You should also make sure you update your operating system along with all the installed applications as soon as new security patches are deployed. Updates can fix security flaws, which would consequently stop the trigger of the exploit, which would otherwise install malware automatically as soon as you enter the compromised site.

Citadel mawlareCitadel malware was among the first viruses that operated malware-as-a-service scheme - the affiliates could directly report bugs and communicate with its developers

Additionally, you should avoid torrent and crack sites that offer illegal software – these are full of malicious software and should not be tampered with.

Remove Citadel banking trojan and prevent the intrusion of other malware

Besides Citadel's capability of stealing credentials, credit card details, and operating a botnet, it was also capable of proliferating other malware. As we previously mentioned, ransomware like TeslaCrypt might be delivered – the infection that can lock personal files on the hard drive and all the connected networks. In most of the cases, data recovery is impossible, unless security experts come up with the decryption tool.

Therefore, manual Citadel virus removal might not be enough, as other malware might be operating in the background. We suggest you refrain from tampering with system files and rather trust comprehensive anti-malware programs to do the work automatically.

In some cases, Citadel virus removal might be difficult as it can tamper with anti-virus software. If that is the case, you should enter Safe Mode with Networking – a safe environment that stops malware-initiated tasks from running. We explain how to enter the mode below – please check it out and perform a full system scan. 

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove Citadel virus, follow these steps:

Remove Citadel using Safe Mode with Networking

In case the malware does not let your security application function normally, access Safe Mode with Networking as explained below and complete Citadel malware removal by scanning your computer:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Citadel

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Citadel removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Citadel and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. It is a hassle when your website is protected from suspicious connections and unauthorized IP addresses.

The best solution for creating a tighter network could be a dedicated/fixed IP address. If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for server or network manager that need to monitor connections and activities. This is how you bypass some of the authentications factors and can remotely use your banking accounts without triggering suspicious with each login. 

VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world. It is better to clock the access to your website from different IP addresses. So you can keep the project safe and secure when you have the dedicated IP address VPN and protected access to the content management system.

Backup files for the later use, in case of the malware attack

Computer users can suffer various losses due to cyber infections or their own faulty doings. Software issues created by malware or direct data loss due to encryption can lead to problems with your device or permanent damage. When you have proper up-to-date backups, you can easily recover after such an incident and get back to work.

It is crucial to create updates to your backups after any changes on the device, so you can get back to the point you were working on when malware changes anything or issues with the device causes data or performance corruption. Rely on such behavior and make file backup your daily or weekly habit.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware occurs out of nowhere. Use Data Recovery Pro for the system restoring purpose.

About the author

Julie Splinters
Julie Splinters - Malware removal specialist

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions


Removal guides in other languages

Your opinion regarding Citadel virus