Severity scale:  

Remove Lokibot virus (Removal Instructions) - 2020 update

removal by Jake Doevan - - | Type: Trojans

Lokibot is a Trojan malware that steals credentials, logs keystrokes, and can launch Jigsaw ransomware payload

Lokibot banking trojanLokibot is a banking trojan that can shift into ransomware if the attempt is made to deny its administrative rights

LokiBot is an info stealer Trojan malware[1] that can leak usernames, passwords, banking information, and other credentials to remote servers managed by criminals. The virus has been first detected in 2015, while a closer investigation has been initiated in late 2017 by SfyLab (or ThreatFabric currently) security researchers[2]. It usually infiltrates devices using malicious phishing emails, which are massively sent by bots employed by hackers or can be downloaded as a fake app from third-party websites. LokiBot Trojan can attack Windows and Android users. 

After a quiet period, cybersecurity researchers from Trend Micro[3] revealed a renewed LokiBot Trojan campaign impersonating the launcher for multiplayer video game Fortnite. A massive malspam campaign has been spotted imitating the launcher for Epic Games, which after granting permission launches the #C code allowing to bypass security systems and the .NET file that opens the backdoor for data leaking. 

On May 1, 2020, news about the new LokiBot virus attack has started spreading. Attackers have started a phishing campaign introducing people with the fictitious invoices and bank transfers, which contain infected excel sheets named Swift.xlsx, Inquiry.xlsxorders.xlsx, or Invoice For Payment.xlsx. If the user opens the sheet, cjjjjjjjjjjjjjjjjjjj.exe[4] file, which stands for LokiBot, connects to remote servers and starts leaking credentials. Besides, it downloads a new variant of Jigsaw ransomware, which encrypts files using .zemblax extension. The most interesting feature of this malware is that it shifts into ransomware as soon as the victim attempts to get rid of the malicious application. 

Name LokiBot
Type Banking trojan with ransomware traits
Discovered by SfyLab
Targets Android devices, Windows systems
Distribution Spam email attachments, malicious websites, third-party apps, social media links, etc. Typically, it disguises under malicious Excel spreadsheets that imitate official banking documents, invoices, or order details. The latest LokiBoit spam campaign misuses a game launcher of a popular game Fortnite
Executables cjjjjjjjjjjjjjjjjjjj.exe, objectrecalcine.exe
Symptoms Fake messages, pop-ups, fake bank interface, locked up files if the termination is implemented, files encrypted by Jigsaw or another ransomware (.zemblax extension)
Danger level High. Stolen credentials can lead to money theft or identity fraud
Elimination Eliminate the threat by entering Safe Mode and scanning the device with SpyHunter 5Combo Cleaner or Malwarebytes
Optimization required LokiBot is a dangerous Trojan, which drops malicious objects all over the system. It can not only delete files, but also hijack registries, turn core processes idle, block anti-virus, and perform other tasks that are not restored after Trojan infection. For a full PC's optimization, we recommend using Reimage Reimage Cleaner Intego tool

The primary goal of cybercriminals is obviously money. Thus, after the device gets infected with the LokiBot virus, users can be presented with a simulated screen that looks identical to the online banking one. Victims are unaware of the presence of malware and merely enter their credentials into the banking app-look-alike. In the meantime, the virus sends all the information directly to hackers, allowing them to use this sensitive data. 

Additionally, the virus is capable of mimicking other applications, such as Skype, Viber, WhatsApp, and even Outlook. Meaning, that all the data entered using these fake programs will be stolen as well; therefore, you need to be very careful. LokiBot removal should be your top priority. For that, you have to reboot your machine in Safe Mode, delete malware, and then scan it with SpyHunter 5Combo Cleaner or Malwarebytes to make sure all the traces are gone.

In addition to displaying a fake app interface and sending login information to hackers, LokiBot virus is also capable of the following:

  • Initiating fake notifications that look identical to those from a bank;
  • Making the smartphone vibrate when the messages pop up;
  • Opening the browser and navigating to specific websites;
  • Redirecting user's internet traffic through a proxy server;
  • Sending malicious spam SMS messages to people on the contact list;
  • Replying to incoming messages.

The banking trojan needs to have administrative rights to do all this, which it gains during the installation. Nevertheless, users are unaware of that at the start. Even if the attempt is made to deny admin rights, or if the user tries to remove LokiBot from their device, it instantaneously turns into ransomware[5] type virus.

LokiBot info stealerLokiBot info stealer is currently set to distribute Jigsaw ransomware variant

Culprits earned a fortune from ransom payments

As soon as Lokibot shifts to ransomware, it reboots the device, locks-up the screen and displays a message to users, informing them that their machine was locked due to them viewing child pornography. These screen-locking viruses started appearing in 2010 and infected millions of devices worldwide (probably the most famous one is FBI virus).

Obviously, the claims are fake, and the device is locked by a virus. To redeem the full function of their phone or tablet, users are asked to pay ransom in Bitcoin cryptocurrency which usually ranges between $70 and $100 within 48 hours.

When researchers analyzed  LokiBot's code, they discovered that the ransomware does not lock their files properly. It uses weak encryption and leaves copies of original files under different names, which is relatively easy to recover.

Unfortunately, not all users are aware of that, and they hurry to pay the ransom, as they are scared to lose the access to their device. This way, crooks earned over $1.5 million so far. Nevertheless, because Lokibot malware only costs around $2000 on the Dark Web, it is highly likely that it will continue to be spread by illegal money-craving cybercriminals.

Lokibot virusLokibot is malware that seeks to steal credentials from unsuspecting users

Update 2020: Jigsaw ransomware under LokiBot payload

At the begging of 2020 LokiBot info stealer has renewed its malspam campaigns. According to Trend Micro, the campaign misuses the famous Epic Games launcher, which is widely used by Fortnite and other multiplayer video game lovers. The rogue launcher is being distributed by bots via spam emails, which once enabled runs two processes:

  • #C source code, which blocks security software and prevents the malware from being eliminated;
  • .NET executable, which runs the #C and enables LokiBot malware.

Once the malware grants access, it's primary goal is to trick the victim into giving away credentials, logins, banking information, and other personal information that subsequently allows hackers to steal money. 

Jigsaw ransomware is one of the latest file-encrypting malware that the Lokibot trojan is programmed to launch. The latest malspam campaign, which started at the end of March 2020, tricks regular PC users into opening professionally developed Excel spreadsheets imitating invoices, bank transfers, order tracking details, and similar. According to experts, the spreadsheets can be named as follows:

  • Swift.xlsx
  • Orders.xlsx
  • Invoice For Payment.xlsx
  • Inquiry.xlsx

Each of them launches the cjjjjjjjjjjjjjjjjjjj.exe executable file, which starts exploiting for possibilities to leak saved logins credentials. It has an access to all web browsers, e-mails, remote control servers, and so on. However, it can not only steal data, but also download Jigsaw ransomware virus, which encrypts files with .zemblax file extension. 

In the case of LokiBot and Jigsaw bundle attack, it's very important to disable the drpbx.exe process via Task Manager. Even though Jigsaw ransomware has been cracked down and can be decrypted quite easily, it is programmed to start damaging encrypted files progressively if the victim fails to pay the ransom on time. Thus, terminating the drpbx.exe is the only way to protect files from permanent loss. After that, ensure a full LokiBot removal with a professional anti-virus program. 

Protect yourself from dangerous trojans and other malware

Many users are not that tech-savvy, and cybercrooks are fast to abuse that fact. Thus, they employ various trickery to make victims install malware on their devices. The key here is information, and once you get to know how to protect yourself from viruses, you will not have to deal with the stress they can bring. Security researchers[6] advice to take these precaution steps:

LokiBot banking trojanLokiBot trojan can leak personal data, including logins, passwords, banking information, etc.

  • Never click on links that you are not sure are safe (note: even messages from your friends on social media may be malicious, as it is a case in the Facebook virus)
  • Avoid shady websites and file-sharing (torrent) domains;
  • Download apps only from trusted sources, like Google Play;
  • Beware of spam emails with attachments or hyperlinks;
  • Employ reputable security software.

Eliminate LokiBot virus and keep your credentials safe

If you suspect that a banking Trojan is hiding in your system or if your device was locked and you are accused of child pornography, do not panic and remove Lokibot virus from your device. You will have to eliminate the malware by entering Safe Mode on your machine in the following way:

  1. Press and hold Power button – the Power off the menu should show up;
  2. Then, press and hold Power off;
  3. The Turn on Safe Mode menu should appear;
  4. Press OK and wait for the device to reboot

After you enter safe mode, you have to strip the infected app of its administrative rights and eliminate malware.

If your Windows machine is infected with this cyber threat, you should take of Lokibot removal by following steps below. Do not forget you need to keep your computer protected at all times, so we recommend using anti-malware software with real-time protection feature. 

If this trojan has successfully deployed Jigsaw ransomware payload, then take immediate actions to terminate the ransomware. Otherwise, it may start deleting the files in case the payment is late. You should:

  1. Open Task Manager (Ctrl + Alt + Delete).
  2. Select Task Manager and click on this option.
  3. Look for drpbx.exe, which stands for Jigsaw executable. 
  4. Right-click on it and select End Task

Right after that, restart your PC into Safe Mode with Networking and run a full system scan with a professional anti-malware program as explained below. 

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove Lokibot virus, follow these steps:

Remove Lokibot using Safe Mode with Networking

To get rid of Lokibot virus, enter Safe Mode with Networking in the following way:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Lokibot

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Lokibot removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Lokibot using System Restore

You can also try System Restore to eliminate trojan:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Lokibot. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that Lokibot removal is performed successfully.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Lokibot and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. It is a hassle when your website is protected from suspicious connections and unauthorized IP addresses.

The best solution for creating a tighter network could be a dedicated/fixed IP address. If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for server or network manager that need to monitor connections and activities. This is how you bypass some of the authentications factors and can remotely use your banking accounts without triggering suspicious with each login. 

VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world. It is better to clock the access to your website from different IP addresses. So you can keep the project safe and secure when you have the dedicated IP address VPN and protected access to the content management system.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Jake Doevan
Jake Doevan - Computer technology expert

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions

Removal guides in other languages

Your opinion regarding Lokibot virus