Severity scale:  

Lokibot virus. How to remove? (Uninstall guide)

removal by Jake Doevan - - | Type: Trojans

Lokibot virus – a dangerous banking trojan that can steal sensitive data and even lock up files

Lokibot banking trojan
Lokibot is a banking trojan that can shift into ransomware if the attempt is made to deny its administrative rights

LokiBot is a banking virus[1] that is capable of stealing sensitive data and transferring it to attackers. The malware was discovered by SfyLab (or ThreatFabric currently) security researchers[2] in late 2017. It usually infiltrates devices using malicious phishing emails, which are massively sent by bots employed by hackers or can be downloaded as a fake app from third-party websites. It attacks Android devices only, although another version of the virus can infiltrate Windows machines as well. The most interesting feature of this malware is that it shifts into ransomware as soon as the victim attempts to get rid of the malicious application.

Name LokiBot
Type Banking trojan with ransomware traits
Discovered by SfyLab
Targets Android devices, Windows systems
Distribution Spam email attachments, malicious websites, third-party apps, social media links, etc.
Symptoms Fake messages, pop-ups, fake bank interface, locked up files if termination is implemented
Danger level High. Stolen credentials can lead to money theft or identity fraud
Elimination Eliminate the threat by entering Safe Mode and scanning the device with Reimage or Malwarebytes Anti Malware

The primary goal of cybercriminals is obviously money. Thus, after the device gets infected with the LokiBot virus, users can be presented with a simulated screen that looks identical to online banking one. Victims are unaware of the presence of malware and merely enter their credentials into banking app-look-alike. In the meantime, the virus sends all the information directly to hackers, allowing them to use this sensitive data. 

Additionally, the virus is capable of mimicking other applications, such as Skype, Viber, WhatsApp, and even Outlook. Meaning, that all the data entered using these fake programs will be stolen as well; therefore, you need to be very careful. LokiBot removal should be your top priority. For that, you have to reboot your machine in safe mode, delete malware, and then scan it with Reimage or Malwarebytes Anti Malware to make sure all the traces are gone.

In addition to displaying fake app interface and sending login information to hackers, LokiBot virus that is also capable of the following:

  • Initiating fake notifications that look identical to those from a bank;
  • Making the smartphone vibrate when the messages pop up;
  • Opening the browser and navigating to specific websites;
  • Redirecting user's internet traffic through a proxy server;
  • Sending malicious spam SMS messages to people on the contact list;
  • Replying to incoming messages.

The banking trojan needs to have administrative rights to do all this, which it gains during the installation. Nevertheless, users are unaware of that at the start. Even if the attempt is made to deny admin rights, or if the user tries to remove LokiBot from their device, it instantaneously turns into ransomware[3] type virus.

Culprits earned a fortune from ransom payments

As soon as Lokibot shifts to ransomware, it reboots the device, locks-up the screen and displays a message to users, informing them that their machine was locked due to them viewing child pornography. These screen-locking viruses started appearing in 2010 and infected millions of devices worldwide (probably the most famous one is FBI virus).

Obviously, the claims are fake, and the device is locked by a virus. To redeem the full function of their phone or tablet, users are asked to pay ransom in Bitcoin cryptocurrency which usually ranges between $70 and $100 within 48 hours.

When researchers analyzed  LokiBot's code, they discovered that the ransomware does not lock their files properly. It uses weak encryption and leaves copies of original files under different names, which is relatively easy to recover.

Unfortunately, not all users are aware of that, and they hurry to pay the ransom, as they are scared to lose the access to their device. This way, crooks earned over $1.5 million so far. Nevertheless, because Lokibot malware only costs around $2000 on the Dark Web, it is highly likely that it will continue to be spread by illegal money-craving cybercriminals.

Lokibot virus
Lokibot is malware that seeks to steal credentials from unsuspecting users

Protect yourself from dangerous trojans and other malware

Many users are not that tech-savvy, and cybercrooks are fast to abuse that fact. Thus, they employ various trickery to make victims install malware on their devices. The key here is information, and once you get to know how to protect yourself from viruses, you will not have to deal with the stress they can bring. Security researchers[4] advice to take these precaution steps:

  • Never click on links that you are not sure are safe (note: even messages from your friends on social media may be malicious, as it is a case in the Facebook virus)
  • Avoid shady websites and file-sharing (torrent) domains;
  • Download apps only from trusted sources, like Google Play;
  • Beware of spam emails with attachments or hyperlinks;
  • Employ reputable security software.

Eliminate LokiBot virus and keep your credentials safe

If your device was locked and you are accused of child pornography, do not panic and remove Lokibot virus from your device. You will have to eliminate the malware by entering Safe Mode on your machine in the following way:

  1. Press and hold Power button – the Power off menu should show up;
  2. Then, press and hold Power off;
  3. The Turn on Safe Mode menu should appear;
  4. Press OK and wait for the device to reboot

After you enter safe mode, you have to strip the infected app of its administrative rights and eliminate malware.

If your Windows machine is infected with this cyber threat, you should take of Lokibot removal by following steps below. Do not forget you need to keep your computer protected at all times, so we recommend using anti-malware software with real-time protection feature. 

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove Lokibot virus you agree to our privacy policy and agreement of use.
do it now!
Reimage (remover) Happiness
Reimage (remover) Happiness
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall Lokibot virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.
Press mentions on Reimage

To remove Lokibot virus, follow these steps:

Remove Lokibot using Safe Mode with Networking

To get rid of Lokibot virus, enter Safe Mode with Networking in the following way:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Lokibot

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Lokibot removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Lokibot using System Restore

You can also try System Restore to eliminate trojan:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Lokibot. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Lokibot removal is performed successfully.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Lokibot and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Jake Doevan
Jake Doevan - Computer technology expert

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions


Removal guides in other languages