A new ransomware virus called Floki has appeared which is capable of stealing financial information such as credit card data and login credentials for financial websites such as a user’s bank. Floki Bot “tricks” the computer user into providing the information either by presenting a “fake” website that looks precisely like the real thing or by enticing the user to download and execute code represented as an update for installed software. In reality, the download is the virus. Floki is targeting Point-of-Sale (PoS) systems as well as average computer users.
Floki Bot used the source code of the Zeus Trojan as a starting point and then added its own versions of segments of the code. Users may become aware of the infection when presented with a ransom note saying that if the user pays a fee, encryption will be removed from the segments of the hard drive which have been modified. One should never pay the ransom because the responsible party will take your money but will not remove the encryption. In many situations the infection is “silent”, with the computer user unaware that it is in place unless strange extension names such as .vvv or .ccc are noticed on system programs. Extensions are the portion of a file name following the period, such as name.docx for Word documents. At times the only indications of its presence are the user’s system becoming slow and unresponsive or behaving strangely. Strange behavior includes things like a user attempting to open a Word document only to find that they have entered an Excel file.
The most important concept is to stop using your computer once you think an infection may exist and to contact your IT service provider, such as Friendly Computers if you use the ultimate computer service provider. Continued use increases the probability of additional damage occurring. Floki infections are “nasty”, and a simple virus scan using your antivirus program will not remove the culprit. A common misconception about antivirus programs is that they protect the user by removing infections. While that does occur in some cases, the primary focus of a computer antivirus program is preventing – not removing – infections. When the user was enticed to download and install “fake” software updates, the antivirus program was “bypassed”. Removal of Floki requires special equipment and software. Many service providers will offer to solve the problem by reloading the computer, losing all customer data in the process. That approach does become necessary at times at Friendly, but we almost never propose a reload as the best approach for recovering from something like Floki. If, however, the virus has been active long enough to actually encrypt a portion of the user’s operating system, the only solution might be a reload.
What is Floki?
Floki is a Trojan. “A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users’ systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems.” In simple English, the computer user is enticed to download and execute the code necessary for the infection to become established on the system. Suggesting that an update is available for well-known software installed on the system is a popular approach for gaining entry. Floki Bot’s ability to grab credit card information using memory hooks is unique. Because of these capabilities, it has been asserted that the malware in its current state can be used to infect PoS terminals with the ultimate goal of exfiltrating credit card data during card-present transactions.
What was its Birthday?
During September of 2016, the Floki virus was first advertised under the name “Floki Bot” on a top-tier Russian cybercriminal forum, where it was offered for sale for $1000 US currency. The purpose of Floki is stealing financial information, and it is most effective on Point-of-Sale systems simply because of the wealth of information available in a single location. Rather than stealing financial information, such as credit card data, for one or two users of a home computer, sometimes thousands of records may be extracted from a PoS system.
Network World provides additional information about Floki Bot, stating, “Floki Bot is based on the same codebase that was used by the infamous Zeus trojan, the source code of which was leaked in 2011. Rather than simply copying the features that were present within the Zeus trojan ‘as-is’, Floki Bot claims to feature several new capabilities making it an attractive tool for criminals.”
Read the Network World article here: Zeus Spawn Floki Bot
How Can I Protect Myself?
Simply be cautious. When a message is received instructing you to download and install an “update”, do NOT proceed without some investigation. The first thing to check is whether the program being updated is even installed on your computer. By going to the Control Panel and double-clicking “Programs and Features”, you can see a list of all installed programs on your machine. If you are asked to download and install an update for ImgBurn, for example, but you don’t see that name on the list of programs, simply forgo the update. Sometimes a legitimate update is suggested for a program you do have installed. Not sure? Call Friendly Computers to ask! 281-554-5500.
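The same check the paragraph describes can be done from PowerShell, which is handy when you want to search the list rather than scroll through it. The script below is an added example and is not code from the original post or from Friendly Computers; it assumes a Windows machine with PowerShell, reads the Uninstall registry keys that populate “Programs and Features”, and uses the post’s ImgBurn example as the program name to look up.

```powershell
# Added example (not from the original post): before trusting an "update" prompt,
# confirm that a program of that name is actually installed on this machine.
# Reads the registry keys behind Control Panel > Programs and Features.
function Get-InstalledProgramNames {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |          # skip entries with no display name
        Select-Object -ExpandProperty DisplayName |
        Sort-Object -Unique
}

# Returns $true if any installed program's display name contains $Name.
function Test-ProgramInstalled {
    param([Parameter(Mandatory)][string]$Name)
    $hits = Get-InstalledProgramNames | Where-Object { $_ -like "*$Name*" }
    if ($hits) {
        Write-Host "Installed entries matching '$Name':"
        $hits | ForEach-Object { Write-Host "  $_" }
        return $true
    }
    Write-Host "No installed program matches '$Name'. Treat the update prompt as suspicious."
    return $false
}

# Usage: pass the program name shown in an unexpected update prompt.
# ImgBurn is the example from the post; substitute the name you were shown.
Test-ProgramInstalled -Name 'ImgBurn'
```

A match only tells you the program exists on the machine; it does not make the prompt genuine. If the program is installed, get the update through the program’s own built-in updater or the vendor’s website rather than from the message that prompted you.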
Always question whether a proposed update is really important. Wouldn’t you be in a far better position if you never installed a program update than if you proceeded with an update without taking the effort to ensure that it is as represented, and ended up with an infected system? This is especially true if you are not experiencing any difficulties with the software installed. Many times updates eliminate obscure program options that you have never used and probably never will.
Summarizing: always double-check before proceeding with any suggested download, and if you suspect that your system has been infected, bring it to us or schedule a call, and do not use your computer in the interim. Never pay any ransom, no matter how small, because you will NOT receive the promised code for undoing damage to your system. Even if paying worked, and it will not, the infection would still be on your system.
If you suspect the Floki Bot has attacked your system or stolen financial information, or if you just need help with other types of viruses and malware, give us a call today. Friendly Computers has removed hundreds of thousands of viruses, trojans, ransomware, and other malware. Call now: 281-554-5500.