Also known as: Snifula, Gozi, CRM, Gozi CRM, Papras
Category: Malware
Type: Spyware, banking trojan
Platforms: Windows
Variants:
Damage potential: Stolen credentials, fraudulent transactions, financial loss, future payloads
Overview
Ursnif is a multi-faceted malware that steals sensitive information from infected devices. First detected in 2000, Ursnif is one of the oldest malware families and has evolved in its information-stealing and evasion capabilities ever since. Recent versions of Ursnif can collect credentials from browsers and email services, use these credentials to access bank accounts, and make transactions.
Possible symptoms
The symptoms of an Ursnif infection may vary, but here are some indicators to watch out for:
- Unauthorized activity in online accounts.
- Unfamiliar changes in system settings.
- Suspicious files or unfamiliar processes running in task directories.
- Slower system performance.
Sources of the infection
Ursnif typically spreads through malicious attachments in phishing emails and drive-by (unintentional) downloads from compromised websites. In other cases, removable media such as USB drives and external hard drives can be a source of infection.
Protection
Being cautious online reduces the risk of an Ursnif infection.
- Do not open links or attachments in suspicious emails.
- Block malware-infected websites and scan downloaded files for viruses with NordVPN’s Threat Protection Pro.
- Scan removable media (e.g., USB drives) for malware before using it.
- Install reputable antivirus software and keep it updated.
- Use a password manager to create strong passwords and store them securely.
- Enable multi-factor authentication (MFA) for online banking and cryptocurrency accounts.
Removal
Follow these steps to get rid of Ursnif using antivirus software:
- Disconnect the infected device from the internet.
- Boot into safe mode and run a full system scan.
- Follow your software’s instructions to isolate and remove Ursnif.
- Change passwords for online financial services.
- Monitor your accounts for suspicious activity.
- Get help from a cybersecurity expert if you’re not sure how to perform a complete removal.