Win32/Spy.Ranbyus
Threat Scorecard
Threat Level: 90% (High)
Infected Computers: 13
First Seen: December 28, 2012
Last Seen: May 26, 2022
OS(es) Affected: Windows
Win32/Spy.Ranbyus is a dangerous malware family used to steal banking information. It is being used to modify Java code in Remote Banking Systems located in Ukraine. Win32/Spy.Ranbyus is considered especially dangerous because it can defeat the smartcard functionality of modern banking systems: it contains components that bypass the authentication processes in banking transactions that involve smartcard devices. Some of the latest variants of Win32/Spy.Ranbyus can modify Java code used in remote banking systems, including iBank 2, Ukraine's most popular remote banking system. Although Win32/Spy.Ranbyus infections have been observed outside of Ukraine, ESG malware analysts have observed that the great majority of infections are concentrated in that country.
While other banking Trojans use web injection to intercept and modify their victims' online banking transactions, Win32/Spy.Ranbyus is instead designed to attack banking and payment software directly. Win32/Spy.Ranbyus first steals information from the infected computer. It is then used to steal forms from certain Java software used in these kinds of banking systems. In this way, criminals can gain access to online banking passwords, account numbers, credit card information and other information.
What Makes the Win32/Spy.Ranbyus Trojan Different from Other, Similar Banking Trojans?
These kinds of attacks are not particularly new. Known as Java patching, this technique is also used by other banking Trojan families, including Carberp (another infamous banking Trojan family that can modify Java code and banking software). However, Win32/Spy.Ranbyus can affect the Java code directly, bypassing the Java Virtual Machine. This is important because Win32/Spy.Ranbyus can be used to modify information on the affected statement, such as the account balance, which allows criminals to hide their tracks. ESG security researchers have also observed that Win32/Spy.Ranbyus can block the activities of the remote banking system entirely. In its place, Win32/Spy.Ranbyus causes a message written in Russian to appear. The translation of this message is:
'Technical work is being performed on the server, and the service may be temporarily unavailable. We apologize for the inconvenience'.
Today, Win32/Spy.Ranbyus is poised to become the inspiration for numerous copycat banking malware infections outside of Ukraine. Win32/Spy.Ranbyus is already the top banking Trojan infection in Ukraine. To protect your computer from Win32/Spy.Ranbyus attacks, ESG malware analysts encourage using a reliable anti-malware program, following online safety procedures and taking extra security measures when conducting online banking or other sensitive online activities.