
AVCrypt (av2018.exe) – Ransomware or Wiper Malware?

AVCrypt (named after a sample called av2018.exe) is a new ransomware family with an unusual behavior: it attempts to uninstall whatever antivirus and security software is present on the targeted system.

Threat Summary

Name: AVCrypt
Type: Ransomware, Wiper
Short Description: The ransomware aims to delete AV products on the targeted system, alongside some other system services.
Symptoms: After the first stage of the attack is finished, AVCrypt will upload an encryption key, some system details and the time zone to a Tor location.
Distribution Method: Currently unknown.

Beyond that, AVCrypt also removes Windows Update and several services the operating system depends on. Most intriguing is that the malware provides no contact information for the attackers, which has led researchers to suspect it may in fact be wiper malware.

Analysis of AVCrypt, which was first spotted by researcher Michael Gillespie, shows that the alleged ransomware removes existing antivirus programs from the system as well as several crucial Windows services. As far as researchers know, this combination of actions has not been recorded in a ransomware sample before.

AVCrypt – Ransomware, Wiper, or Something Else?

What the exact purpose of this malware is remains unknown. Because of some of its capabilities, researchers initially assumed it is indeed ransomware. There are signs of encryption capability, but it appears underdeveloped. On top of that, the file it drops as a ransom note carries no ransom demand, payment instructions or contact details. The malware may be posing as ransomware while in fact being a wiper, or something worse.

Currently, the distribution methods used by AVCrypt remain unclear.

To remove the antivirus programs, it first removes the Windows services that protection software depends on, such as Schedule (the Task Scheduler service) and WinDefend (the Windows Defender service), among several others. It then checks whether any antivirus products are registered with Windows Security Center. Finally, it uses the command line to remove any products it finds registered there.


As for the wiper-like functionality, it does not destroy the Windows installation outright; removing those services is more likely to degrade the system than to render it unusable.

After the first stage of the attack is finished, the malware uploads an encryption key, some system details and the time zone to a Tor location. It then scans for files to encrypt and renames them accordingly. As mentioned earlier, the ransom note, saved as “+HOW_TO_UNLOCK.txt”, contains no decryption instructions or any other information, so a victim has no way to contact the attackers even if the encryption works as intended.
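Detection logic for the behavior described in the two passages above (service removal and Security Center tampering via the command line, and creation of the “+HOW_TO_UNLOCK.txt” note), written as an added example in Python; it is not code from the article or from the malware. It runs over a few constructed Sysmon-style process-creation and file-creation events in JSON-lines form. The sc.exe and wmic command lines in the sample are my assumptions about how a program would remove services and AV products "via the command line" (the article does not give the exact commands), and wuauserv (the Windows Update service name) is assumed because the article only says "Windows Update".

```python
import json
import re
from collections import defaultdict
from dataclasses import dataclass

# Services the article says AVCrypt removes (Schedule = Task Scheduler,
# WinDefend = Windows Defender). wuauserv is the Windows Update service; the
# article only says "Windows Update", so including that name is an assumption.
PROTECTED_SERVICES = {"schedule", "windefend", "wuauserv"}
RANSOM_NOTE = "+HOW_TO_UNLOCK.txt"
# Helper processes whose findings are attributed to their parent (the real actor).
HELPER_IMAGES = {"cmd.exe", "sc.exe", "wmic.exe", "powershell.exe"}

# "sc delete <svc>" or "sc config <svc> start= disabled" (assumed command forms)
SC_TAMPER = re.compile(
    r'\bsc(?:\.exe)?\s+(?P<verb>delete|config)\s+"?(?P<svc>[\w.-]+)"?(?P<rest>.*)',
    re.IGNORECASE)
# Anything touching the WMI namespace/class AV products use to register with Security Center
SECURITY_CENTER = re.compile(r"SecurityCenter2|AntiVirusProduct", re.IGNORECASE)
# Product uninstall driven through WMI from the command line
WMIC_UNINSTALL = re.compile(r"\bwmic(?:\.exe)?\s+product\b.*\bcall\s+uninstall\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def check_process(ev):
    """Rules for one process-creation event (Sysmon EventID 1)."""
    cmd, pid, out = ev.get("CommandLine", ""), int(ev.get("ProcessId", 0)), []
    m = SC_TAMPER.search(cmd)
    if m and m.group("svc").lower() in PROTECTED_SERVICES:
        verb = m.group("verb").lower()
        if verb == "delete" or re.search(r"start=\s*disabled", m.group("rest"), re.I):
            out.append(Finding("service_tamper", pid, f"sc {verb} {m.group('svc')}"))
    if SECURITY_CENTER.search(cmd):
        out.append(Finding("av_enumeration", pid, "queries Security Center AV registrations"))
    if WMIC_UNINSTALL.search(cmd):
        out.append(Finding("av_uninstall", pid, "wmic product ... call uninstall"))
    return out


def check_file(ev):
    """Rule for one file-creation event (Sysmon EventID 11)."""
    target = ev.get("TargetFilename", "")
    if target.rsplit("\\", 1)[-1] == RANSOM_NOTE:
        return [Finding("ransom_note", int(ev.get("ProcessId", 0)), target)]
    return []


def analyze(jsonl):
    """Run every rule over a JSON-lines log; findings come back in log order."""
    findings = []
    for ev in (json.loads(l) for l in jsonl.splitlines() if l.strip()):
        if ev.get("EventID") == 1:
            findings.extend(check_process(ev))
        elif ev.get("EventID") == 11:
            findings.extend(check_file(ev))
    return findings


def severity(rules):
    """Service removal combined with AV enumeration/uninstall or the note is the
    pattern the article describes; a single rule firing is also what an admin
    or an inventory script produces, so it only rates medium or low."""
    if "service_tamper" in rules and rules & {"av_enumeration", "av_uninstall", "ransom_note"}:
        return "high"
    if rules & {"service_tamper", "av_uninstall", "ransom_note"}:
        return "medium"
    return "low"


def score_by_actor(jsonl):
    """Attribute each finding to the process behind it (helper shells roll up
    to their parent) and rate each actor."""
    parent, image = {}, {}
    for ev in (json.loads(l) for l in jsonl.splitlines() if l.strip()):
        if ev.get("EventID") == 1:
            pid = int(ev["ProcessId"])
            parent[pid] = int(ev.get("ParentProcessId", pid))
            image[pid] = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    rules = defaultdict(set)
    for f in analyze(jsonl):
        actor = parent[f.pid] if image.get(f.pid) in HELPER_IMAGES else f.pid
        rules[actor].add(f.rule)
    return {actor: severity(r) for actor, r in rules.items()}


# Constructed sample log (not real telemetry): the sample spawning cmd.exe for
# each step, dropping the note, and an unrelated inventory script under pid 3000.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 800,
     "Image": r"C:\Users\victim\Downloads\av2018.exe", "CommandLine": "av2018.exe"},
    {"EventID": 1, "ProcessId": 4112, "ParentProcessId": 4100, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /C sc config "WinDefend" start= disabled'},
    {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 4100, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /C sc delete Schedule"},
    {"EventID": 1, "ProcessId": 4130, "ParentProcessId": 4100, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /C wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"EventID": 1, "ProcessId": 4140, "ParentProcessId": 4100, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /C wmic product where (Vendor like "%ExampleAV%") call uninstall /nointeractive'},
    {"EventID": 11, "ProcessId": 4100, "TargetFilename": r"C:\Users\victim\Documents\+HOW_TO_UNLOCK.txt"},
    {"EventID": 1, "ProcessId": 5010, "ParentProcessId": 3000,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.rule:16} pid={f.pid} {f.detail}")
    print(score_by_actor(SAMPLE_LOG))  # {4100: 'high', 3000: 'low'}
```

The point of scoring per actor rather than per event is the one the article makes: disabling a service or enumerating Security Center on its own is routine administration, while one process that does both, and then drops a note named like a ransom note, is the AVCrypt sequence. Wiper-style removal of WinDefend and Schedule has to be caught at the first sc.exe invocation, because once those services are gone the telemetry that depends on scheduled tasks or Defender may stop arriving.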

To summarize: based on AVCrypt’s behavior analyzed so far, researchers believe it is not yet complete and is still under development. According to Microsoft, only two samples of the threat have been detected.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
