AVCrypt (av2018.exe) - Ransomware or Wiper Malware?

AVCrypt is the name (after a sample named av2018.exe) of a new ransomware that displays rather unusual behavior: it attempts to uninstall whatever anti-virus and security programs are present on the targeted system.

Threat Summary

Name: AVCrypt
Type: Ransomware, Wiper
Short Description: The ransomware aims to delete AV products on the targeted system, alongside some other system services.
Symptoms: After the first stage of the attack is finished, AVCrypt will upload an encryption key, some system details and time zone to a Tor location.
Distribution Method: Currently unknown.

Not only does AVCrypt attempt this, but it also removes Windows Update and some services crucial to the Windows operating system. What is most intriguing is that the ransomware does not give any contact information, which has led researchers to believe it may in fact be wiper malware.

Analysis of AVCrypt, which was first spotted by researcher Michael Gillespie, shows that the alleged ransomware removes existing antivirus programs on the system as well as several crucial Windows services. These activities are performed in a manner that hasn’t been recorded previously, at least to the knowledge of researchers.

AVCrypt – Ransomware, Wiper, or Something Else?

The exact purpose of this malware remains unknown. However, because of some of its capabilities, researchers assumed it is indeed ransomware. There are signs of encryption capabilities, but they are somewhat undeveloped. On top of that, no ransom note is present. The malware may be pretending to be ransomware, but in fact it may be a wiper or something even worse.

Currently, the distribution methods used by AVCrypt remain unclear.

To remove the antivirus programs, it first removes the Windows services that protection services need in order to run, such as Schedule, WinDefend, and several others. Then, it checks whether antivirus products are registered via Windows Security Center. Finally, it deletes any such registration details with the help of the command line.


As for the wiper functionalities, they don’t entirely demolish Windows but are more likely to cause degradation of services.

After the first stage of the attack is finished, the malware will upload an encryption key, some system details and time zone to a Tor location. Finally, it will scan for files to encrypt and will rename them accordingly. As mentioned earlier, no instructions on decryption or any other information are present in the ransom note, which is saved as “+HOW_TO_UNLOCK.txt”.
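The behaviours described above (protection services such as Schedule and WinDefend removed, Security Center antivirus registrations deleted, the +HOW_TO_UNLOCK.txt note written) can be correlated per host for triage. This is an added example, not code from the article or from the researchers; the normalized event fields, the sc/net command-line pattern and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Names taken from the article; extend the service set for your own environment.
PROTECTED_SERVICES = {"schedule", "windefend"}
NOTE_NAME = "+how_to_unlock.txt"

# Assumption: service removal is visible as sc.exe/net.exe verbs in process-creation logs.
SVC_RE = re.compile(r'\b(?:sc|net)(?:\.exe)?"?\s+(stop|delete|config)\s+"?([\w$-]+)', re.I)


def classify(event):
    """Return the set of behaviours a single normalized event exhibits."""
    hits = set()
    for _verb, service in SVC_RE.findall(event.get("command_line", "")):
        if service.lower() in PROTECTED_SERVICES:
            hits.add("service_tamper")
    # Assumption: WMI activity is normalized into these three hypothetical fields.
    if (event.get("wmi_namespace", "").lower().endswith("securitycenter2")
            and event.get("wmi_class", "").lower() == "antivirusproduct"
            and event.get("wmi_op", "").lower() == "delete"):
        hits.add("wsc_av_unregister")
    name = event.get("target_file", "").replace("/", "\\").rsplit("\\", 1)[-1]
    if name.lower() == NOTE_NAME:
        hits.add("ransom_note")
    return hits


def triage(events, threshold=2):
    """Map host -> sorted behaviours, for hosts showing >= threshold distinct ones."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]] |= classify(ev)
    return {h: sorted(b) for h, b in seen.items() if len(b) >= threshold}


# Constructed sample events, not captured from a real infection.
SAMPLE_EVENTS = [
    {"host": "WS-01", "command_line": "sc.exe query WinDefend"},
    {"host": "WS-01", "command_line": "net stop Spooler"},
    {"host": "WS-01", "wmi_namespace": r"root\SecurityCenter2",
     "wmi_class": "AntiVirusProduct", "wmi_op": "query"},
    {"host": "WS-02", "command_line": "cmd.exe /c sc stop WinDefend & sc delete WinDefend"},
    {"host": "WS-02", "command_line": "cmd.exe /c sc delete Schedule"},
    {"host": "WS-02", "wmi_namespace": r"root\SecurityCenter2",
     "wmi_class": "AntiVirusProduct", "wmi_op": "delete"},
    {"host": "WS-02", "target_file": r"C:\Users\alice\Documents\+HOW_TO_UNLOCK.txt"},
    {"host": "WS-03", "command_line": "sc config WinDefend start= disabled"},
]
```

Requiring two distinct behaviours keeps a lone administrative change (WS-03) or a read-only query (WS-01) from raising an alert, while WS-02 shows all three.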

To summarize: after analyzing AVCrypt’s behavior so far, the researchers believe that it is not yet complete and is still in a development stage. According to Microsoft, only two samples of the threat have been detected.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
