AVCrypt is the name (after a sample named av2018.exe) of a new ransomware that displays a rather unique behavior. The ransomware attempts to uninstall whatever anti-virus and security programs are present on the targeted system.
| Short Description | The ransomware aims to delete AV products on the targeted system, alongside some other system services. |
| Symptoms | After the first stage of the attack is finished, AVCrypt will upload an encryption key, some system details and time zone to a Tor location. |
| Distribution Method | Currently unknown. |
Not only does AVCrypt attempt this, but it also removes Windows Update and some services crucial to the Windows operating system. What is most intriguing is that the ransomware does not give any contact information, which has led researchers to believe it may in fact be wiper malware.
Analysis of AVCrypt, which was first spotted by researcher Michael Gillespie, shows that the alleged ransomware removes existing antivirus programs on the system as well as several crucial Windows services. These activities are performed in a manner that hasn’t been recorded previously, at least to the knowledge of researchers.
AVCrypt – Ransomware, Wiper, or Something Else?
What the exact purpose of this malware truly is remains unknown. However, due to some of its capabilities, researchers assumed it is indeed ransomware. There are indeed signs of encryption capabilities, but they are somewhat undeveloped. On top of that, no ransom note is present. The malware may be pretending to be ransomware but may in fact be a wiper or something even worse.
Currently, the distribution methods used by AVCrypt remain unclear.
To remove the antivirus programs, it first removes Windows services that protection software needs in order to run, such as Schedule, WinDefend, and several others. Then it checks whether antivirus products are registered via Windows Security Center. Finally, it deletes any such registration details with the help of the command line.
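The service-removal step described above leaves a trace in the System event log before any file is encrypted, which makes it a useful early detection point. The following is an added example (not from the original write-up or from any researcher's tooling) that runs over constructed Service Control Manager records and flags the protection services the text names being stopped or disabled; the display names and event message shapes are assumptions based on stock English Windows builds and should be adjusted to your environment.

```python
import re

# Services the write-up names AVCrypt stopping before it goes for AV products, keyed by
# the display name the Service Control Manager writes into its events (assumption: display
# names vary by Windows build; extend the dict with the "several others" for your estate).
PROTECTED_SERVICES = {
    "Windows Defender Antivirus Service": "WinDefend",
    "Task Scheduler": "Schedule",
}

# System-log events from the Service Control Manager: 7036 = state change,
# 7040 = start type change. The patterns follow the stock English message text.
STOPPED_RE = re.compile(r"The (?P<name>.+?) service entered the (?P<state>\w+) state\.")
START_TYPE_RE = re.compile(
    r"The start type of the (?P<name>.+?) service was changed from (?P<old>.+?) to (?P<new>.+?)\.")


def analyze(records):
    """Return (service, event_id, reason) for each protection service stopped or set to disabled."""
    alerts = []
    for rec in records:
        eid, msg = rec["EventID"], rec["Message"]
        if eid == 7036:
            m = STOPPED_RE.match(msg)
            if m and m["state"] == "stopped" and m["name"] in PROTECTED_SERVICES:
                alerts.append((PROTECTED_SERVICES[m["name"]], eid, "service entered stopped state"))
        elif eid == 7040:
            m = START_TYPE_RE.match(msg)
            if m and m["new"] == "disabled" and m["name"] in PROTECTED_SERVICES:
                alerts.append((PROTECTED_SERVICES[m["name"]], eid,
                               f"start type changed from {m['old']} to disabled"))
    return alerts


def distinct_services_hit(alerts):
    """Several protection services going down together is the pattern to escalate on;
    a single isolated stop is usually an update or a reboot."""
    return len({service for service, _, _ in alerts})


# Constructed sample System-log records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7036, "Message": "The Print Spooler service entered the running state."},
    {"EventID": 7040, "Message": "The start type of the Task Scheduler service "
                                 "was changed from auto start to disabled."},
    {"EventID": 7036, "Message": "The Task Scheduler service entered the stopped state."},
    {"EventID": 7036, "Message": "The Windows Defender Antivirus Service service "
                                 "entered the stopped state."},
]
```

Feeding real records from the System log (for example exported via `Get-WinEvent`) into `analyze` and alerting when `distinct_services_hit` reaches two or more catches the sequence before the Tor upload and encryption stages begin.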
As for the wiper functionalities, they don’t entirely demolish Windows but are more likely to cause degradation of services.
After the first stage of the attack is finished, the malware will upload an encryption key, some system details and the time zone to a Tor location. Finally, it will scan for files to encrypt and will rename them accordingly. As mentioned earlier, no instructions on decryption or any other information are present in the ransom note, which is saved as “+HOW_TO_UNLOCK.txt”.
To summarize – after analyzing AVCrypt’s behavior so far, researchers believe that it is not yet complete and is still in a development stage. According to Microsoft, only two samples of the threat have been detected.