A new type of ransomware tries to uninstall the security software you use before attacking. The ransomware was named AVCrypt and was first discovered by MalwareHunterTeam. It was later analyzed by security professionals at Bleeping Computer.
According to one analysis of the malicious software, AVCrypt not only tries to remove existing protection products before encrypting a computer, but also deletes some Windows services.
Researchers Lawrence Abrams and Michael Gillespie report that the ransomware "tries to uninstall software in a way we've never seen before," which makes the malware quite unusual.
The real purpose of the malware - which appears to be ransomware because of its capabilities - is also questionable, as some of the components appear to be underdeveloped.
There are components that can encrypt the drive, but there is no real ransom note. There also appears to be a data-deletion routine, and according to the researchers it is very possible that the malware can also be used as a wiper.
It is not yet known exactly how AVCrypt works; however, the first thing it does on a victim's computer is remove security software, targeting applications such as Windows Defender, Malwarebytes and others.
In order to remove security products, the ransomware deletes Windows services required for their proper operation, such as MBAMProtection, Schedule, TermService, WPDBusEnum, WinDefend, and MBAMWebProtection.
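As an added defender-side check (not code from the article or from the researchers cited), the following PowerShell script verifies whether the services the article names are still present, running and not disabled on a host; the service list is taken from the article, and a Malwarebytes service being absent on a machine that never had Malwarebytes installed is of course normal, so the script lets you pass only the services you expect.

```powershell
# Added example: audit the Windows services the article says AVCrypt deletes.
# Assumes PowerShell 5.0 or later (Get-Service exposes StartType from that version).
$ServicesNamedInArticle = @(
    'MBAMProtection',     # Malwarebytes protection
    'MBAMWebProtection',  # Malwarebytes web protection
    'WinDefend',          # Windows Defender antivirus service
    'Schedule',           # Task Scheduler
    'TermService',        # Remote Desktop Services
    'WPDBusEnum'          # Portable Device Enumerator
)

function Test-ProtectionServices {
    # Returns one record per service: MISSING, or its current status and start type.
    param([string[]]$Names = $ServicesNamedInArticle)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            [pscustomobject]@{ Service = $name; Status = 'MISSING'; StartType = 'n/a' }
            continue
        }
        [pscustomobject]@{
            Service   = $name
            Status    = $svc.Status.ToString()
            StartType = $svc.StartType.ToString()
        }
    }
}

# Pass only the services you expect on this host, e.g. omit the MBAM* entries
# where Malwarebytes is not installed.
$results = Test-ProtectionServices
$results | Format-Table -AutoSize

# A deleted, stopped or disabled security service is an indicator worth escalating.
$alerts = $results | Where-Object {
    $_.Status -ne 'Running' -or $_.StartType -eq 'Disabled'
}
if ($alerts) {
    $summary = ($alerts | ForEach-Object { "$($_.Service)=$($_.Status)/$($_.StartType)" }) -join ', '
    Write-Warning "Service tampering indicators: $summary"
}
```

Run it from a scheduled task or your endpoint management tool and forward the warning to your SIEM; a service that was present in the previous run and is MISSING now is the condition the article describes.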
Once this stage is complete, AVCrypt uploads an encryption key to a TOR page along with system information and the time zone. The malware then starts scanning files for encryption, renaming them as it goes.
The ransom note stored as "+ HOW_TO_UNLOCK.txt" does not contain any decryption instructions or contact information. Instead, there is a simple "lol n".
It appears the ransomware is still in development.
Microsoft said it has detected only two samples of this malware and believes AVCrypt is not yet complete.