AVCrypt: the ransomware that deletes the antivirus before it strikes

A new ransomware strain tries to uninstall the security software you use before it attacks. The ransomware was named AVCrypt and was first discovered by MalwareHunterTeam. It was later analyzed by security professionals at Bleeping Computer.

According to the malware analysis, AVCrypt not only tries to remove existing protection products before encrypting a computer but also deletes some Windows services.

Researchers Lawrence Abrams and Gillespie state that the ransomware "attempts to uninstall software in a way we've never seen before," which makes the malware quite unusual.

The real purpose of the malware, which appears to be ransomware because of its capabilities, is also questionable, as some of its components appear to be underdeveloped.

There are components that can encrypt the disk, but there is no note asking for a ransom. There also seems to be a routine that deletes data, and according to the researchers it is very likely that the malware can also be used as a wiper.

It is not yet known exactly how AVCrypt works; however, the first thing it does on a victim's computer is remove security software, targeting, in turn, Malwarebytes and more.

In order to remove security products, the ransomware deletes the Windows services required for their proper operation, such as MBAMProtection, Schedule, TermService, WPDBusEnum, WinDefend, and MBAMWebProtection.
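A defensive baseline check for the services named above, added here as an example (it is not from the article or from the researchers' analysis). The service descriptions and the rule that the Malwarebytes services are only expected on hosts where Malwarebytes is installed are assumptions; run it from an elevated PowerShell session on the host you want to audit.

```powershell
# Services the article reports AVCrypt deleting, with (assumed) descriptions.
$MonitoredServices = @{
    'MBAMProtection'    = 'Malwarebytes real-time protection'
    'MBAMWebProtection' = 'Malwarebytes web protection'
    'WinDefend'         = 'Windows Defender Antivirus'
    'Schedule'          = 'Task Scheduler'
    'TermService'       = 'Remote Desktop Services'
    'WPDBusEnum'        = 'Portable Device Enumerator Service'
}

function Test-ProtectionServices {
    param(
        [hashtable]$Services = $MonitoredServices,
        # Assumption: Malwarebytes is installed if its program directory exists.
        [bool]$MalwarebytesInstalled = (Test-Path "$env:ProgramFiles\Malwarebytes")
    )
    foreach ($name in $Services.Keys) {
        # Skip vendor services for a product that is not installed; their absence is expected.
        if ($name -like 'MBAM*' -and -not $MalwarebytesInstalled) { continue }

        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            # A built-in or AV service that no longer exists at all is the strongest signal.
            [pscustomobject]@{ Service = $name; Description = $Services[$name]
                                State = 'MISSING'; Severity = 'High' }
        }
        elseif ($svc.StartType -eq 'Automatic' -and $svc.Status -ne 'Running') {
            # Only flag stopped services that should be running on their own.
            [pscustomobject]@{ Service = $name; Description = $Services[$name]
                                State = [string]$svc.Status; Severity = 'Medium' }
        }
    }
}

$findings = @(Test-ProtectionServices)
if ($findings.Count -gt 0) {
    $findings | Sort-Object Severity | Format-Table -AutoSize
} else {
    'All monitored protection services are present and running.'
}
```

Scheduling this check and forwarding any 'MISSING' finding to your SIEM turns the service list from the analysis into a simple tamper indicator.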

Once this stage is complete, AVCrypt uploads an encryption key to a TOR page along with system information and the time zone. The malware then starts scanning for files to encrypt, renaming them as it goes.

The ransom note stored as "+ HOW_TO_UNLOCK.txt" does not contain any decryption instructions or contact information. Instead, there is a simple "lol n".

It appears the ransomware is still in development.

Microsoft said it has detected only two samples of this malware and believes AVCrypt is not yet complete.

iGuRu.gr - The Best Technology Site in Greece

Written by giorgos

George still wonders what he's doing here ...
