A new guy ransomware it tries to uninstall the security software you use before it attacks. The ransomware was named AVCrypt, and was first discovered by MalwareHunterTeam. Later it was analyzed by security professionals Bleeping Computer.
According to a malware analysis, AVCrypt tries not only to remove existing protection products before encrypting a computer but also deletes some of the Windows services.
Researchers Lawrence Abrams and Michael Gillespie states that the ransomware "attempts to uninstall software in a way we've never seen before," which makes the malware quite unusual.
The real purpose of the malware - which appears to be ransomware because of its capabilities - is also questionable, as some of the components appear to be underdeveloped.
There are elements that can encrypt the disk, but there is no note asking for a ransom. There seems to be a process that allows data to be deleted and according to the researchers it is very likely that malware can also be used as a wiper.
It is not yet known exactly how AVCrypt works, however, the first thing it does on a victim's computer is to remove security software, targeting in turn applications Windows Defender, Malwarebytes and more.
In order to remove security products, ransomware deletes Windows services required for their proper operation, such as MBAMProtection, Schedule, TermService, WPDBusEnum, WinDefend, and MBAMWebProtection.
Once this stage is complete, AVCrypt uploads an encryption key to a TOR page along with system information and time zone. The malicious program it starts scanning the files for encryption, renaming them at the same time.
The ransom note stored as "+ HOW_TO_UNLOCK.txt" does not contain any decryption instructions or contact information. Instead, there is a simple "lol n".
As it appears, ransomware is still in development.
Microsoft said it has detected only two samples of this malware and believes AVCrypt is not yet complete.
- TLS 1.3 official adoption of the new IETF security protocol
- Acronis Ransomware Protection for free and with absolute security