A new type of ransomware tries to uninstall the security software you use before attacking. The ransomware has been named AVCrypt; it was first discovered by MalwareHunterTeam and later analyzed by Bleeping Computer.
According to that analysis, AVCrypt not only tries to remove the existing security products before it encrypts a computer, but also deletes some Windows services.
Researchers Lawrence Abrams and Michael Gillespie report that the ransomware "tries to uninstall software in a way we have never seen before", which makes the malware quite unusual.
The actual purpose of the malware, which looks like ransomware because of its capabilities, is also open to question, since some of its components seem not to be fully developed.
There are components that can encrypt the disk, but no note that actually demands a ransom. There also appears to be a routine that deletes data, and the researchers consider it quite likely that the malware could be used as a wiper as well.
Exactly how AVCrypt works is not yet known. What is known is that the first thing it does on the victim's computer is remove security software, targeting Windows Defender, Malwarebytes and others.
To remove those products, the ransomware deletes the Windows services they need in order to function properly, such as MBAMProtection, Schedule, TermService, WPDBusEnum, WinDefend and MBAMWebProtection.
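A responder who suspects this behaviour wants a quick way to confirm that the services named above still exist and have not been disabled. The following PowerShell script is an added example written for this article; it is not code from the researchers' analysis or from the malware. It assumes only the service names listed above and standard Windows cmdlets (Get-Service, Get-CimInstance); the Role descriptions are annotations I added for readability.

```powershell
# Added example (not from the article or the researchers' analysis).
# Checks whether the services AVCrypt is reported to delete are still present
# and not disabled on this host. Service names are those listed in the article.
$WatchedServices = @(
    @{ Name = 'WinDefend';         Role = 'Windows Defender antivirus engine' }
    @{ Name = 'MBAMProtection';    Role = 'Malwarebytes real-time protection' }
    @{ Name = 'MBAMWebProtection'; Role = 'Malwarebytes web protection' }
    @{ Name = 'Schedule';          Role = 'Task Scheduler (built-in)' }
    @{ Name = 'TermService';       Role = 'Remote Desktop Services (built-in)' }
    @{ Name = 'WPDBusEnum';        Role = 'Portable Device Enumerator (built-in)' }
)

function Test-WatchedServices {
    param([hashtable[]]$Services = $WatchedServices)

    foreach ($entry in $Services) {
        # Get-Service throws for an unknown name; silence that and treat $null as "deleted".
        $svc = Get-Service -Name $entry.Name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            $state = 'MISSING'
            $start = $null
        } else {
            $state = $svc.Status
            # Start mode comes from WMI/CIM; a service flipped to Disabled is also suspicious.
            $cim = Get-CimInstance -ClassName Win32_Service `
                       -Filter "Name='$($entry.Name)'" -ErrorAction SilentlyContinue
            $start = if ($cim) { $cim.StartMode } else { $null }
        }
        [pscustomobject]@{
            Service    = $entry.Name
            Role       = $entry.Role
            State      = $state
            StartMode  = $start
            Suspicious = ($state -eq 'MISSING') -or ($start -eq 'Disabled')
        }
    }
}

# Print the table and return a non-zero exit code if anything needs attention,
# so the script can be driven from a scheduled task or a monitoring agent.
$results = Test-WatchedServices
$results | Format-Table -AutoSize
if ($results | Where-Object Suspicious) { exit 1 }
```

Two caveats when reading the output: the MBAM* services only exist on hosts where Malwarebytes is installed, so trim the list to the products actually deployed; and a Stopped TermService is normal on a workstation that does not accept RDP, whereas a missing Schedule or WinDefend service is a strong signal, because both ship with Windows and are not normally deleted by anything legitimate.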
Once this stage is complete, AVCrypt uploads an encryption key to a TOR site, along with system information and the time zone. The malware then starts scanning for files to encrypt, renaming them as it goes.
The ransom note, stored as "+HOW_TO_UNLOCK.txt", contains no decryption instructions or contact information. Instead, it simply reads "lol n".
It appears the ransomware is still in development.
Microsoft said it has detected only two samples of this malware and believes AVCrypt is not yet complete.