A new type of ransomware tries to uninstall security software that useste before attacking. The ransomware was named AVCrypt, and was first discovered by MalwareHunterTeam. Later it was analyzed by security professionals Bleeping Computer.
According to a malware analysis, AVCrypt tries not only to remove existing protection products before encrypting a computer but also deletes some of the Windows services.
Researchers Lawrence Abrams and Michael Gillespie report that ransomware "tries to uninstall software in a way we have never seen before", which makes malware quite unusual.
The real purpose of the malware - which appears to be ransomware because of its capabilities - is also questionable, as some of the components appear to be underdeveloped.
There are elements that can encrypt the disk, but there is no note asking for a ransom. There seems to be a process that allows data to be deleted and according to the researchers it is very likely that malware can also be used as a wiper.
The exact way AVCrypt works is not yet known, however, the first thing it does on the victim's computer is to remove security software by targeting Windows Defender, Malwarebytes, and more.
In order to remove security products, ransomware deletes Windows services required for their proper operation, such as MBAMProtection, Schedule, TermService, WPDBusEnum, WinDefend, and MBAMWebProtection.
Once this stage is complete, AVCrypt uploads an encryption key to a TOR page along with the information system and time zone. The malware starts scanning files for encryption, renaming them in parallel.
The ransom note stored as "+ HOW_TO_UNLOCK.txt" does not contain any decryption instructions or contact information. Instead, there is a simple "lol n".
As it appears, ransomware is still in development.
Microsoft said it has detected only two samples of this malware and believes AVCrypt is not yet complete.
- TLS 1.3 official adoption of the new IETF security protocol
- Acronis Ransomware Protection for free and with absolute security