AVCrypt ransomware tries to uninstall your AV software

Target: Windows Users

Attack Vector: Unknown; assumed to be the usual delivery methods, e.g. emails, malvertising and fake software updates.

Summary: AVCrypt is a malicious program that targets anti-virus and security software. It drops an empty +HOW_TO_UNLOCK.txt file that is presumably a ransom note, but it has not yet been established whether the sample is a wiper or ransomware. It attempts to delete a variety of Windows services, and the ransom note contains no instructions for decrypting files, which could indicate either a wiper or a ransomware that is still in development. It is capable of making system changes, deleting files and removing anti-virus software on the targeted machine. It specifically targets Windows Defender and Malwarebytes and deletes Windows services in order to stop them operating properly.

Risk assessment summary: The threat is assessed as 3e MODERATE. If successful, the malware is capable of deleting security software and encrypting files as part of a ransomware attack. It can be destructive to an infected machine; at the same time, it does appear to upload the encryption key to a remote server. The ransom note contains neither decryption instructions nor a bitcoin demand, so it is not known whether this is a true ransomware that is still in development or a wiper disguised as one.
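As an added host-level hunting check (written for this page, not code from the original post or from any vendor), the following PowerShell script looks for the indicators described above: the dropped +HOW_TO_UNLOCK.txt note, the state of the Windows Defender and Malwarebytes services, and recent service start-type changes. The service names WinDefend and MBAMService, the C:\Users profile root and the 24-hour window are assumptions to adjust for your estate.

```powershell
# Added hunting script; assumptions: service names WinDefend (Windows Defender)
# and MBAMService (Malwarebytes), ransom note dropped under C:\Users.
$noteName         = '+HOW_TO_UNLOCK.txt'
$securityServices = @('WinDefend', 'MBAMService')   # assumed service names
$profileRoot      = 'C:\Users'                      # assumed profile root
$findings         = @()

# 1. Look for the (empty) ransom note under user profiles.
Get-ChildItem -Path $profileRoot -Filter $noteName -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Indicator = 'RansomNote'
            Detail    = "$($_.FullName) ($($_.Length) bytes)"
        }
    }

# 2. Confirm the security services still exist and are running; AVCrypt
#    deletes services to stop Defender and Malwarebytes from operating.
foreach ($svc in $securityServices) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s) {
        $findings += [pscustomobject]@{ Indicator = 'ServiceMissing'; Detail = $svc }
    } elseif ($s.Status -ne 'Running') {
        $findings += [pscustomobject]@{ Indicator = 'ServiceStopped'; Detail = "$svc ($($s.Status))" }
    }
}

# 3. Service Control Manager logs start-type changes to the System log as
#    event 7040; a security service switched to Disabled in the last day is
#    worth a look even if the service itself was not removed.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7040; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $m = $_.Message; $securityServices | Where-Object { $m -match $_ } } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Indicator = 'StartTypeChanged'; Detail = $_.Message.Trim() }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No AVCrypt indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in an elevated session so the event log and all profile directories are readable; a hit on any indicator warrants isolating the host and pulling a memory and disk image before remediation.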
