Recently, a new ransomware strain was discovered that tries to uninstall security software on victims’ PCs. MalwareHunterTeam first discovered the ransomware, named AVCrypt, and security professionals at Bleeping Computer later researched it.
According to the research on AVCrypt, it not only tries to remove existing antivirus products before encrypting the computer but also removes selected Windows services.
Researchers such as Lawrence Abrams and Michael Gillespie say the ransomware tries to uninstall software in a way that no one had witnessed before, which marks it as unusual.
The open question is the actual purpose of the malware. Its capabilities make it look like ransomware, but some of its elements appear to be incomplete. There is a hint of encryption, but there is no true ransom note, and the AVCrypt process gets deleted. It is possible that the malware might be used as a wiper.
How AVCrypt reaches its victims is still unclear. Once the malicious code runs on a victim’s PC, the malware starts removing security software, either targeting Windows Defender and Malwarebytes first or, before trying to uninstall programs, querying for other antivirus software.
To remove the AV products, the ransomware deletes the Windows services MBAM Protection, Schedule, Term Service, WPDBusEnum, WinDefend, and MBAM Web Protection, which are needed for the protection to run properly.
The malware then checks whether any other antivirus software is registered with Windows Security Center. It then removes these details through the command line.
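A defender can hunt for this behaviour in process-creation logs. The following is an added example, not code from the original article or from the researchers it cites: it flags command lines that stop, delete or reconfigure the services named above, or that delete an antivirus registration from Security Center. The use of sc.exe and wmic, the spacing of the service names, and the sample records are assumptions, since the article only says "command line".

```python
import re

# Service names as listed in the article. Assumption: registered names carry
# no spaces, so comparison strips spaces and ignores case.
ARTICLE_SERVICES = ("MBAM Protection", "Schedule", "Term Service",
                    "WPDBusEnum", "WinDefend", "MBAM Web Protection")
TARGETS = {s.replace(" ", "").lower() for s in ARTICLE_SERVICES}

# sc.exe invoked (bare, quoted or by full path) with a verb that stops,
# removes or reconfigures a service, followed by the service name.
SC_RE = re.compile(
    r'(?:^|[\s\\"&])sc(?:\.exe)?"?\s+(stop|delete|config)\s+("[^"]+"|[^\s"&]+)',
    re.I)
# A command line that deletes an AntiVirusProduct entry from the Security
# Center WMI namespace (assumed shape; the article gives no command).
WSC_RE = re.compile(r"securitycenter2?\b.*\bantivirusproduct\b.*\bdelete\b", re.I)

def classify(cmdline):
    """Return sorted findings such as 'service:delete:windefend' for one command line."""
    findings = set()
    for verb, name in SC_RE.findall(cmdline):
        svc = name.strip('"').replace(" ", "").lower()
        if svc in TARGETS:
            findings.add(f"service:{verb.lower()}:{svc}")
    if WSC_RE.search(cmdline):
        findings.add("wsc:antivirus-registration-delete")
    return sorted(findings)

def hunt(events):
    """events: iterable of (host, cmdline). Return {host: findings} for hosts with hits."""
    hits = {}
    for host, cmdline in events:
        found = classify(cmdline)
        if found:
            hits.setdefault(host, set()).update(found)
    return {h: sorted(f) for h, f in hits.items()}

# Constructed process-creation records (host, command line) for illustration.
SAMPLE = [
    ("ws-01", r'cmd.exe /c "sc stop WinDefend & sc delete WinDefend"'),
    ("ws-01", r'C:\Windows\System32\sc.exe delete "MBAM Protection"'),
    ("ws-01", r'wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct where displayName="ExampleAV" delete'),
    ("ws-02", r"sc query WinDefend"),
    ("ws-02", r"sc stop Spooler"),
]

if __name__ == "__main__":
    for host, found in hunt(SAMPLE).items():
        print(host, found)
```

Several distinct findings on one host within a short window are a much stronger signal than a single service stop, which administrators also perform.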
However, the researchers reported that during their tests the malware failed to delete Emsisoft antivirus software through this technique. It is still unknown whether deleting the Windows services, which hampers AV protection, would work against other solutions.
The wiper features would not destroy Windows but may cause service degradation. After this stage is complete, AVCrypt uploads an encryption key to a TOR location, along with system information and the time zone. The malware then scans for files to encrypt and renames them in the process.
The ransom note is saved under the name “+How_to_unlock.txt” and contains no decryption instructions or contact information. Instead it contains what seems to be the placeholder text “lol n”. The ransomware appears to be in the development stage, and there is only a weak link between AVCrypt and the recent attack on a Japanese university; whether the malware was responsible is not known.
In a recent interview, Microsoft told publications that only two samples of the malware had been detected, and the company therefore thinks that AVCrypt is incomplete. The researchers said that the ransomware is harmful to an infected system and at the same time uploads the encryption key to a remote server. So it is not known whether it is true ransomware or a wiper in disguise.
Ragnar is a professional technical writer who completed a Master's in engineering management at Princeton University, US, and has been writing for the past 11 years. He presents technical information in a comprehensive and easy way so that all readers and tech lovers can understand the complexity of the subject. Covering everything from hardware such as Brother printers to software like Kaspersky, Ragnar’s articles help users clarify their doubts.