AVCrypt Ransomware | Uninstall Your AV Software


Welcome to the Penetration Testing channel...

The AVCrypt Ransomware Tries To Uninstall Your AV Software.

A new ransomware named AVCrypt has been discovered that tries to uninstall existing security software before it encrypts a computer. Furthermore, as it removes numerous services, including Windows Update, and provides no contact information, this ransomware may be a wiper.

After analysis by MalwareHunterTeam, who discovered the ransomware, myself, and Michael Gillespie, it was decided to name this ransomware AVCrypt as the sample file names are av2018.exe. The developer, though, may be naming it LOL based on some of the debug messages found in the ransomware samples.

AVCrypt tries to uninstall your security software:
As already stated, when AVCrypt runs it will attempt to remove installed security software from the victim's computer. It does this in two ways: by specifically targeting Windows Defender and Malwarebytes, and by querying for installed AV software and then attempting to remove it.

Wiper or In-dev Ransomware?
At this point, it is not clear whether AVCrypt is an in-development ransomware or a wiper, as it has characteristics that support either categorization.

While Windows will continue to function after the services it removes (including Windows Update) are deleted, there will likely be issues with the proper operation of Windows.

Furthermore, the ransom notes created by the ransomware do not provide any contact information. They simply state "lol n".

At the same time, this infection does upload the encryption key to a remote TOR site, and the contents of the note could simply be a placeholder. Furthermore, when the ransomware is executed it displays an alert before it starts, and there are numerous debug messages, so it could very well be an in-development ransomware.

Microsoft has told BleepingComputer that they have only detected two samples of this ransomware, with one of them possibly being my computer, so they feel that this infection is currently in development. Microsoft is currently detecting it as Ransom:Win32/Pactelung.A.

AVCrypt Encryption Process:
When AVCrypt is executed it will sit idle for a brief period, extract an embedded TOR client, and connect to the bxp44w3qwwrmuupc.onion command & control server where it will transmit the encryption key, timezone, and Windows version of the victim. There appears to be an error in this transmission, as it appends other content from memory as part of the key.

It will then attempt to remove various security programs as described in the previous sections. Next it scans for files to encrypt and, when it encrypts a file, renames it to +[original_name]. For example, a file called test.jpg would be encrypted and then renamed to +test.jpg.
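As an added defender-side example (not from the video or the BleepingComputer article), the following Python scans file-rename telemetry for the in-place "+name" rename pattern described above and alerts when a single process does it in a burst. The pipe-separated log format, the paths and every process name other than av2018.exe are assumptions, and the events are constructed, not real telemetry.

```python
"""Flag AVCrypt-style rename bursts ("name.ext" -> "+name.ext") in file-rename telemetry."""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rename events, not real telemetry: "timestamp|process|old_path|new_path".
# av2018.exe is the sample file name from the write-up; the paths and other processes are made up.
SAMPLE_EVENTS = """\
2018-03-29T10:00:01|explorer.exe|C:\\Users\\a\\Documents\\report.docx|C:\\Users\\a\\Documents\\report_v2.docx
2018-03-29T10:05:00|av2018.exe|C:\\Users\\a\\Pictures\\test.jpg|C:\\Users\\a\\Pictures\\+test.jpg
2018-03-29T10:05:00|av2018.exe|C:\\Users\\a\\Pictures\\cat.png|C:\\Users\\a\\Pictures\\+cat.png
2018-03-29T10:05:01|av2018.exe|C:\\Users\\a\\Documents\\notes.txt|C:\\Users\\a\\Documents\\+notes.txt
2018-03-29T10:05:02|av2018.exe|C:\\Users\\a\\Documents\\budget.xlsx|C:\\Users\\a\\Documents\\+budget.xlsx
2018-03-29T11:30:00|notepad.exe|C:\\Users\\a\\Documents\\draft.txt|C:\\Users\\a\\Documents\\+draft.txt
"""

def is_avcrypt_rename(old_path: str, new_path: str) -> bool:
    """True when a file is renamed in place to '+' + its original name (the AVCrypt pattern)."""
    old_dir, old_name = ntpath.split(old_path)   # ntpath handles Windows paths on any host OS
    new_dir, new_name = ntpath.split(new_path)
    return old_dir == new_dir and old_name != "" and new_name == "+" + old_name

def parse_events(text: str):
    """Yield (timestamp, process, old_path, new_path) from the pipe-separated log."""
    for line in text.splitlines():
        if line.strip():
            ts, proc, old, new = line.split("|", 3)
            yield datetime.fromisoformat(ts), proc, old, new

def find_rename_bursts(text: str, threshold: int = 3, window: timedelta = timedelta(seconds=60)):
    """Report processes doing >= threshold '+'-prefix renames inside any `window`.
    One such rename may be a user action; a burst from a single process is the ransomware signal."""
    per_process = defaultdict(list)
    for ts, proc, old, new in parse_events(text):
        if is_avcrypt_rename(old, new):
            per_process[proc].append(ts)
    alerts = []
    for proc, stamps in per_process.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"process": proc, "count": best,
                           "first": stamps[0].isoformat(), "last": stamps[-1].isoformat()})
    return alerts
```

Calling find_rename_bursts(SAMPLE_EVENTS) on the constructed events returns a single alert for av2018.exe with a count of 4; the lone "+draft.txt" rename by notepad.exe stays below the threshold.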

Source: https://www.bleepingcomputer.com/news...

Do you enjoy the content on this channel? YouTube ad revenue is virtually non-existent so please consider funding Penetration Testing via Patreon:
https://www.patreon.com/penetrationte...

Facebook Page: https://www.facebook.com/kaliforensics

Pinterest: https://www.pinterest.com/penetration...

Instagram: https://www.instagram.com/penetration...

Google+: https://plus.google.com/b/10053333383...

Thanks For Watching....

Like Share & Subscribe.....

Reviewed by Dump3R H3id3gg3R on March 29, 2018. Rating: 5