The AVCrypt Ransomware Tries To Uninstall Your AV Software

Larry Abrams at Bleepingcomputer reported this strain first: "A new ransomware named AVCrypt has been discovered that tries to uninstall existing security software before it encrypts a computer. Furthermore, as it removes numerous services, including Windows Update, and provides no contact info, this ransomware may be a wiper.

This ransomware is quite destructive to an infected computer, yet at the same time does appear to upload the encryption key to a remote server. Therefore, it is not known whether this is a true ransomware or a wiper disguised as one.

After analysis by MalwareHunterTeam, who discovered the ransomware, myself, and Michael Gillespie, it was decided to name this ransomware AVCrypt as the sample file names are av2018.exe. The developer, though, may be naming it LOL based on some of the debug messages found in the ransomware samples."

AVCrypt tries to uninstall your security software

As already stated, when AVCrypt runs it attempts to remove installed security software from the victim's computer. It does this in two ways: by specifically targeting Windows Defender and Malwarebytes, and by querying for whatever AV software is installed and then attempting to remove it.

First, AVCrypt deletes the Windows services that Malwarebytes and Windows Defender need in order to run. It then queries Windows Security Center to see which AV products are registered and attempts to uninstall each of them via WMIC.

Wiper or Still In Development Ransomware?

At this point it is not clear whether AVCrypt is an in-development ransomware or a wiper, as it has characteristics that support either categorization. On the wiper side, the ransomware attempts to delete a variety of Windows services when it starts, not just those belonging to security products.
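The two behaviours described above (service deletion aimed at Windows Defender and Malwarebytes, and WMIC-driven uninstalls of registered AV products) are easy to spot in process-creation telemetry, and a defender is better served by a detection than by a description. The following Python is an added example written for this post; it is not code from Bleepingcomputer, MalwareHunterTeam, or the AVCrypt sample itself. It assumes a cut-down Sysmon Event ID 1 style record of `Image|CommandLine`, and the service names it matches (WinDefend, WdNisSvc, MBAMService, wuauserv) are assumptions chosen to represent the products the post names; the sample events are constructed, not real telemetry. It flags `sc delete` of a security-related service and `wmic product ... call uninstall`, then escalates when several distinct security services go in one batch, which is the pattern that distinguishes this kind of tampering from a single stray service removal.

```python
import re
from dataclasses import dataclass

# Services behind the products the post names (Windows Defender, Malwarebytes)
# plus Windows Update, which the quoted analysis says is also removed.
# These service names are assumed for this example; the page does not list them.
SECURITY_SERVICES = {
    "windefend":   "Windows Defender Antivirus Service",
    "wdnissvc":    "Windows Defender Network Inspection Service",
    "mbamservice": "Malwarebytes Service",
    "wuauserv":    "Windows Update",
}

# "sc delete <service>" (optionally "sc \\host delete <service>").
SC_DELETE = re.compile(
    r"(?:^|\s)sc(?:\.exe)?\s+(?:\\\\\S+\s+)?delete\s+\"?([\w.-]+)", re.I)
# WMIC driving an MSI uninstall of whatever product the WHERE clause matches.
WMIC_UNINSTALL = re.compile(
    r"(?:^|\s)wmic(?:\.exe)?\s+product\s+where\b.*\bcall\s+uninstall\b", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    command_line: str


def inspect_command_line(command_line: str) -> list:
    """Return the AV-tampering findings for one process-creation command line."""
    findings = []
    m = SC_DELETE.search(command_line)
    if m:
        service = m.group(1).lower()
        if service in SECURITY_SERVICES:
            findings.append(Finding("sc_delete_security_service",
                                    SECURITY_SERVICES[service], command_line))
    if WMIC_UNINSTALL.search(command_line):
        findings.append(Finding("wmic_product_uninstall",
                                "Win32_Product.Uninstall via wmic", command_line))
    return findings


def scan_events(events) -> list:
    """events: iterable of 'Image|CommandLine' strings (cut-down Sysmon EID 1)."""
    findings = []
    for event in events:
        _image, _, command_line = event.partition("|")
        findings.extend(inspect_command_line(command_line))
    return findings


def classify(findings, service_threshold: int = 2) -> str:
    """Escalate when several distinct security services are deleted, or when a
    service deletion is paired with a WMIC product uninstall; a single isolated
    service removal is only 'suspicious' because admins do that legitimately."""
    deleted = {f.detail for f in findings if f.rule == "sc_delete_security_service"}
    wmic = any(f.rule == "wmic_product_uninstall" for f in findings)
    if len(deleted) >= service_threshold or (deleted and wmic):
        return "security-software tampering (AVCrypt-like)"
    if deleted or wmic:
        return "suspicious"
    return "clean"


# Constructed sample events for this example, not real telemetry.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\sc.exe|sc delete WinDefend",
    r"C:\Windows\System32\sc.exe|sc delete MBAMService",
    r"C:\Windows\System32\sc.exe|sc delete wuauserv",
    r'C:\Windows\System32\wbem\WMIC.exe|wmic product where ( Vendor like "%Malwarebytes%" ) call uninstall /nointeractive',
    r"C:\Windows\System32\sc.exe|sc delete MyAppUpdater",  # not a security service
    r"C:\Windows\System32\sc.exe|sc query WinDefend",      # query only, no deletion
]

if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.rule:30} {f.detail:45} {f.command_line}")
    print("verdict:", classify(found))
```

On a real host the `SECURITY_SERVICES` map should be built from what is actually registered (the `AntiVirusProduct` class in the `root\SecurityCenter2` WMI namespace lists the products, which is the same place the ransomware looks), so the rule follows whatever AV the machine runs rather than a fixed list.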

More technical background at bleepingcomputer.