AVCrypt is a newly uncovered virus, which first attacks Windows operating systems and removes Windows Defender, and then attempts to uninstall third-party antivirus programs. Once it has infiltrated computers, AVCrypt encrypts files, without providing a decryption key. While not yet complete, this virus poses a serious threat to all PC users and to undefended organizations. Installing a comprehensive antivirus suite, which cannot be removed without proper authorization, together with smart computing practices can protect your computer systems from this malicious attack.
Table of Contents
Credit: Shutterstock
A New and Serious Threat
Malware experts MalwareHunterTeam.com have discovered a new and potentially crippling malware, dubbed AVCrypt, because of the av2018.exe file which executes the virus. Security experts Lawrence Abrams and Michael Gillespie, of BleepingComputer.com, have thoroughly researched this new threat, and have determined that this virus is not yet complete, as it displays an alert before it starts, and a number of debug messages currently exist.
This virus has been deemed particularly dangerous as it uninstalls certain antivirus programs, alters Windows operating systems, and encrypts computer files. This article provides an overview of this new and serious threat, as well as good computing practices to protect your systems from this malware.
AVCrypt may be a Wiper
Currently, AVCrypt acts like a ransomware, encrypting user files. Typically ransomware includes a “how to unlock” file uploaded to the infected computer, which is a ransom note demanding payment in exchange for instructions on how to restore encrypted files. The AVCrypt “how to unlock” file, found in each folder in which it encrypted files, simply says “lol n” when opened, with no instructions on how to restore files.
It is unclear whether the current ransom note is a placeholder, and the ransom note will appear in future versions in this place, or if the finished version of this malware will be a “wiper” which wipes the infected computer’s hard drive, as currently no ransom note is included.
It Uninstalls Windows Defender
Not only does AVCrypt encrypt files without a means of restoration, it also attacks the computer systems. It detects and attempts to remove installed antivirus programs, primarily Windows Defender and Malwarebytes. Windows Defender is the default antivirus software for Windows, which comes preinstalled Windows-run PCs, running in the background to discover malware.
When AVCrypt attacks it deletes Windows services which are required to run Defender leaving the operating system unstable. It aborts a shutdown sequence, so that users cannot save themselves by trying to close the system. It next sends a query to Windows Security Center in order to see if an antivirus program is registered. Via the Windows Management Instrumentation Command-line (WMIC) utility, it attempts to remove antivirus programs. If successful, the computer is rendered unprotected and the ransomware is able to attack.
Following PC infiltration, AVCrypt uploads an encryption key to a TOR (The Onion Router, an anonymous remote router) location, as well as the time zone and Windows version of the victim. It remains dormant for a certain period, and then, at some point, connects to a command and control server, and begins execution of the virus. Once executed, it begins to encrypt computer files, changing their names, by adding a “+” symbol to the file name.
Once encryption is complete, the virus executes a batch file which performs a cleanup of the dropped files, clears even logs, terminates the malicious process and deletes its entry for the Autorun registry settings. Decryption requires a unique key, which as of yet has not been provided.
How Does AVCrypt Infect Computers?
Ransomware viruses infect computers in various ways. In some cases, they are attached to a spam email. When users click on the attachment, which is typically a JavaScript or MS Office file, the attachment executes a script which downloads and installs the malware. Additionally, sources of infection include peer-to-peer networks, 3rd party software download sites, often those which offer freeware, and software update links. Once pressed these links or programs execute the malware installation.
AVCrypt likely infects computers via a malicious email attachment, though as only two cases of this virus have been documented, it is possible that other modes of infection may be used in the future, once virus development is complete.
Protect yourself from AVCrypt and other Virus Threats
Malware which uninstalls anti-virus software is an obvious cause for concern, with the importance of discovering and blocking such malware before they execute is clear. As AVCrypt does not provide a decryption key as of yet, and as most cybercriminals do not actually provide this key, even if a ransom is paid, the only way to recover lost data at present is by restoring from a backup.
As AVCrypt first and foremost attacks the Windows operating system and uninstalls Windows Defender and Malwarebytes, it is apparent that these programs alone cannot offer the level of security needed to protect PCs. While AVCrypt attempts to uninstall alternate antivirus programs, its chances of success are slim, as most include countermeasures against unauthorized removal.
Always deploy safe computing practices, in order to protect yourself from malicious viruses such as AVCrypt. These practices include:
- Choose a comprehensive antivirus program – it is important to research available antivirus software, installing a suite which cannot be removed by an unauthorized source and offers robust coverage.
- Keep antivirus programs up to date – Make sure to keep this software current, installing updates when available in order to protect yourself against new threats, such as AVCrypt.
- Use dependable email providers – leading emails providers, such as Google and Microsoft, filter out phishing emails, decreasing the chances of infection via dangerous attachment. Make sure your email provider offers this level of coverage.
- Be responsible –Adult content sites, file sharing sites free movie streaming sites, and more, are known to be dangerous, using phishing to get users to click on malware links. Never click on links which you are unsure of, such as found on advertisements on these sites.
- Perform periodic backups – as ransomware sites encrypt files, it is highly recommended to regularly back up files or subscribe to an online backup service,
Conclusion
AVCrypt is possibly the newest known malware threat. It is particularly dangerous as it eradicates the preinstalled Windows antivirus program, Defender, while simultaneously making changes in the operating system.
Smart users should protect themselves by installing robust antivirus suites which include coverage for this virus, offer periodic updates for protection against new threats, and cannot be uninstalled without authorization. Additional modes of defense include opting for secure email providers, safe browsing practices and maintaining computer backups. While this malware is likely the most serious threat today, it is unlikely to be last.
