AVCrypt is newly reported malware that behaves either as a wiper or as ransomware; which of the two it is intended to be is not yet clear. It has been observed targeting anti-virus (AV) software on the machines it infects.
The malware drops a text file that appears to be a ransom note. The file, +HOW_TO_UNLOCK.txt, contains only the text 'lol n'; it makes no demands.
AVCrypt attempts to delete Windows services, disrupting normal operation of the system. It is capable of making system changes such as encrypting or deleting files, and of attempting to remove AV products from the targeted machine.
After the initial infection, AVCrypt remains idle for a short period. It then uses an embedded Tor client to contact a command-and-control (C2) server at bxp44w3qwwrmuupc[.]onion, and it is at this point that the attempted removal of security software is observed.
The malware scans the device for documents and encrypts them, prefixing each file name with a '+': for example, 'Cake Recipe' becomes '+Cake Recipe'.
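The two file-system indicators described above (the +HOW_TO_UNLOCK.txt note containing 'lol n', and documents renamed with a leading '+') are enough to build a simple host-based hunt. The script below is an added example and is not code from the original page or from its author; it is written in Python so it runs anywhere, and it walks a directory tree, collects both indicators per directory, and separates high-confidence hits (the note is present) from low-confidence ones ('+'-prefixed files with no note, which can be a perfectly ordinary naming convention). The sample profile it scans is constructed in a temporary directory purely for illustration and is not real infection data.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Indicators taken from the description above.
NOTE_NAME = "+HOW_TO_UNLOCK.txt"   # the suspected ransom note
NOTE_BODY = "lol n"                # its only observed content
PREFIX = "+"                       # prepended to encrypted documents


def scan_tree(root):
    """Walk `root` and collect AVCrypt file-system indicators per directory.

    Returns {directory: {"note": bool, "note_matches": bool, "renamed": [names]}}.
    'note' is True if +HOW_TO_UNLOCK.txt exists in the directory, 'note_matches'
    is True if its content is exactly 'lol n', and 'renamed' lists the other
    files whose name starts with '+'. Directories with no indicator are omitted.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        entry = {"note": False, "note_matches": False, "renamed": []}
        for name in files:
            if name == NOTE_NAME:
                entry["note"] = True
                try:
                    body = (Path(dirpath) / name).read_text(errors="replace")
                except OSError:
                    body = ""
                entry["note_matches"] = body.strip() == NOTE_BODY
            elif name.startswith(PREFIX):
                entry["renamed"].append(name)
        if entry["note"] or entry["renamed"]:
            entry["renamed"].sort()
            findings[dirpath] = entry
    return findings


def classify(findings):
    """Split findings into high- and low-confidence directories.

    High: the ransom note is present (with or without renamed files).
    Low:  only '+'-prefixed files, which needs manual review because the
          prefix alone is a weak indicator.
    """
    high, low = [], []
    for directory, entry in sorted(findings.items()):
        if entry["note"]:
            high.append(directory)
        elif entry["renamed"]:
            low.append(directory)
    return high, low


def build_sample_tree():
    """Constructed sample user profile (not real infection data), in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="avcrypt_demo_"))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "+Cake Recipe.docx").write_bytes(b"\x8f\x13\x00\x42")   # 'encrypted' document
    (docs / "+Budget.xlsx").write_bytes(b"\x01\x02\x03")
    (docs / NOTE_NAME).write_text(NOTE_BODY + "\n")                  # the note, as observed
    (docs / "unchanged.txt").write_text("plain text")
    src = root / "src"
    src.mkdir()
    (src / "+build.sh").write_text("#!/bin/sh\n")   # legitimate '+' name: low confidence only
    (root / "empty").mkdir()                        # no indicators at all
    return root


def demo():
    """Scan the constructed tree and return a summary the reader can check."""
    root = build_sample_tree()
    try:
        findings = scan_tree(str(root))
        high, low = classify(findings)
        docs = findings[str(root / "Documents")]
        return {
            "high": [os.path.relpath(d, root) for d in high],
            "low": [os.path.relpath(d, root) for d in low],
            "renamed_in_documents": docs["renamed"],
            "note_matches": docs["note_matches"],
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

On a real host the same `scan_tree` and `classify` functions can be pointed at user profile roots such as C:\Users; the note file name is the stronger indicator, so a directory that has the note without any '+' files is still reported as high confidence, while '+' files on their own are only flagged for review.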
- Affected platforms: Microsoft Windows (all versions)
Duncan is a technology professional with over 20 years' experience in a variety of IT roles. He has an interest in cyber security, and a wide range of other skills in radio, electronics and telecommunications.