AVCrypt Ransomware

AVCrypt is a new malware family which may be a wiper or ransomware. AVCrypt has been observed targeting antivirus (AV) software on the machines it infects.

The malware delivers a text file which contains a suspected ransom note. This file [+HOW_TO_UNLOCK.txt] contains only the text ‘lol n’ – there are no demands.

AVCrypt aims to delete Windows services to corrupt the operation of the system. The malware is capable of making system changes such as encrypting or deleting files and attempting to remove AV on targeted machines.

AVCrypt will sit stationary for a short period after the initial infection, then uses an integrated TOR client to contact bxp44w3qwwrmuupc[.]onion, a C2 server. At this point the attempted removal of security software is seen.

The malware is seen to scan and encrypt the device’s documents adding a ‘+’ to the beginning of the file name – e.g. ‘Cake Recipe’ goes to ‘+Cake Recipe’.
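The two host artefacts described above (the dropped note [+HOW_TO_UNLOCK.txt] containing only 'lol n', and documents renamed with a leading '+') can be turned into a simple hunt check. The following Python script is an added example for this page, not code from the author or from any vendor tooling; it walks a directory tree, flags both indicators, and rates the result. The sample directory it builds is constructed for the demonstration, and the assessment thresholds are an assumption: a '+' prefix on its own is a weak signal, so the script only reports high confidence when the known note text and renamed files are both present.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the write-up above.
RANSOM_NOTE_NAME = "+HOW_TO_UNLOCK.txt"
RANSOM_NOTE_TEXT = "lol n"
ENCRYPTED_PREFIX = "+"


def scan_for_avcrypt_indicators(root):
    """Walk `root` and collect suspected ransom notes and '+'-prefixed files.

    Returns a dict with two lists:
      ransom_notes   - entries {"path", "matches_known_text"} for files named like the note
      prefixed_files - paths of other files whose name starts with '+'
    """
    findings = {"ransom_notes": [], "prefixed_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE_NAME:
                try:
                    # Decode leniently: we only care whether the body is the known 'lol n'.
                    text = path.read_text(errors="replace").strip()
                except OSError:
                    text = ""
                findings["ransom_notes"].append(
                    {"path": str(path), "matches_known_text": text == RANSOM_NOTE_TEXT}
                )
            elif name.startswith(ENCRYPTED_PREFIX):
                findings["prefixed_files"].append(str(path))
    findings["prefixed_files"].sort()
    return findings


def assess(findings):
    """Rate the findings (thresholds are an assumption, not from the page).

    'high'   - a note with the known text plus at least one renamed file
    'medium' - only one of the two indicators present
    'none'   - nothing matched
    """
    note_hit = any(n["matches_known_text"] for n in findings["ransom_notes"])
    renamed = len(findings["prefixed_files"]) > 0
    if note_hit and renamed:
        return "high"
    if note_hit or renamed or findings["ransom_notes"]:
        return "medium"
    return "none"


def build_sample_tree(base):
    """Create a constructed sample tree resembling a post-infection Documents folder."""
    docs = Path(base) / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "+Cake Recipe").write_bytes(b"\x00\x01\x02constructed ciphertext")
    (docs / "+Budget.xlsx").write_bytes(b"\x03\x04constructed ciphertext")
    (docs / "Untouched.txt").write_text("plain text, not renamed")
    (docs / RANSOM_NOTE_NAME).write_text("lol n\n")
    return str(base)


def demo():
    """Run the scan over the constructed tree and return (findings, verdict)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        findings = scan_for_avcrypt_indicators(tmp)
        return findings, assess(findings)


if __name__ == "__main__":
    result, verdict = demo()
    print("verdict:", verdict)
    print("ransom notes:", result["ransom_notes"])
    print("renamed files:", result["prefixed_files"])
```

Run it as-is to see the check fire on the constructed tree, or point `scan_for_avcrypt_indicators` at a user profile on a suspect host. The verdict is deliberately conservative: filenames beginning with '+' occur legitimately, so the note content is what lifts a hit to high confidence.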

Affected Platforms

  • Microsoft Windows – all versions

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
