AVCrypt is a ransomware that was discovered by Lawrence Abrams and Michael Gillespie.
AVCrypt is distributed through spam emails, peer-to-peer (P2P) networks, third-party software download sources, fake software update tools, and trojans.
When AVCrypt is executed, it sits idle for a brief period, extracts an embedded Tor client, and connects to the bxp44w3qwwrmuupc.onion command & control server, where it transmits the victim's encryption key, timezone, and Windows version. There appears to be an error in this transmission: other content from memory is appended as part of the key.
AVCrypt then attempts to remove installed security software from the victim's computer. It does this in two ways: by specifically targeting Windows Defender and Malwarebytes, and by querying for installed AV software and then attempting to remove it.
AVCrypt then deletes Windows services required for the proper operation of Malwarebytes and Windows Defender. AVCrypt deletes the following services:
MBAMService
MBAMSwissArmy
MBAMChameleon
MBAMWebProtection
MBAMFarflt
ESProtectionDriver
MBAMProtection
Schedule
WPDBusEnum
TermService
SDRSVC
RasMan
PcaSvc
MsMpSvc
SharedAccess
wscsvc
srservice
VSS
swprv
WerSvc
MpsSvc
WinDefend
wuauserv
It does this using a command of the following form:
cmd.exe /C sc config "MBAMService" start= disabled & sc stop "MBAMService" & sc delete "MBAMService";
It then queries for AV software registered with Windows Security Center and attempts to uninstall it via WMIC:
cmd.exe /C wmic product where ( Vendor like "%Emsisoft%" ) call uninstall /nointeractive & shutdown /a & shutdown /a & shutdown /a;
This command, however, was not able to uninstall Emsisoft. It is unknown whether it would work with other AV software.
While Windows will continue to function after these services are deleted, the proper operation of Windows will likely be affected.
It then scans for files to encrypt, and each encrypted file is renamed to +[original_name]. For example, a file called test.jpg would be encrypted and then renamed to +test.jpg. In each folder where a file is encrypted, it also creates a ransom note named +HOW_TO_UNLOCK.txt. This ransom note contains no contact information or instructions; it simply states "lol n".
While running, it also adds, changes, and deletes a variety of registry values in order to reduce the security of the computer.
The added registry values include:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes  .cmd;.exe;.bat;
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows  %AppData%\[username].exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth  1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows  C:\Users\User\AppData\Roaming\User.exe
HKLM\SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen  0
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures  0
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags  0
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\HVCIMATRequired  0
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity  0
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity  0
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware  1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring  1
Some of the changed values include:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden  "0" (old value="1")
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip  "0" (old value="1")
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden  "0" (old value="1")
HKLM\SOFTWARE\Microsoft\Security Center\cval  "0" (old value="1")
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  "0" (old value="1")
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization  "0" (old value="1")
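As an added detection example (not part of this analysis), the following Python scans process-creation command lines for the service disable/stop/delete chain and the WMIC uninstall described above, and checks a registry snapshot against some of the tampered values listed. The sample command lines are constructed from the commands quoted on this page; the finding labels and function names are this example's own.

```python
import re

# Services the page reports AVCrypt disabling, stopping and deleting.
AVCRYPT_SERVICES = {s.lower() for s in (
    "MBAMService", "MBAMSwissArmy", "MBAMChameleon", "MBAMWebProtection",
    "MBAMFarflt", "ESProtectionDriver", "MBAMProtection", "Schedule",
    "WPDBusEnum", "TermService", "SDRSVC", "RasMan", "PcaSvc", "MsMpSvc",
    "SharedAccess", "wscsvc", "srservice", "VSS", "swprv", "WerSvc",
    "MpsSvc", "WinDefend", "wuauserv")}

# Some of the registry values listed above, paired with the data AVCrypt sets.
AVCRYPT_REGISTRY = {
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware": "1",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring": "1",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity": "0",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": "0",
    r"HKLM\SOFTWARE\Microsoft\Security Center\cval": "0",
}

# The disable/stop/delete chain quoted above; \1 requires the same service
# name in all three sc calls, which is the shape AVCrypt emits.
_SC_CHAIN = re.compile(
    r'sc\s+config\s+"?([\w.-]+)"?\s+start=\s*disabled\s*&\s*'
    r'sc\s+stop\s+"?\1"?\s*&\s*sc\s+delete\s+"?\1"?', re.IGNORECASE)
# The WMIC uninstall of whatever product matches the WHERE clause.
_WMIC_UNINSTALL = re.compile(
    r"wmic\s+product\s+where\s*(.+?)\s*call\s+uninstall", re.IGNORECASE)

def scan_command_line(cmdline: str) -> list:
    """Return (finding, detail) pairs for one process-creation command line."""
    findings = []
    for m in _SC_CHAIN.finditer(cmdline):
        svc = m.group(1)
        kind = ("avcrypt_service_deleted" if svc.lower() in AVCRYPT_SERVICES
                else "service_deletion_chain")  # other services: still review
        findings.append((kind, svc))
    for m in _WMIC_UNINSTALL.finditer(cmdline):
        findings.append(("wmic_product_uninstall", m.group(1)))
    return findings

def check_registry(snapshot: dict) -> list:
    """Return the registry values whose data matches AVCrypt's tampered state."""
    return sorted(k for k, bad in AVCRYPT_REGISTRY.items() if snapshot.get(k) == bad)

# Constructed sample input: the two commands quoted above, plus one chain
# against a service AVCrypt does not touch.
SAMPLE_CMDLINES = [
    'cmd.exe /C sc config "MBAMService" start= disabled & sc stop "MBAMService" & sc delete "MBAMService";',
    'cmd.exe /C wmic product where ( Vendor like "%Emsisoft%" ) call uninstall /nointeractive & shutdown /a & shutdown /a & shutdown /a;',
    'cmd.exe /C sc config "Spooler" start= disabled & sc stop "Spooler" & sc delete "Spooler";',
]
```

A registry snapshot is passed to check_registry as a dict of full value paths to string data, e.g. as exported from the endpoint.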
When done, it executes a batch file named +.bat that cleans up any dropped files, clears the event logs, terminates the ransomware process, and removes the autorun entry.