

AVCrypt is a ransomware that was discovered by Lawrence Abrams and Michael Gillespie.

Payload

Transmission

AVCrypt is distributed through spam email, peer-to-peer (P2P) networks, third-party software download sites, fake software update tools, and trojan droppers.

Infection

When AVCrypt is executed, it sits idle for a brief period, extracts an embedded TOR client, and connects to the bxp44w3qwwrmuupc.onion command & control server, where it transmits the victim's encryption key, timezone, and Windows version. This transmission appears to be buggy: the data sent as the key has other content from the process's memory appended to it.

AVCrypt then attempts to remove installed security software from the victim's computer. It does this in two ways: by specifically targeting Windows Defender and Malwarebytes, and by querying Windows Security Center for whatever AV product is registered and attempting to uninstall it.

AVCrypt then deletes the Windows services that Malwarebytes and Windows Defender depend on, together with a number of core Windows services (among them Task Scheduler, Volume Shadow Copy, Windows Update, Windows Firewall, Security Center, and Remote Desktop). The services it deletes are:

MBAMService
MBAMSwissArmy 
MBAMChameleon 
MBAMWebProtection
MBAMFarflt
ESProtectionDriver
MBAMProtection
Schedule
WPDBusEnum
TermService
SDRSVC
RasMan
PcaSvc
MsMpSvc
SharedAccess
wscsvc
srservice
VSS
swprv
WerSvc
MpsSvc
WinDefend
wuauserv

For each service it runs a command of the following form (shown here on one line):

cmd.exe /C sc config "MBAMService" start= disabled & sc stop "MBAMService" & sc delete "MBAMService";

It then queries Windows Security Center to see which AV software is registered and attempts to uninstall it via WMIC:

cmd.exe /C wmic product where ( Vendor like "%Emsisoft%" ) call uninstall /nointeractive & shutdown /a & shutdown /a & shutdown /a;

In testing, this command did not succeed in uninstalling Emsisoft. Whether it would work against other AV products is unknown.
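Detection logic for the two command patterns above, added here as an example and not code from the original article or from the malware itself: the function unwraps a cmd.exe /C chain, splits it on the & chaining operator, and flags sc config/stop/delete against the service names listed above, as well as any wmic product ... call uninstall. The command lines embedded in it are constructed to mirror the two quoted above, plus two benign lines that must not alert; the service set is the article's list.

```python
"""Flag AVCrypt-style security-service tampering in process command lines.

Added example; the sample command lines are constructed, not captured.
"""
import re
from dataclasses import dataclass

# Services the article lists AVCrypt deleting (matched case-insensitively).
SECURITY_SERVICES = {s.lower() for s in [
    "MBAMService", "MBAMSwissArmy", "MBAMChameleon", "MBAMWebProtection",
    "MBAMFarflt", "ESProtectionDriver", "MBAMProtection", "Schedule",
    "WPDBusEnum", "TermService", "SDRSVC", "RasMan", "PcaSvc", "MsMpSvc",
    "SharedAccess", "wscsvc", "srservice", "VSS", "swprv", "WerSvc",
    "MpsSvc", "WinDefend", "wuauserv",
]}

# Constructed sample, modelled on the two commands quoted in the article.
SAMPLE_COMMAND_LINES = [
    'cmd.exe /C sc config "MBAMService" start= disabled & sc stop "MBAMService" & sc delete "MBAMService";',
    'cmd.exe /C sc config "WinDefend" start= disabled & sc stop "WinDefend" & sc delete "WinDefend";',
    'cmd.exe /C wmic product where ( Vendor like "%Emsisoft%" ) call uninstall /nointeractive & shutdown /a & shutdown /a & shutdown /a;',
    'sc query "Spooler"',                                               # benign
    'cmd.exe /C sc stop "MyAppService" & sc delete "MyAppService"',    # not a security service
]

CMD_WRAPPER = re.compile(r'^\s*"?(?:[^"\s]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+(.*)$', re.I | re.S)
SC_VERB = re.compile(r'^sc(?:\.exe)?\s+(config|stop|delete)\s+"?([^"\s]+)"?(.*)$', re.I | re.S)
WMIC_UNINSTALL = re.compile(r'^wmic(?:\.exe)?\s+product\s+where\b(.*?)\bcall\s+uninstall\b', re.I | re.S)
VENDOR = re.compile(r'vendor\s+like\s+"([^"]*)"', re.I)


@dataclass(frozen=True)
class Finding:
    kind: str        # "service_tamper" or "av_uninstall"
    target: str      # lower-cased service name, or the WMIC vendor pattern
    actions: tuple   # sc verbs seen for that service, in order, or ("uninstall",)
    severity: str    # "high" when the service/product is removed, else "medium"


def split_chain(cmdline: str) -> list:
    """Unwrap `cmd.exe /C ...` and split the body on `&` / `&&`."""
    m = CMD_WRAPPER.match(cmdline)
    body = m.group(1) if m else cmdline
    return [seg.strip().rstrip(";").strip() for seg in re.split(r"\s*&+\s*", body) if seg.strip()]


def analyse(cmdline: str) -> list:
    """Return the findings for one process command line."""
    findings = []
    sc_actions = {}                       # service name -> [verbs]
    for seg in split_chain(cmdline):
        sc = SC_VERB.match(seg)
        if sc:
            verb, name, rest = sc.group(1).lower(), sc.group(2).lower(), sc.group(3)
            # Only `sc config X start= disabled` counts as tampering; other config changes are ignored.
            if verb == "config" and not re.search(r"start=\s*disabled", rest, re.I):
                continue
            sc_actions.setdefault(name, []).append(verb)
            continue
        w = WMIC_UNINSTALL.match(seg)
        if w:
            v = VENDOR.search(w.group(1))
            findings.append(Finding("av_uninstall", v.group(1) if v else "?", ("uninstall",), "high"))
    for name, verbs in sc_actions.items():
        if name in SECURITY_SERVICES:
            sev = "high" if "delete" in verbs else "medium"
            findings.append(Finding("service_tamper", name, tuple(verbs), sev))
    return findings


def scan(lines) -> list:
    """Flatten findings over a batch of command lines (e.g. Sysmon EID 1 CommandLine fields)."""
    return [f for line in lines for f in analyse(line)]


if __name__ == "__main__":
    for f in scan(SAMPLE_COMMAND_LINES):
        print(f)
```

The split on `&` matters: a rule that only looks for `sc delete` misses the `sc config ... start= disabled` step, which on its own is enough to keep a protection service from starting after the next reboot even if the delete fails.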

Windows will still boot after these services are deleted, but with Task Scheduler, Volume Shadow Copy, Windows Update, Windows Firewall, Security Center, and Remote Desktop removed, parts of the system will no longer work properly, and recovery from shadow copies is no longer possible.

It then scans for files to encrypt. Each encrypted file is renamed by prefixing a plus sign to its original name, so test.jpg becomes +test.jpg. In every folder where a file is encrypted it also drops a ransom note named +HOW_TO_UNLOCK.txt. The note contains no contact information or payment instructions; it simply says "lol n".

While running, it also adds and changes a number of registry values to weaken the security of the computer: Defender and SmartScreen are disabled by policy, UAC is turned off, virtualization-based security is switched off, executable file types are marked as low risk, and an autorun entry is created.

The added registry values include:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes	.cmd;.exe;.bat;
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows	%AppData%\[username].exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth	1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows	C:\Users\User\AppData\Roaming\User.exe
HKLM\SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen	0
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures	0
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags	0
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\HVCIMATRequired	0
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity	0
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity	0
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware	1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring	1

Some of the changed values include:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden	"0"	(old value="1")
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip	"0"	(old value="1")
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden	"0"	(old value="1")
HKLM\SOFTWARE\Microsoft\Security Center\cval	"0"	(old value="1")
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	"0"	(old value="1")
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization	"0"	(old value="1")
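An audit routine for the registry changes listed above, added here as an example and not code from the original article or from the malware: it parses lines in the same path, value, (old value="...") layout the article uses, normalises the hive name and case, and reports which protections each change weakens. Beyond the fixed list of known-bad values it also catches two patterns rather than exact entries: executable extensions added to LowRiskFileTypes, and any value written under a Run key. The sample lines are constructed from the article's list plus two benign entries that must not be reported.

```python
"""Audit registry changes of the kind the article attributes to AVCrypt.

Added example; the sample lines are constructed, not captured from a host.
"""
import re
from dataclasses import dataclass
from typing import Optional

TAB = "\t"
# Constructed sample in the article's `path<TAB>value[<TAB>(old value="x")]` layout.
SAMPLE_CHANGES = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes" + TAB + ".cmd;.exe;.bat;",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows" + TAB + r"%AppData%\[username].exe",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen" + TAB + "0",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity" + TAB + "0",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware" + TAB + "1",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring" + TAB + "1",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA" + TAB + '"0"' + TAB + '(old value="1")',
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden" + TAB + '"0"' + TAB + '(old value="1")',
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip" + TAB + '"1"' + TAB + '(old value="1")',  # unchanged
    r"HKCU\Software\Contoso\Example\Setting" + TAB + "5",                                                             # unrelated
]

HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}

# Normalised path -> (value that weakens security, what it turns off).
WEAK_VALUES = {
    r"hklm\software\policies\microsoft\windows defender\disableantispyware": ("1", "Windows Defender disabled by policy"),
    r"hklm\software\policies\microsoft\windows defender\real-time protection\disablerealtimemonitoring": ("1", "Defender real-time protection disabled"),
    r"hklm\software\policies\microsoft\windows\system\enablesmartscreen": ("0", "SmartScreen disabled"),
    r"hklm\software\microsoft\windows\currentversion\policies\system\enablelua": ("0", "UAC disabled"),
    r"hklm\software\microsoft\windows\currentversion\policies\system\enablevirtualization": ("0", "UAC file/registry virtualization disabled"),
    r"hklm\software\microsoft\windows\currentversion\policies\explorer\hidescahealth": ("1", "Security Center health icon hidden"),
    r"hklm\software\policies\microsoft\windows\deviceguard\enablevirtualizationbasedsecurity": ("0", "virtualization-based security disabled"),
    r"hklm\software\policies\microsoft\windows\deviceguard\hypervisorenforcedcodeintegrity": ("0", "HVCI disabled"),
    r"hklm\software\policies\microsoft\windows\deviceguard\lsacfgflags": ("0", "Credential Guard disabled"),
    r"hklm\software\policies\microsoft\windows\deviceguard\requireplatformsecurityfeatures": ("0", "platform security feature requirement cleared"),
    r"hklm\software\policies\microsoft\windows\deviceguard\hvcimatrequired": ("0", "HVCI memory attribute table requirement cleared"),
    r"hkcu\software\microsoft\windows\currentversion\explorer\advanced\hidden": ("0", "hidden files no longer shown"),
    r"hkcu\software\microsoft\windows\currentversion\explorer\advanced\showsuperhidden": ("0", "protected OS files no longer shown"),
    r"hkcu\software\microsoft\windows\currentversion\explorer\advanced\showinfotip": ("0", "Explorer info tips disabled"),
}
OLD_RE = re.compile(r'\(old value="?(.*?)"?\)')


@dataclass(frozen=True)
class RegFinding:
    path: str
    value: str
    old: Optional[str]
    issue: str


def normalise(path: str) -> str:
    """Lower-case the path and abbreviate long hive names (HKEY_LOCAL_MACHINE -> hklm)."""
    head, _, rest = path.partition("\\")
    head = head.lower()
    return HIVES.get(head, head) + "\\" + rest.lower()


def parse_line(line: str):
    """Return (normalised path, new value without quotes, old value or None)."""
    parts = line.rstrip("\n").split("\t")
    value = parts[1].strip().strip('"') if len(parts) > 1 else ""
    old = None
    if len(parts) > 2:
        m = OLD_RE.search(parts[2])
        old = m.group(1) if m else None
    return normalise(parts[0]), value, old


def audit(lines) -> list:
    """Report every change that weakens a protection or installs persistence."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        path, value, old = parse_line(line)
        issue = None
        rule = WEAK_VALUES.get(path)
        if rule and value == rule[0]:
            issue = rule[1]
        elif path.endswith(r"\policies\associations\lowriskfiletypes") and re.search(r"\.(exe|cmd|bat)\b", value, re.I):
            issue = "executable extensions added to LowRiskFileTypes (Attachment Manager warning suppressed)"
        elif "\\currentversion\\run\\" in path or "\\policies\\explorer\\run\\" in path:
            issue = "autorun persistence entry: " + value
        if issue:
            findings.append(RegFinding(path, value, old, issue))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CHANGES):
        print(f.issue, "<-", f.path)
```

The old value, where the export records one, is kept in the finding so that a remediation step can restore it rather than guess; for values the malware created (no old value), deleting the value is the right rollback, since the policy key did not exist before.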

When done, it will execute a batch file named +.bat that performs a cleanup of any dropped files, clears event logs, terminates the ransomware process, and removes the autorun entry.
