New Ransomware AVcrypt Found To Uninstall Your Antivirus And Security Software
AVCrypt known as new ransomware with unique behavior. The ransomware found by MalwareHunterTeam and Bleeping Computer security researchers.
How it works?If the malicious script executes in the Victim Pc's, then its first work to remove your Windows Protection Services with targeting MalwareBytes and Windows Defender. Also the ransomware will delete other security services of your computer such as
MBAMService, MBAMSwissArmy, MBAMChameleon, MBAMWebProtection, MBAMFarflt, ESProtectionDriver, MBAMProtection, Schedule, WPDBusEnum, TermService, SDRSVC, RasMan, ,PcaSvc, MsMpSvc, SharedAccess, wscsvc, srservice, VSS, swprv, WerSvc, MpsSvc, WinDefend, wuauserv
If any antivirus software is registered with Windows Security center, then the malware deletes the details through command Line.
cmd.exe /C sc config "MBAMService" start= disabled & sc stop "MBAMService" & sc delete "MBAMService";
It then queries to see what AV software is registered with Windows Security Center and attempts to delete it via WMIC.
cmd.exe /C wmic product where ( Vendor like "%Emsisoft%" ) call uninstall /nointeractive & shutdown /a & shutdown /a & shutdown /a;
The above command, though, was not able to uninstall Emsisoft in this manner. It is unknown if it would work with other AV software.
Microsoft has told BleepingComputer, that they have only detected two samples of this ransomware, with of them possibly being my computer, so they feel that this infection is currently in development.
Microsoft is currently detecting it as Ransom:Win32/Pactelung.A.
Once the ransomware executes completely, then AVCrypt uploads an encryption key to a TOR website remotely. The malware scans for files to encrypt and renaming them in the process.
In each encrypted file folder, it will saved as ransom note, +HOW_TO_Unlock.txt. It does not provide any information, there is just simple Text written inside the text file is "lol n".
Security research on this ransomware is currently on the way.