A new ransomware has been found in the wild that attempts to uninstall antivirus software before encrypting a victim's files.
Seemingly still under development, analysis from researchers MalwareHunterTeam, Michael Gillespie, and Lawrence Abrams suggests "AVCrypt" has been designed to disable a wide range of Windows services, including Windows Update. There are also indications the malware may in fact be a wiper rather than true ransomware, since notes left behind during the infection process don't provide any usable instructions for how victims can pay to regain access to their files.
AVCrypt attempts to remove AV from victims' systems in two ways. First, it attempts to delete services specifically associated with Malwarebytes and Windows Defender by issuing commands like the following:
cmd.exe /C sc config "MBAMService" start= disabled & sc stop "MBAMService" & sc delete "MBAMService";
Why it initially targets these two specific security solutions is unknown, but AVCrypt doesn't stop there. It also attempts to uninstall any other AV software that might be running on the machine, first by querying what AV is registered with Windows Security Center, then trying to uninstall it using the Windows Management Instrumentation command-line utility (WMIC).
cmd.exe /C wmic product where ( Vendor like "%_____%" ) call uninstall /nointeractive & shutdown /a & shutdown /a & shutdown /a;
There are questions as to whether this method is effective, though. Lawrence Abrams notes that the command above failed to uninstall Emsisoft, for example.
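As an added example (not code from the original post or from Barkly), the PowerShell function below flags process command lines that match the AV-removal pattern quoted above: `sc config`/`stop`/`delete` against a security service, `wmic product ... call uninstall`, and the repeated `shutdown /a` that accompanies it. The service list and sample command lines are constructed for the demonstration; in practice the input would come from Sysmon Event ID 1 or Security 4688 command-line fields.

```powershell
# Added example (not from the original post): flag process command lines that match the
# AVCrypt AV-removal pattern (sc config/stop/delete of a security service, and
# wmic product ... call uninstall). Service names and sample lines are constructed.
$SecurityServices = @('MBAMService', 'WinDefend', 'MsMpSvc', 'wscsvc', 'MpsSvc')

function Test-AvRemovalCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    $reasons = @()
    # sc.exe disabling, stopping or deleting one of the listed security services
    $scPattern = '(?i)\bsc(\.exe)?\s+(?<verb>config|stop|delete)\s+"?(?<svc>[A-Za-z0-9_]+)"?'
    foreach ($m in [regex]::Matches($CommandLine, $scPattern)) {
        $svc = $m.Groups['svc'].Value
        if ($SecurityServices -contains $svc) {
            $reasons += "sc $($m.Groups['verb'].Value) on security service $svc"
        }
    }
    # wmic product ... call uninstall: bulk MSI uninstall, rarely launched from cmd.exe legitimately
    if ($CommandLine -match '(?i)\bwmic(\.exe)?\s+product\b.*\bcall\s+uninstall\b') {
        $reasons += 'wmic product call uninstall'
    }
    # the quoted sample chains shutdown /a (abort shutdown) three times after the uninstall
    if (([regex]::Matches($CommandLine, '(?i)\bshutdown\s+/a\b')).Count -ge 2) {
        $reasons += 'repeated shutdown /a'
    }
    [pscustomobject]@{ CommandLine = $CommandLine; Suspicious = ($reasons.Count -gt 0); Reasons = $reasons }
}

# Constructed sample command lines: the two quoted in the post plus benign noise
$samples = @(
    'cmd.exe /C sc config "MBAMService" start= disabled & sc stop "MBAMService" & sc delete "MBAMService"',
    'cmd.exe /C wmic product where ( Vendor like "%_____%" ) call uninstall /nointeractive & shutdown /a & shutdown /a & shutdown /a',
    'sc query "Spooler"',
    'cmd.exe /C sc stop "Spooler" & sc start "Spooler"'
)
$samples | ForEach-Object { Test-AvRemovalCommand -CommandLine $_ } |
    Where-Object Suspicious |
    Format-Table CommandLine, @{ n = 'Reasons'; e = { $_.Reasons -join '; ' } } -Wrap
```

Only the first two sample lines are reported; the Spooler lines are left alone because the service is not on the watch list.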
Samples of this malware appear to be extremely limited (Microsoft reports only detecting two so far), and there are multiple indications that it may still be a work-in-progress not yet being actively distributed.
One sign is the ransom notes created by AVCrypt, which, while titled +HOW_TO_UNLOCK.txt, only contain the message "lol n." While that could simply be a placeholder, there is also the possibility that the developers behind AVCrypt don't intend to make it functioning ransomware, but instead are merely using that as a disguise (similar to how NotPetya initially appeared to be ransomware, but was actually a wiper).
According to analysis, however, AVCrypt does create an encryption key and upload it to a remote TOR site. That fact, combined with the presence of numerous debug messages and an alert that displays before the malware executes, makes it more likely this is in fact ransomware that simply isn't finalized.
In addition to uninstalling AV software, AVCrypt attempts to further reduce the security and functionality of the infected machine by deleting several other services as well as making changes to a variety of registry values.
The following is a list of the services AVCrypt attempts to remove (note: MBAM signifies a Malwarebytes service):
MBAMService
MBAMSwissArmy
MBAMChameleon
MBAMWebProtection
MBAMFarflt
ESProtectionDriver
MBAMProtection
Schedule
WPDBusEnum
TermService
SDRSVC
RasMan
PcaSvc
MsMpSvc
SharedAccess
wscsvc
srservice
VSS
swprv
WerSvc
MpsSvc
WinDefend
wuauserv
As Abrams points out, the deletion of these services is likely to cause issues with Windows running properly.
The following registry values are added:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes = .cmd;.exe;.bat;
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows = %AppData%\[username].exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows = C:\Users\User\AppData\Roaming\User.exe
HKLM\SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen = 0
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard (key)
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures = 0
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags = 0
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\HVCIMATRequired = 0
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity = 0
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity = 0
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender (key)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (key)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 1
And the following registry values are changed:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "0" (old value = "1")
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip = "0" (old value = "1")
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (old value = "1")
HKLM\SOFTWARE\Microsoft\Security Center\cval = "0" (old value = "1")
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (old value = "1")
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" (old value = "1")
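As an added example (not code from the original post or from Barkly), the PowerShell audit below checks a host for the registry values listed above, for the "Windows" Run-key persistence entries, and for the built-in Windows services AVCrypt deletes. It assumes Windows PowerShell 5 or later (for the StartType property of Get-Service); the policy keys it reads are normally absent on a clean machine, so only values matching the ones listed above are reported.

```powershell
# Added example (not from the original post): audit a host for the registry values,
# Run-key persistence and service deletions listed above. A hit is a finding worth
# investigating, not proof of AVCrypt on its own.
$RegistryChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware'; Bad = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring'; Bad = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Name = 'EnableSmartScreen'; Bad = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'; Name = 'EnableVirtualizationBasedSecurity'; Bad = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'; Name = 'HypervisorEnforcedCodeIntegrity'; Bad = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Bad = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'HideSCAHealth'; Bad = 1 }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'; Name = 'LowRiskFileTypes'; Bad = '.cmd;.exe;.bat;' }
)
# Built-in services from the list above; MBAM* are skipped because they only exist with Malwarebytes installed
$ExpectedServices = @('WinDefend', 'wscsvc', 'MpsSvc', 'wuauserv', 'VSS', 'WerSvc', 'Schedule', 'TermService', 'SharedAccess')

function Get-RegistryFindings {
    foreach ($c in $RegistryChecks) {
        # SilentlyContinue: an absent policy value is the normal, clean state
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and "$($item.($c.Name))" -eq "$($c.Bad)") {
            [pscustomobject]@{ Type = 'Registry'; Item = "$($c.Path)\$($c.Name)"; Value = $item.($c.Name) }
        }
    }
}

function Get-PersistenceFindings {
    # AVCrypt writes a Run value named "Windows" pointing at its dropped copy
    foreach ($path in @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run')) {
        $v = (Get-ItemProperty -Path $path -Name 'Windows' -ErrorAction SilentlyContinue).Windows
        if ($v) { [pscustomobject]@{ Type = 'Persistence'; Item = "$path\Windows"; Value = $v } }
    }
}

function Get-ServiceFindings {
    foreach ($name in $ExpectedServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            [pscustomobject]@{ Type = 'Service'; Item = $name; Value = 'missing' }
        } elseif ($svc.StartType -eq 'Disabled') {
            [pscustomobject]@{ Type = 'Service'; Item = $name; Value = 'disabled' }
        }
    }
}

$findings = @(Get-RegistryFindings) + @(Get-PersistenceFindings) + @(Get-ServiceFindings)
if ($findings.Count -eq 0) { 'No AVCrypt-style tampering found.' } else { $findings | Format-Table -AutoSize }
```

Run it from an elevated prompt so the HKLM policy keys and service configuration are readable.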
Meanwhile, the malware is also encrypting files it finds on the infected machine.
On execution, AVCrypt remains temporarily dormant before eventually connecting to a C2 (command-and-control) server (bxp44w3qwwrmuupc.onion). It then transmits the victim machine information and encryption key to the server. However, there appears to be an error in this process, as it appends other contents from memory as part of the key. This is an additional indication that the malware is still in development.
After its attempt to remove antivirus and delete the additional services outlined above, AVCrypt scans for files to encrypt. As part of the encryption process it renames encrypted files to "+[original_name]". For example, a file called "Goat.jpg" will be renamed "+Goat.jpg".
[Image: Files encrypted by AVCrypt]
The +HOW_TO_UNLOCK.txt ransom note is left behind in each encrypted folder, though, as mentioned, it doesn't actually provide victims with any usable instructions.
[Image: AVCrypt ransom note]
Once encryption is complete, AVCrypt performs one last trick, executing a batch file that performs the cleanup of all the dropped files, clears the event logs, terminates the malicious process, and even deletes its entry from the Autorun registry settings.
While this particular ransomware still appears to be a work in progress it may soon be a very real threat. Malware that can successfully uninstall antivirus software would obviously be major cause for concern, and knowing that ransomware authors are actively experimenting with that capability is alarming to say the least.
Such malicious capability puts even more emphasis on blocking infections at the earliest stage, before malware even has the chance to execute. Barkly specializes in blocking the most common paths malware takes to land on victim systems, but it also offers defense in depth by blocking malicious behaviors and activity should an attack find a way to gain initial access to a machine.
In the case of AVCrypt, not only does Barkly block the executable using machine-learning-powered file analysis, but if the file is allowed to run, Barkly also prevents it from conducting malicious activity commonly associated with ransomware. In both cases, the threat is blocked before any damage can be done.
You can see Barkly vs. AVCrypt in action below, with the incident reported in real time in Barkly's CommandIQ™ portal displayed on the right.
Here's another look at the incidents reported in the portal. Admins can investigate any incidents to reveal additional details and take action immediately, even from their mobile device.
Worried your AV can't protect your organization from today's modern attacks? Learn more about the potential gaps you're exposed to by downloading our AV Gap Analysis.