Barkly vs Malware
Barkly Research
Mar 2018

New AVCrypt Ransomware Attempts to Uninstall Antivirus Software


A new ransomware has been found in the wild that attempts to uninstall antivirus software before encrypting a victim's files.

Seemingly still under development, analysis from researchers MalwareHunterTeam, Michael Gillespie, and Lawrence Abrams suggests "AVCrypt" has been designed to disable a wide range of Windows services, including Windows Update. There are also indications the malware may in fact be a wiper rather than true ransomware, since notes left behind during the infection process don't provide any usable instructions for how victims can pay to regain access to their files. 

How AVCrypt Attempts to Uninstall AV

[Figure: AVCrypt process flow]

AVCrypt attempts to remove AV from victims' systems in two ways. First, it attempts to delete services specifically associated with Malwarebytes and Windows Defender by issuing commands like the following:

cmd.exe /C sc config "MBAMService" start= disabled & sc stop "MBAMService" & sc delete "MBAMService";

Why it initially targets these two specific security solutions is unknown, but AVCrypt doesn't stop there. It also attempts to uninstall any other AV software that might be running on the machine, first by querying Windows Security Center for the registered AV product, then attempting to uninstall it with the Windows Management Instrumentation command-line utility (WMIC).

cmd.exe /C wmic product where ( Vendor like "%_____%" ) call uninstall /nointeractive & shutdown /a & shutdown /a & shutdown /a;

There are questions as to whether this method is effective, though. Lawrence Abrams notes that the command above failed to uninstall Emsisoft, for example. 

Still in Development or Simply Designed for Destruction?

Samples of this malware appear to be extremely limited (Microsoft reports only detecting two so far), and there are multiple indications that it may still be a work-in-progress not yet being actively distributed. 

One sign is the ransom notes created by AVCrypt, which, while titled +HOW_TO_UNLOCK.txt, only contain the message "lol n." While that could simply be a placeholder, there is also the possibility that the developers behind AVCrypt don't intend to make it functioning ransomware, but are instead merely using that as a disguise (similar to how NotPetya initially appeared to be ransomware, but was actually a wiper).

According to analysis, however, AVCrypt does create an encryption key and upload it to a remote TOR site. That fact, combined with the presence of numerous debug messages and an alert that displays before the malware executes, makes it more likely this is in fact ransomware that simply isn't finalized. 

Other Services Targeted for Deletion and Registry Changes Made

In addition to uninstalling AV software, AVCrypt attempts to further reduce the security and functionality of the infected machine by deleting several other services as well as making changes to a variety of registry values.  

The following is a list of the services AVCrypt attempts to remove (note: MBAM signifies a Malwarebytes service):

MBAMService
MBAMSwissArmy 
MBAMChameleon 
MBAMWebProtection
MBAMFarflt
ESProtectionDriver
MBAMProtection
Schedule
WPDBusEnum
TermService
SDRSVC
RasMan
PcaSvc
MsMpSvc
SharedAccess
wscsvc
srservice
VSS
swprv
WerSvc
MpsSvc
WinDefend
wuauserv

As Abrams points out, the deletion of these services is likely to cause issues with Windows running properly.  
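The service-removal commands quoted above and the service list give a defender something concrete to alert on. The following detection routine is an added example, not code from Barkly or from the malware: it runs over constructed JSON-lines process-creation events in the shape a SIEM might export from Sysmon Event ID 1 (the field names, the sample command lines and the vendor name "ExampleAV" are assumptions), and flags sc config/stop/delete against the listed services, the disable-stop-delete chain on a single service in one command line, "wmic product ... call uninstall", and repeated "shutdown /a".

```python
"""Flag process-creation events that look like AVCrypt's AV-removal commands.

Added example, not Barkly's or the malware's code: detection logic run over
constructed JSON-lines process events shaped like Sysmon Event ID 1 records
as a SIEM might export them. The field names and sample values are
assumptions; the service names and command patterns come from the article.
"""
import json
import re

# Services the article lists as AVCrypt deletion targets.
TARGETED_SERVICES = {
    "MBAMService", "MBAMSwissArmy", "MBAMChameleon", "MBAMWebProtection",
    "MBAMFarflt", "ESProtectionDriver", "MBAMProtection", "Schedule",
    "WPDBusEnum", "TermService", "SDRSVC", "RasMan", "PcaSvc", "MsMpSvc",
    "SharedAccess", "wscsvc", "srservice", "VSS", "swprv", "WerSvc",
    "MpsSvc", "WinDefend", "wuauserv",
}
_TARGETED = {s.lower() for s in TARGETED_SERVICES}

# A service argument to sc.exe: optionally quoted, ends at whitespace, ';' or '&'.
_SVC = r'"?([^"\s;&]+)"?'
SC_RULES = (
    ("sc_config_disabled", re.compile(r"\bsc(?:\.exe)?\s+config\s+" + _SVC + r"\s+start=\s*disabled", re.I)),
    ("sc_stop", re.compile(r"\bsc(?:\.exe)?\s+stop\s+" + _SVC, re.I)),
    ("sc_delete", re.compile(r"\bsc(?:\.exe)?\s+delete\s+" + _SVC, re.I)),
)
WMIC_UNINSTALL = re.compile(r"\bwmic(?:\.exe)?\s+product\s+where\b.*?\bcall\s+uninstall\b", re.I | re.S)
SHUTDOWN_ABORT = re.compile(r"\bshutdown(?:\.exe)?\s+/a\b", re.I)
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


def analyze_command_line(cmd):
    """Return findings ({rule, detail, severity}) for one process command line."""
    findings = []
    seen = {rule: {} for rule, _ in SC_RULES}   # rule -> {service.lower(): service}
    for rule, rx in SC_RULES:
        for m in rx.finditer(cmd):
            svc = m.group(1)
            seen[rule][svc.lower()] = svc
            # Touching a service from the article's target list is the strong signal;
            # stopping some other service on its own is routine administration.
            sev = "high" if svc.lower() in _TARGETED else "low"
            findings.append({"rule": rule, "detail": svc, "severity": sev})
    # disable + stop + delete of one service in a single command line is exactly
    # the sequence the article quotes; report it as its own high-confidence rule.
    chain = set(seen["sc_config_disabled"]) & set(seen["sc_stop"]) & set(seen["sc_delete"])
    for key in sorted(chain):
        findings.append({"rule": "service_kill_chain", "detail": seen["sc_delete"][key], "severity": "high"})
    m = WMIC_UNINSTALL.search(cmd)
    if m:
        findings.append({"rule": "wmic_product_uninstall", "detail": m.group(0), "severity": "high"})
    aborts = len(SHUTDOWN_ABORT.findall(cmd))
    if aborts:
        # Repeated 'shutdown /a' cancels any pending shutdown while services are removed.
        findings.append({"rule": "shutdown_abort", "detail": f"{aborts}x shutdown /a", "severity": "medium"})
    return findings


def parse_log(text):
    """Parse JSON-lines events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events):
    """Score each event by its worst finding."""
    results = []
    for ev in events:
        findings = analyze_command_line(ev.get("CommandLine", ""))
        worst = max((f["severity"] for f in findings), key=SEVERITY_RANK.__getitem__, default="none")
        results.append({"image": ev.get("Image"), "severity": worst, "findings": findings})
    return results


# Constructed sample events (not real telemetry). Lines 1-2 mirror the article's commands
# with a made-up vendor name; lines 3-4 are ordinary admin activity for contrast.
SAMPLE_LOG = r'''
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /C sc config \"MBAMService\" start= disabled & sc stop \"MBAMService\" & sc delete \"MBAMService\";"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /C wmic product where ( Vendor like \"%ExampleAV%\" ) call uninstall /nointeractive & shutdown /a & shutdown /a & shutdown /a;"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\sc.exe", "CommandLine": "sc stop \"Spooler\""}
{"EventID": 1, "Image": "C:\\Windows\\System32\\sc.exe", "CommandLine": "sc query wuauserv"}
'''

if __name__ == "__main__":
    for r in triage(parse_log(SAMPLE_LOG)):
        print(r["severity"].upper(), r["image"], [(f["rule"], f["detail"]) for f in r["findings"]])
```

Run as a script it prints one line per event. The severity is the worst finding, so a lone "sc stop" of a service outside the list scores low, while the disable-stop-delete chain on a listed service, or any "wmic product ... call uninstall", scores high regardless of which vendor name the WQL filter carries.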

The following registry values are added:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes	.cmd;.exe;.bat;
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows	%AppData%\[username].exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth	1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows	C:\Users\User\AppData\Roaming\User.exe
HKLM\SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen	0
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures	0
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags	0
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\HVCIMATRequired	0
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity	0
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity	0
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware	1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring	1

And the following registry values are changed:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden	"0"	(old value="1")
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip	"0"	(old value="1")
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden	"0"	(old value="1")
HKLM\SOFTWARE\Microsoft\Security Center\cval	"0"	(old value="1")
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	"0"	(old value="1")
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization	"0"	(old value="1")
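The registry writes listed above are a second, independent detection opportunity: each one disables a protection, hides a warning, or installs persistence, and each has a specific value that marks the tampering. The following rule table is an added example, not Barkly's or the malware's code. It runs over constructed JSON-lines events in the shape of Sysmon Event ID 13 (RegistryEvent, SetValue) records; the sample events and the user SID in them are constructed, while the value paths and the flagged values come from the two lists above. Note that the value matters, not just the path: DisableAntiSpyware set back to 0 is not an alert.

```python
"""Flag registry writes that match AVCrypt's defense-tampering indicators.

Added example, not Barkly's or the malware's code: a rule table applied to
constructed JSON-lines events shaped like Sysmon Event ID 13 (RegistryEvent,
SetValue) records. The sample events and the user SID in them are
constructed; the value paths and the values flagged come from the article.
"""
import json
import re

# Sysmon writes HKCU values under HKU\<SID>\...; strip the hive so rules can be hive-neutral.
HIVE_PREFIX = re.compile(r"^(?:HKLM|HKCU|HKCR|HKU\\[^\\]+)\\", re.I)
DWORD_RE = re.compile(r"DWORD\s*\(0x([0-9A-Fa-f]+)\)")


def _low_risk_executables(v):
    """LowRiskFileTypes listing executable extensions suppresses open/attachment warnings."""
    return isinstance(v, str) and any(ext in v.lower() for ext in (".exe", ".cmd", ".bat"))


# (path below the hive, predicate on the decoded value, description, severity)
RULES = [
    (r"SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     lambda v: v == 1, "Windows Defender disabled by policy", "high"),
    (r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     lambda v: v == 1, "Defender real-time monitoring disabled", "high"),
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     lambda v: v == 0, "UAC disabled", "high"),
    (r"SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen",
     lambda v: v == 0, "SmartScreen disabled", "high"),
    (r"SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity",
     lambda v: v == 0, "Virtualization-based security disabled", "high"),
    (r"SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity",
     lambda v: v == 0, "HVCI disabled", "high"),
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth",
     lambda v: v == 1, "Security Center health icon hidden", "medium"),
    (r"SOFTWARE\Microsoft\Security Center\cval",
     lambda v: v == 0, "Security Center cval cleared", "medium"),
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes",
     _low_risk_executables, "Executable extensions marked low-risk", "medium"),
    (r"Software\Microsoft\Windows\CurrentVersion\Run\Windows",
     lambda v: True, "Autorun value named 'Windows' written", "medium"),
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows",
     lambda v: True, "Policy autorun value named 'Windows' written", "medium"),
    (r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     lambda v: v == 0, "Protected OS files hidden in Explorer", "low"),
    (r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     lambda v: v == 0, "Explorer 'Hidden' setting changed to 0", "low"),
]
_RULES = [(p.lower(), pred, desc, sev) for p, pred, desc, sev in RULES]
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


def decode_details(details):
    """Sysmon renders DWORDs as 'DWORD (0x00000001)'; strings are written raw."""
    if details is None:
        return None
    text = details.strip()
    m = DWORD_RE.fullmatch(text)
    if m:
        return int(m.group(1), 16)
    text = text.strip('"')
    return int(text) if text.isdigit() else text


def check_registry_event(event):
    """Return findings for one SetValue event; the value matters, not just the path."""
    if event.get("EventType", "SetValue") != "SetValue":
        return []
    path = HIVE_PREFIX.sub("", event.get("TargetObject", "")).lower()
    value = decode_details(event.get("Details"))
    return [{"path": rule_path, "description": desc, "severity": sev, "value": value}
            for rule_path, pred, desc, sev in _RULES
            if path == rule_path and pred(value)]


def parse_log(text):
    """Parse JSON-lines events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage_registry(events):
    """Score each event by its worst finding."""
    out = []
    for ev in events:
        findings = check_registry_event(ev)
        worst = max((f["severity"] for f in findings), key=SEVERITY_RANK.__getitem__, default="none")
        out.append({"target": ev.get("TargetObject"), "severity": worst, "findings": findings})
    return out


# Constructed sample events (not real telemetry); the SID is made up. Event 5 resets
# DisableAntiSpyware to 0 and must not fire; event 6 is the low-severity Explorer tweak.
SAMPLE_LOG = r'''
{"EventID": 13, "EventType": "SetValue", "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "EventType": "SetValue", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", "Details": "DWORD (0x00000000)"}
{"EventID": 13, "EventType": "SetValue", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows", "Details": "C:\\Users\\User\\AppData\\Roaming\\User.exe"}
{"EventID": 13, "EventType": "SetValue", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations\\LowRiskFileTypes", "Details": ".cmd;.exe;.bat;"}
{"EventID": 13, "EventType": "SetValue", "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", "Details": "DWORD (0x00000000)"}
{"EventID": 13, "EventType": "SetValue", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "Details": "DWORD (0x00000000)"}
'''

if __name__ == "__main__":
    for r in triage_registry(parse_log(SAMPLE_LOG)):
        print(r["severity"].upper(), r["target"], [f["description"] for f in r["findings"]])
```

Severities are a judgement call: disabling Defender, UAC, SmartScreen or VBS is rated high because each removes a protection outright, the autorun and LowRiskFileTypes writes medium because they are also seen in ordinary software installs, and the Explorer view settings low because they only hide files from the user. Keying on the user-hive paths with the SID stripped lets the same rule match whichever user the malware ran as.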

Meanwhile, the malware is also encrypting files it finds on the infected machine.

AVCrypt's Encryption Process 

On execution, AVCrypt remains dormant for a time before eventually connecting to a C2 (command-and-control) server (bxp44w3qwwrmuupc.onion). It then transmits the victim machine information and the encryption key to the server. However, there appears to be an error in this process, as it appends other contents from memory as part of the key. This is an additional indication that the malware is still in development.

After its attempt to remove antivirus and delete the additional services outlined above, AVCrypt will then scan for files to encrypt. As part of the encryption process it renames encrypted files to "+[original_name]". For example, a file called "Goat.jpg" will be renamed "+Goat.jpg".

[Figure: Files encrypted by AVCrypt]


The +HOW_TO_UNLOCK.txt ransom note is left behind in each encrypted folder, though, as mentioned, it doesn't actually provide victims with any usable instructions.
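The "+" filename prefix and the per-folder +HOW_TO_UNLOCK.txt note are the on-disk indicators of the encryption phase, and together they are more specific than either alone. The following routine is an added example, not Barkly's or the malware's code: it runs over constructed JSON-lines events in the shape of Sysmon Event ID 11 (FileCreate) records (field names, timestamps, process ids and paths are assumptions), counts "+"-prefixed file creations per process in a sliding window, records where the note was dropped, and rates a process high only when it both bursts and writes the note, so a user who happens to name one file "+todo.txt" is not flagged.

```python
"""Spot AVCrypt-style encryption activity in file-creation events.

Added example, not Barkly's or the malware's code: it runs over constructed
JSON-lines events shaped like Sysmon Event ID 11 (FileCreate) records. Field
names, timestamps, process ids and paths are assumptions; the '+' filename
prefix and the +HOW_TO_UNLOCK.txt note name come from the article.
"""
import json
from collections import deque
from datetime import datetime

RANSOM_NOTE = "+HOW_TO_UNLOCK.txt"
WINDOW_SECONDS = 10     # sliding window for counting '+' files per process
BURST_THRESHOLD = 5     # '+' files inside one window that count as a burst


def _split(path):
    """Split a Windows path into (folder, basename)."""
    folder, _, name = path.rpartition("\\")
    return folder, name


def _when(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def parse_log(text):
    """Parse JSON-lines events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze_file_events(events):
    """Return per-process findings: note drops, '+' file bursts and a severity.

    A single user file that happens to start with '+' stays at 'none'; the note
    alone or a burst alone is 'medium'; both from the same process is 'high'.
    """
    procs = {}
    for ev in sorted(events, key=_when):
        pid = ev["ProcessId"]
        folder, name = _split(ev["TargetFilename"])
        info = procs.setdefault(pid, {"image": ev.get("Image"), "notes": [], "plus_files": 0,
                                      "burst_at": None, "window": deque()})
        if name == RANSOM_NOTE:
            info["notes"].append(folder)
            continue
        if not name.startswith("+"):
            continue
        info["plus_files"] += 1
        window = info["window"]
        now = _when(ev)
        window.append(now)
        # Drop timestamps that fell out of the window, then test the count.
        while (now - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= BURST_THRESHOLD and info["burst_at"] is None:
            info["burst_at"] = ev["UtcTime"]
    for info in procs.values():
        del info["window"]
        hits = bool(info["notes"]) + (info["burst_at"] is not None)
        info["severity"] = {0: "none", 1: "medium", 2: "high"}[hits]
    return procs


# Constructed sample events (not real telemetry). Process 4242 mimics the article's
# rename scheme and note drop; process 1111 is a user saving ordinary files.
SAMPLE_LOG = r'''
{"EventID": 11, "UtcTime": "2018-03-26 10:00:00.000", "ProcessId": 4242, "Image": "C:\\Users\\User\\AppData\\Roaming\\User.exe", "TargetFilename": "C:\\Users\\User\\Pictures\\+Goat.jpg"}
{"EventID": 11, "UtcTime": "2018-03-26 10:00:00.400", "ProcessId": 4242, "Image": "C:\\Users\\User\\AppData\\Roaming\\User.exe", "TargetFilename": "C:\\Users\\User\\Pictures\\+Cat.jpg"}
{"EventID": 11, "UtcTime": "2018-03-26 10:00:00.900", "ProcessId": 4242, "Image": "C:\\Users\\User\\AppData\\Roaming\\User.exe", "TargetFilename": "C:\\Users\\User\\Pictures\\+Dog.jpg"}
{"EventID": 11, "UtcTime": "2018-03-26 10:00:01.300", "ProcessId": 4242, "Image": "C:\\Users\\User\\AppData\\Roaming\\User.exe", "TargetFilename": "C:\\Users\\User\\Documents\\+budget.xlsx"}
{"EventID": 11, "UtcTime": "2018-03-26 10:00:01.800", "ProcessId": 4242, "Image": "C:\\Users\\User\\AppData\\Roaming\\User.exe", "TargetFilename": "C:\\Users\\User\\Documents\\+thesis.docx"}
{"EventID": 11, "UtcTime": "2018-03-26 10:00:02.000", "ProcessId": 4242, "Image": "C:\\Users\\User\\AppData\\Roaming\\User.exe", "TargetFilename": "C:\\Users\\User\\Documents\\+HOW_TO_UNLOCK.txt"}
{"EventID": 11, "UtcTime": "2018-03-26 10:00:02.300", "ProcessId": 4242, "Image": "C:\\Users\\User\\AppData\\Roaming\\User.exe", "TargetFilename": "C:\\Users\\User\\Documents\\+notes.txt"}
{"EventID": 11, "UtcTime": "2018-03-26 10:00:05.000", "ProcessId": 1111, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\User\\Desktop\\+todo.txt"}
{"EventID": 11, "UtcTime": "2018-03-26 10:00:07.000", "ProcessId": 1111, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\User\\Desktop\\report.docx"}
'''

if __name__ == "__main__":
    for pid, info in analyze_file_events(parse_log(SAMPLE_LOG)).items():
        print(pid, info["severity"].upper(), info["image"], info["plus_files"], info["burst_at"], info["notes"])
```

The window size and threshold are the knobs to tune: the article's sample renames files as fast as it can encrypt them, so five "+" files in ten seconds is deliberately loose, and a real deployment would also want the first burst timestamp as the point to start isolation and restore decisions from.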

[Figure: AVCrypt ransom note]


Once encryption is complete, AVCrypt performs one last trick, executing a batch file that performs the cleanup of all the dropped files, clears the event logs, terminates the malicious process, and even deletes its entry from the Autorun registry settings.

Barkly Blocks AVCrypt 

While this particular ransomware still appears to be a work in progress, it may soon be a very real threat. Malware that can successfully uninstall antivirus software would obviously be a major cause for concern, and knowing that ransomware authors are actively experimenting with that capability is alarming to say the least.

Such malicious capability puts even more emphasis on blocking infections at the earliest outset, before malware even has the chance to execute. Barkly specializes in blocking the most common paths malware takes to land on victim systems, but it also offers defense in depth by blocking malicious behaviors and activity should an attack find a way to gain initial access to a machine.

In the case of AVCrypt, not only does Barkly block the executable using machine-learning-powered file analysis; if the file is allowed to run, Barkly also prevents it from conducting malicious activity commonly associated with ransomware. In both cases, the threat is blocked before any damage can be done.

You can see Barkly vs. AVCrypt in action below, with the incident reported in real time in Barkly's CommandIQ™ portal displayed on the right.


Here's another look at the incidents reported in the portal. Admins can investigate any incidents to reveal additional details and take action immediately, even from their mobile device. 


Worried your AV can't protect your organization from today's modern attacks? Learn more about the potential gaps you're exposed to by downloading our AV Gap Analysis. 
