A new type of ransomware which tries to uninstall security software on victim PCs has been discovered in the wild.
According to an analysis of the malware, AVCrypt not only attempts to remove existing antivirus products before encrypting files on a compromised computer, but also deletes a selection of Windows services.
Researchers Lawrence Abrams and Michael Gillespie say that the ransomware “attempts to uninstall software in a way that we have not seen before,” which marks the malware as unusual.
The true purpose of the malware, which looks like ransomware because of its capabilities, is also in question, as some elements appear unfinished. It contains encryption routines but no real ransom note, and taken together with its deletion of services and security software, it is possible the malware is also intended for use as a wiper.
It is not yet known how AVCrypt targets victims. However, when the malicious code executes on a victim’s PC, the malware will first attempt to remove security software by targeting Windows Defender and Malwarebytes, or by specifically querying for other antivirus software before attempting to uninstall the programs.
To eradicate AV products, the ransomware deletes Windows services, including MBAMProtection, Schedule, TermService, WPDBusEnum, WinDefend, and MBAMWebProtection. Only some of these belong to security software: WinDefend is Windows Defender and the two MBAM services belong to Malwarebytes, whereas Schedule (Task Scheduler), TermService (Remote Desktop Services) and WPDBusEnum (Portable Device Enumerator) are core Windows services whose removal degrades the system rather than disabling protection.
The malware then checks whether any antivirus software is registered with the Windows Security Center and deletes those entries from the command line.
During testing, however, the researchers say the malware was unable to remove Emsisoft's antivirus software with these techniques.
Whether or not the deletion of Windows services to hamper AV protections would work with other solutions is unknown.
The wiper-like behaviour does not completely destroy the Windows installation, but deleting core services is likely to cause service degradation.
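A defender triaging a machine for the behaviour described above would want to confirm whether the named services are still present and whether any AV product is still registered with Security Center. The script below is an added example, not AVCrypt's code and not part of the researchers' analysis; it assumes a Windows client SKU, PowerShell 3.0 or later (for Get-CimInstance), and an elevated session. The service names and the ransom-note file name are the ones reported in the article.

```powershell
# Added triage script (not AVCrypt's code, not from the researchers' analysis).
# Assumes a Windows client SKU, PowerShell 3.0+, run as an administrator.

# Services the article reports AVCrypt deleting. Schedule, TermService, WPDBusEnum and
# WinDefend ship with Windows, so their absence indicates tampering; the MBAM* services
# exist only where Malwarebytes was installed, so their absence alone proves nothing.
$BuiltIn    = @('Schedule', 'TermService', 'WPDBusEnum', 'WinDefend')
$ThirdParty = @('MBAMProtection', 'MBAMWebProtection')

function Get-WatchedServiceState {
    param([string[]]$Names, [bool]$ExpectedPresent)
    foreach ($name in $Names) {
        # Get-Service emits a non-terminating error for an unknown name; treat that as "missing".
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service    = $name
            Present    = ($null -ne $svc)
            Status     = if ($svc) { $svc.Status.ToString() } else { 'MISSING' }
            Suspicious = ($null -eq $svc) -and $ExpectedPresent
        }
    }
}

function Get-RegisteredAntivirus {
    # root/SecurityCenter2 is the WMI namespace Windows Security Center uses to track AV
    # products on client SKUs. It does not exist on Windows Server, where an empty result is normal.
    try {
        Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction Stop |
            Select-Object displayName, productState, pathToSignedProductExe
    } catch {
        Write-Warning "root/SecurityCenter2 unavailable: $($_.Exception.Message)"
    }
}

$services  = @()
$services += Get-WatchedServiceState -Names $BuiltIn    -ExpectedPresent $true
$services += Get-WatchedServiceState -Names $ThirdParty -ExpectedPresent $false
$services | Format-Table -AutoSize

$av = @(Get-RegisteredAntivirus)
if ($av.Count -eq 0) {
    Write-Warning 'No antivirus product is registered with Security Center.'
} else {
    $av | Format-Table -AutoSize
}

# Ransom-note check: the file name reported in the analysis, searched under the user profile.
$notes = Get-ChildItem -Path $env:USERPROFILE -Filter '+HOW_TO_UNLOCK.txt' -Recurse -Force -ErrorAction SilentlyContinue
if ($notes) { $notes | Select-Object FullName }

$tampered = @($services | Where-Object Suspicious)
if ($tampered.Count -gt 0) {
    Write-Warning ('Built-in services missing: ' + ($tampered.Service -join ', '))
}
```

A missing Schedule, TermService, WPDBusEnum or WinDefend entry is the strongest signal here, because those services are part of Windows itself and are not removed by normal software uninstalls. An empty Security Center result should be read alongside the service check: it is expected on servers and on a client that never had a registered AV product.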
Once this stage is complete, AVCrypt uploads an encryption key to a Tor site, together with system information and the timezone. The malware then scans for files to encrypt, renaming them as it goes.
The ransom note, saved as “+HOW_TO_UNLOCK.txt,” does not contain any decryption instructions or contact information; instead, there is what appears to be placeholder “lol n” text.
It appears that the ransomware is in development stages, and while there is a tenuous link between AVCrypt and a recent attack on a Japanese university, it is not known whether the malware was responsible.
Microsoft told the publication that only two samples of this malware have been detected and so the company also believes that AVCrypt is not yet complete.
“This ransomware is quite destructive to an infected computer, yet at the same time does appear to upload the encryption key to a remote server,” the researchers say. “Therefore, it is not known whether this is a true ransomware or a wiper disguised as one.”