You might have let Avcrypt Ransomware in by opening a corrupted spam email attachment, or the infection could have slithered into your operating system via a malicious software bundle. Other distribution methods exist as well, which is why it is hard to say exactly how the threat invaded your computer. Unfortunately, not all users realize that the infection has entered, because it is silent; if it were not, its chances of encrypting files successfully would be much lower. If the encryption succeeds, a “+” symbol is prepended to the file name; for example, a file named “picture.jpg” appears as “+picture.jpg” afterwards. These files cannot be decrypted manually, and it does not look like the creators of the infection could provide victims with a decryptor either. The strangest thing about this ransomware is that its creators do not ask for a ransom, unlike B2dr Ransomware, Xorist-XWZ Ransomware, BlackRuby-2 Ransomware, and other previously reported infections that, of course, also require removal. You must delete Avcrypt Ransomware as well, and that is what we discuss in this report.
When Avcrypt Ransomware invades the operating system, it takes quite a few steps before the actual encryption of files begins. First, the infection creates a copy of its launcher under %APPDATA%. The name of the file is unique, but it should not be hard to find because it contains your username or the name of the infected computer. This copy is kept running by a point of execution in the Windows Registry: look for a value named “Windows” under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The infection also tries to find and uninstall active antivirus software. The researchers in our internal lab found that Avcrypt Ransomware does not succeed in every case, but where it does, it uninstalls the antivirus software with this command: cmd.exe /C wmic product where [AV VENDOR] call uninstall /nointeractive & shutdown /a & shutdown /a & shutdown /a;. Two details of that command are worth knowing: “wmic product” only covers software registered with Windows Installer (MSI), which is one reason the uninstall does not always work, and the repeated “shutdown /a” aborts any restart an uninstaller schedules, so the machine stays up for the encryption. Avcrypt Ransomware also removes 16 Windows services, including “Schedule,” “SharedAccess,” “WinDefend,” and “wscsvc.” After all of this, the infection connects to a C&C server on the Tor network (bxp44w3qwwrmuupc.onion) to transmit the encryption key and other information about the computer.
When the encryption is complete, the malicious Avcrypt Ransomware drops a file that should represent the ransom demands. It is called “+HOW_TO_UNLOCK.txt,” and the message inside it reads only “lol n.” As mentioned before, the infection makes no demands, which is why it can also be classified as a data wiper. Of course, it is also possible that this ransomware is still in development and will be updated in the future to demand a ransom, which is usually what cyber criminals want in return for a file decryptor. Needless to say, even if demands were made, complying with them is not recommended, because you do not want to be trapped by cyber criminals who are willing to do anything just to get your money. In this situation, the only thing you can do is remove Avcrypt Ransomware along with all of its malicious components. Once you get rid of the infection, you will need to decide what to do about the encrypted files. If backups exist, you should delete the encrypted files without hesitation and restore from backup.
It is possible that you do not need to worry about the removal of Avcrypt Ransomware, because this threat might have erased itself automatically after it corrupted your files. Even so, you should check whether the malicious components still exist, because you do not want to leave anything malicious behind. A rough guide listing the elements that belong to the malicious ransomware follows below. If you cannot eliminate the threat manually, install a trustworthy anti-malware program to clean the system for you automatically. You also need to keep your system’s security in mind, and if you are not sure you can keep your system safe in the future, installing anti-malware software can be very beneficial. Unfortunately, Avcrypt Ransomware is not the only file-encrypting threat that exists, and new, more powerful infections emerge every single day. This is why you need to take an extra step to keep your personal files protected: we recommend a reliable backup system that stores copies of your files somewhere the ransomware cannot reach.
| # | File Name | File Size (Bytes) | File Hash |
|---|---|---|---|
| 1 | +HOW_TO_UNLOCK.txt | 5 | MD5: 2346fe9aece96ed19d6403c9f95ad90a |
| 2 | AVCrypt.exe | 3052032 | MD5: bd20d8afabe658816d06301b8f367c7e |

| # | Process Name | Process Filename | Main Module Size (Bytes) |
|---|---|---|---|
| 1 | AVCrypt.exe | AVCrypt.exe | 3052032 |
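The checks a practitioner would run to confirm whether the components described in this report (the Run-key value, the launcher copy under %APPDATA%, the removed services, the ransom note, and the two hashes in the table above) are still on a machine can be scripted. The following PowerShell triage script is an added example written for this page; it is not part of the original analysis and not code from the ransomware. Only the indicator values come from the report; the script's structure, variable names, the choice to match launcher copies on the user name or computer name, and the output format are this example's own assumptions.

```powershell
# Triage script for the AVCrypt indicators named in this report.
# Added example, not part of the original analysis. Run from an elevated
# PowerShell session on the suspect host. Indicator values (Run value name,
# service names, note file name, MD5 hashes) are from the report; everything
# else here is an assumption of this example.

$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# 1. Persistence: a value named "Windows" under HKCU\...\Run.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-ItemProperty -Path $runKey -Name 'Windows'
if ($runVal) {
    $findings += "Run-key value 'Windows' present: $($runVal.Windows)"
}

# 2. Launcher copy under %APPDATA%. The report says the name is unique but
#    contains the user name or the computer name, so match on either and
#    compare the MD5 against the hashes listed in the table.
$knownMd5 = @{
    'bd20d8afabe658816d06301b8f367c7e' = 'AVCrypt.exe (launcher)'
    '2346fe9aece96ed19d6403c9f95ad90a' = '+HOW_TO_UNLOCK.txt (ransom note)'
}
$namePattern = [regex]::Escape($env:USERNAME) + '|' + [regex]::Escape($env:COMPUTERNAME)
Get-ChildItem -Path $env:APPDATA -Filter '*.exe' -Recurse -File |
    Where-Object { $_.Name -match $namePattern } |
    ForEach-Object {
        $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash.ToLower()
        $tag = if ($knownMd5.ContainsKey($md5)) { $knownMd5[$md5] } else { 'name matches only; hash not in report' }
        $findings += "Candidate launcher copy: $($_.FullName) [MD5 $md5] -> $tag"
    }

# 3. Services the report says the sample removes (four of the sixteen are named).
foreach ($svc in 'Schedule', 'SharedAccess', 'WinDefend', 'wscsvc') {
    $s = Get-Service -Name $svc
    if (-not $s) {
        $findings += "Service '$svc' is missing (removed?)"
    } elseif ($s.Status -ne 'Running') {
        $findings += "Service '$svc' is $($s.Status)"
    }
}

# 4. Ransom note and "+"-prefixed files in the user profile.
$note = Get-ChildItem -Path $env:USERPROFILE -Filter '+HOW_TO_UNLOCK.txt' -Recurse -File |
    Select-Object -First 1
if ($note) {
    $noteMd5 = (Get-FileHash -Path $note.FullName -Algorithm MD5).Hash.ToLower()
    $findings += "Ransom note found: $($note.FullName) (MD5 $noteMd5)"
}
$encrypted = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -File |
    Where-Object { $_.Name.StartsWith('+') -and $_.Name -ne '+HOW_TO_UNLOCK.txt' })
if ($encrypted.Count -gt 0) {
    $findings += "$($encrypted.Count) file(s) with the '+' prefix, e.g. $($encrypted[0].FullName)"
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output '[ok] None of the AVCrypt indicators from this report were found.'
}
```

If the Run value or a launcher copy turns up, remove the value with Remove-ItemProperty and quarantine the file rather than opening it. The hash comparison only confirms the exact sample analysed here; a different build of the same family would show up as "hash not in report", so treat a name match under %APPDATA% combined with a missing WinDefend or wscsvc service as enough reason to hand the machine to a full anti-malware scan.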