
AVCrypt Ransomware

By GoldSparrow in Ransomware

The AVCrypt Ransomware is an encryption ransomware Trojan that was first observed in March 2018. The AVCrypt Ransomware is being delivered to victims of this attack via corrupted spam email attachments, typically taking the form of DOCX files with corrupted embedded macro scripts. The AVCrypt Ransomware will run as 'av2018.exe' and carry out a typical encryption ransomware attack once installed on a computer.

How the AVCrypt Ransomware Attack Works

Threats like the AVCrypt Ransomware carry out a typical attack that involves taking the victim's files hostage and then demanding the payment of a ransom to restore the affected files. This is a predictable attack method used by many encryption ransomware Trojans. In these attacks, a strong encryption algorithm is used to make the victim's files inaccessible, and the victim is asked to pay a ransom in exchange for the decryption key, which is crucial to restoring access to the affected files. The AVCrypt Ransomware connects to its Command and Control servers using the TOR client, which is used to access the Deep Web and establish communications anonymously. However, the people controlling the AVCrypt Ransomware have no way to deliver a decryption method to the victim, so the files encrypted by the AVCrypt Ransomware attack are lost permanently. The AVCrypt Ransomware has been observed to encrypt numerous file types generated by the user in its attack, which may include video, audio, images, and numerous document types. A few examples of the files that may be encrypted by attacks like the AVCrypt Ransomware are:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zi.

Once the AVCrypt Ransomware encrypts a file, it can be identified easily because the AVCrypt Ransomware will add the prefix '+' to each of the affected files' names. The AVCrypt Ransomware will disable several Windows services in its attack, including the following:

MpsSvc; MsMpSvc; PcaSvc; RasMan; SDRSVC; Schedule; SharedAccess; TermService; VSS; WPDBusEnum; WerSvc; WinDefend; srservice; swprv; wscsvc; wuausev

The AVCrypt Ransomware’s Ransom Demands

The AVCrypt Ransomware will deliver a ransom note in the form of a text file after encrypting the victim's files. In every folder where the AVCrypt Ransomware has encrypted content, a text file named '+HOW_TO_UNLOCK.txt' is dropped. This file does not contain any text. In most ransomware Trojans, these files contain a message demanding that the victim pay a ransom. Because the AVCrypt Ransomware does not deliver a ransom note, and because the cybercrooks have no way of providing a decryption key to the victim, it is likely that the AVCrypt Ransomware is in an unfinished state or still under development. However, PC security researchers have determined that the AVCrypt Ransomware is still capable of taking the victims' files hostage and causing the victims to lose their files permanently.
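The two host-side indicators described above (the '+' filename prefix together with the empty '+HOW_TO_UNLOCK.txt' marker, and the list of stopped Windows services) are the kind of thing a responder wants to check quickly across a file share or a fleet. The following Python triage helper is an added example and not code from the original article; it assumes service states are supplied as (name, status) pairs, for instance exported from a `Get-Service` listing, and it builds a constructed sample folder so it runs offline.

```python
"""Triage helpers for the AVCrypt indicators described in the article.

Added example, not code from the original page. The service names are the
ones the article lists; the sample folder and service states are constructed.
"""
import os
import tempfile
from pathlib import Path

# Windows services the article reports the ransomware disabling (copied as listed).
TARGETED_SERVICES = {
    "MpsSvc", "MsMpSvc", "PcaSvc", "RasMan", "SDRSVC", "Schedule", "SharedAccess",
    "TermService", "VSS", "WPDBusEnum", "WerSvc", "WinDefend", "srservice", "swprv",
    "wscsvc", "wuausev",
}

NOTE_NAME = "+HOW_TO_UNLOCK.txt"  # empty marker file dropped in each affected folder
PREFIX = "+"                       # prefix added to the names of encrypted files


def tampered_services(service_states):
    """Return the article-listed services that are not in the 'Running' state.

    service_states: iterable of (name, status) pairs. Assumption: status strings
    look like 'Running' / 'Stopped' (as in a Get-Service export). Name matching
    is case-insensitive; unrelated services are ignored.
    """
    wanted = {s.lower(): s for s in TARGETED_SERVICES}
    return sorted(
        wanted[name.lower()]
        for name, status in service_states
        if name.lower() in wanted and status.strip().lower() != "running"
    )


def scan_tree(root):
    """Walk `root` and collect the file-system indicators from the article.

    Returns {'notes': [dirs holding an empty note], 'renamed': [files with the '+' prefix]},
    with paths relative to `root` in POSIX form so results compare the same on any OS.
    """
    root = Path(root)
    notes, renamed = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            rel = p.relative_to(root).as_posix()
            if fname == NOTE_NAME:
                # The article says the note is empty; an empty file is the strong match.
                if p.stat().st_size == 0:
                    notes.append(p.parent.relative_to(root).as_posix())
            elif fname.startswith(PREFIX):
                renamed.append(rel)
    return {"notes": sorted(notes), "renamed": sorted(renamed)}


def build_sample_tree():
    """Create a constructed folder layout imitating one affected directory (demo input)."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "docs").mkdir()
    (tmp / "docs" / "+report.docx").write_bytes(b"\x00" * 16)  # constructed renamed file
    (tmp / "docs" / NOTE_NAME).write_bytes(b"")                # constructed empty note
    (tmp / "docs" / "notes.txt").write_text("untouched")
    (tmp / "other").mkdir()
    (tmp / "other" / "photo.jpg").write_bytes(b"\xff\xd8")      # untouched file
    return tmp


# Constructed service export: two listed services stopped, one listed running,
# one unrelated service stopped (should be ignored).
SAMPLE_SERVICES = [
    ("WinDefend", "Stopped"),
    ("VSS", "Stopped"),
    ("MpsSvc", "Running"),
    ("Spooler", "Stopped"),
]


if __name__ == "__main__":
    print("services not running:", tampered_services(SAMPLE_SERVICES))
    print("file indicators:", scan_tree(build_sample_tree()))
```

Running the module prints `['VSS', 'WinDefend']` for the service check and the `docs` folder (with `docs/+report.docx`) for the file scan. In practice the file scan would be pointed at a share or user profile, and the service pairs would come from a real host export; a hit on the empty note plus '+'-prefixed files in the same folder is the combination to escalate, since either alone can have benign explanations.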

Protecting Your Data from Threats Like the AVCrypt Ransomware

If the AVCrypt Ransomware or a similar attack has compromised your data, PC security researchers strongly advise using a reliable security program to remove the AVCrypt Ransomware and other threats. The files encrypted by the attack cannot be decrypted. Because of this, it is important to have file backups that can be used in the case of a threat attack.
