{
	"id": "19dfeab8-26bc-4d93-85cb-e0229d0030da",
	"created_at": "2026-04-06T00:21:45.790295Z",
	"updated_at": "2026-04-10T03:23:51.947979Z",
	"deleted_at": null,
	"sha1_hash": "fb8ee731767e7211f39d6ea79fb6d0326439fc19",
	"title": "The AVCrypt Ransomware Tries To Uninstall Your AV Software",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 772624,
	"plain_text": "The AVCrypt Ransomware Tries To Uninstall Your AV Software\r\nBy Lawrence Abrams\r\nPublished: 2018-03-23 · Archived: 2026-04-05 20:03:34 UTC\r\nA new ransomware named AVCrypt has been discovered that tries to uninstall existing security software before it encrypts a computer. Furthermore, as it removes numerous services, including Windows Update, and provides no contact information, this ransomware may be a wiper.\r\nAfter analysis by MalwareHunterTeam, who discovered the ransomware, myself, and Michael Gillespie, it was decided to name this ransomware AVCrypt as the sample file names are av2018.exe. The developer, though, may be naming it LOL based on some of the debug messages found in the ransomware samples.\r\nDebug Messages\r\nRegardless of what it is called, this infection attempts to uninstall software in a way that we have not seen before. These features are outlined in the sections below.\r\nAVCrypt tries to uninstall your security software\r\nAs already stated, when AVCrypt runs it will attempt to remove installed security software from the victim's computer. It does this in two ways: by specifically targeting Windows Defender and Malwarebytes, and by querying for installed AV software and then attempting to remove it.\r\nhttps://www.bleepingcomputer.com/news/security/the-avcrypt-ransomware-tries-to-uninstall-your-av-software/\r\nPage 1 of 7\r\nFirst AVCrypt will delete Windows services required for the proper operation of Malwarebytes and Windows Defender. It does this using a command like the following format:\r\ncmd.exe /C sc config \"MBAMService\" start= disabled \u0026 sc stop \"MBAMService\" \u0026 sc delete \"MBAMService\";\r\nIt then queries to see what AV software is registered with Windows Security Center and attempts to delete it via WMIC:\r\ncmd.exe /C wmic product where ( Vendor like \"%Emsisoft%\" ) call uninstall /nointeractive \u0026 shutdown /a \u0026 shutdown /a \u0026 sh\r\nThe above command, though, was not able to uninstall Emsisoft in this manner. It is unknown whether it would work with other AV software.\r\nWiper or In-dev Ransomware?\r\nAt this point, it is not clear whether AVCrypt is an in-development ransomware or a wiper, as there are characteristics that can lead to either categorization.\r\nOn the wiper side, this ransomware attempts to delete a variety of Windows services when started. These services are:\r\nMBAMService\r\nMBAMSwissArmy\r\nMBAMChameleon\r\nMBAMWebProtection\r\nMBAMFarflt\r\nESProtectionDriver\r\nMBAMProtection\r\nSchedule\r\nWPDBusEnum\r\nTermService\r\nSDRSVC\r\nRasMan\r\nPcaSvc\r\nMsMpSvc\r\nSharedAccess\r\nwscsvc\r\nsrservice\r\nVSS\r\nswprv\r\nWerSvc\r\nMpsSvc\r\nWinDefend\r\nwuauserv\r\nWhile Windows will continue to function after these services are deleted, there will likely be issues with the proper operation of Windows.\r\nFurthermore, the ransom notes created by the ransomware do not provide any contact information. They simply state \"lol n\".\r\nAt the same time, this infection does upload the encryption key to a remote TOR site, and the contents of the note could simply be a placeholder. Furthermore, when executing the ransomware it displays an alert before it starts, and there are numerous debug messages, so it could very well be just an in-development ransomware.\r\nMicrosoft has told BleepingComputer that they have only detected two samples of this ransomware, with one of them possibly being my computer, so they feel that this infection is currently in development. Microsoft is currently detecting it as Ransom:Win32/Pactelung.A.\r\nAlready in the wild or just a coincidence?\r\nWhile I am leaning towards this being an in-development ransomware, a security researcher posted on Twitter that computers at a Japanese university were recently infected by a ransomware that also uninstalled antivirus software.\r\nBleepingComputer has reached out to the email address listed in the email, but has not heard back at the time of publication.\r\nAVCrypt Encryption Process\r\nWhen AVCrypt is executed it will sit idle for a brief period, extract an embedded TOR client, and connect to the bxp44w3qwwrmuupc.onion command \u0026 control server, where it will transmit the encryption key, timezone, and Windows version of the victim. There appears to be an error in this transmission, as it appends other content from memory as part of the key.\r\nIt will then attempt to remove various security programs as described in the previous sections. It will then scan for files to encrypt, and when it encrypts a file, will rename it to +[original_name]. For example, a file called test.jpg would be encrypted and then renamed to +test.jpg.\r\nEncrypted Files\r\nIn each folder in which a file is encrypted, it will also create a ransom note named +HOW_TO_UNLOCK.txt. This ransom note does not contain any contact information or instructions, as shown below.\r\nAVCrypt Ransom Note\r\nWhile running, it will also add and delete a variety of registry values in order to reduce the security of the computer.\r\nThe added registry values include:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations\\LowRiskFileTypes .cmd;.exe;.bat;\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows %AppData%\\[username].exe\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAHealth 1\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\Windows C:\\Users\\User\\AppData\\Roaming\\User.exe\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\EnableSmartScreen 0\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures 0\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\LsaCfgFlags 0\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\HVCIMATRequired 0\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\HypervisorEnforcedCodeIntegrity 0\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity 0\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware 1\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring 1\r\nSome of the changed values include:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden \"0\" (old value=\"1\")\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip \"0\" (old value=\"1\")\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden \"0\" (old value=\"1\")\r\nHKLM\\SOFTWARE\\Microsoft\\Security Center\\cval \"0\" (old value=\"1\")\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA \"0\" (old value=\"1\")\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableVirtualization \"0\" (old value=\"1\")\r\nWhen done, it will execute a batch file named +.bat that performs a cleanup of any dropped files, clears event logs, terminates the ransomware process, and removes the autorun entry.\r\nContents of Batch File\r\nAs you can see, this ransomware is quite destructive to an infected computer, yet at the same time it does appear to upload the encryption key to a remote server. Therefore, it is not known whether this is a true ransomware or a wiper disguised as one.\r\nIOCs\r\nHashes:\r\na64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f\r\n58c7c883785ad27434ca8c9fc20b02885c9c24e884d7f6f1c0cc2908a3e111f2\r\nNetwork Connections:\r\nbxp44w3qwwrmuupc.onion\r\nAssociated Files:\r\n+HOW_TO_UNLOCK.txt\r\n%AppData%\\[username].exe\r\n%Temp%\\libeay32.dll\r\n%Temp%\\libevent-2-0-5.dll\r\n%Temp%\\libevent_core-2-0-5.dll\r\n%Temp%\\libevent_extra-2-0-5.dll\r\n%Temp%\\libgcc_s_sjlj-1.dll\r\n%Temp%\\libgmp-10.dll\r\n%Temp%\\libssp-0.dll\r\n%Temp%\\ssleay32.dll\r\n%Temp%\\t.bmp\r\n%Temp%\\t.zip\r\n%Temp%\\tor.exe\r\n%Temp%\\zlib1.dll\r\nRansom Note Text:\r\nlol n\r\nSource: https://www.bleepingcomputer.com/news/security/the-avcrypt-ransomware-tries-to-uninstall-your-av-software/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/the-avcrypt-ransomware-tries-to-uninstall-your-av-software/"
	],
	"report_names": [
		"the-avcrypt-ransomware-tries-to-uninstall-your-av-software"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434905,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb8ee731767e7211f39d6ea79fb6d0326439fc19.pdf",
		"text": "https://archive.orkl.eu/fb8ee731767e7211f39d6ea79fb6d0326439fc19.txt",
		"img": "https://archive.orkl.eu/fb8ee731767e7211f39d6ea79fb6d0326439fc19.jpg"
	}
}