avcrypt

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .avcrypt
  • Renaming Convention: The extension “.avcrypt” is appended to the original file name (nothing is prepended), so the source name and its own extension are preserved and can be recovered by stripping the suffix. Examples:
    Q1-Financials.xlsx.avcrypt, D:\backups\SQL_FULL.bak.avcrypt

2. Detection & Outbreak Timeline

  • First sightings: 02 April 2018 (submitted to ID-Ransomware, VirusTotal).
  • Peak activity: Mid-April – July 2018; sporadic re-appearances in 2019 tied to fresh mal-spam waves.
  • Classification: Early strain of the “Avcrypt” family (distinct from “Avaddon”/”Avest”).

3. Primary Attack Vectors

  • Malicious spam (“DocuSign-themed” invoices): ZIP attachments containing a heavily obfuscated .JS or .VBS dropper.
  • External-facing RDP: Weak or exposed TCP/3389 brute-forced, then PsExec used to push the payload to many hosts at once.
  • EternalBlue (MS17-010) + DoublePulsar: Automated spreading to unpatched Windows 7 / Server 2008 devices once inside the perimeter.
  • Exploit of obsolete Java 6/7: Drive-by drop when victims visited a compromised web ad chain leading to the RIG exploit kit.

Remediation & Recovery Strategies:

1. Prevention

  1. Disable SMBv1 via GPO / Registry (unless legacy app critical).
  2. Close TCP/3389 to the Internet, enforce strong RDP passwords, and require VPN + MFA for remote access.
  3. Apply MS17-010 (SMBv1) and the March 2018 Windows security updates (including CVE-2018-0878), and keep Java/JRE on a supported release.
  4. Apply email gateway rules stripping .js / .vbs / macro-enabled Office from external mail.
  5. Standard 3-2-1 backups (immutable, off-line, daily snaps).
  6. EDR/AV rules: block the known payload hash (SHA-256 e9e7…b22d) and alert on creation of the mutex Global\AVCRYPT3301, which the payload uses to avoid running a second encryption pass on the same host.

2. Removal

  1. Disconnect: Air-gap infected machine(s) to stop lateral movement.
  2. Kill active processes: From an offline recovery disk or Safe Mode. Look for:
  • AVCRYPT.exe, cmd.exe spawning wbadmin delete catalog, and bcdedit changes that disable recovery (recoveryenabled No).
  3. Registry cleanup: Remove run-key & service entries:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\avcrypt
  • HKLM\SYSTEM\CurrentControlSet\Services\avcryptsvc
  4. Delete dropped files: Typically %AppData%\avcrypt.exe, %SystemRoot%\Temp\*.exe, and the ransom note +HOW_TO_UNLOCK.txt|.html in every folder.
  5. Check shadow copies: Run vssadmin list shadows to see whether any restore points survived containment. Note that vssadmin resize shadowstorage does not restore anything; shrinking the storage area is the trick ransomware uses to purge shadow copies, so its appearance in process logs is an indicator of compromise, not a recovery step.
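The two checks an analyst runs first on a suspected host are the ones implied by the renaming convention above (find every appended-.avcrypt file and the ransom notes) and by the removal steps just listed (spot the wbadmin, bcdedit and vssadmin commands that destroy recovery). The script below is an added example, not the page's or any vendor's tooling: the sample directory tree and the Sysmon-style "key=value" log lines are constructed for the demo, that log layout is assumed, and the last three patterns (bcdedit bootstatuspolicy ignoreallfailures, vssadmin delete shadows, wmic shadowcopy delete) generalise beyond what the page names to commands commonly seen alongside them.

```python
"""Triage helper for an avcrypt-style incident (added example).

Check 1 walks a directory tree and lists files carrying the appended ".avcrypt"
extension (the original name is recovered by stripping the suffix) plus the
+HOW_TO_UNLOCK.txt / .html ransom notes.
Check 2 scans process-creation log lines for the recovery-inhibition commands:
wbadmin delete catalog, bcdedit ... recoveryenabled no, vssadmin resize
shadowstorage, and a few commonly seen relatives.
"""
import os
import re
import tempfile

EXT = ".avcrypt"
NOTE_NAMES = {"+how_to_unlock.txt", "+how_to_unlock.html"}

# Commands that wipe or disable Windows recovery; case-insensitive, tolerant of
# extra arguments between the binary and the verb. The first three are the ones
# the page names; the rest are assumed companions seen in similar ransomware.
RECOVERY_INHIBIT = {
    "wbadmin_delete_catalog":  re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    "bcdedit_recovery_off":    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "vss_resize_storage":      re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    "bcdedit_ignore_failures": re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "vss_delete_shadows":      re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete":  re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
}

# Constructed sample lines in a Sysmon-like "key=value" layout (assumed format).
SAMPLE_LOG = [
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c wbadmin delete catalog -quiet",
    "EventID=1 Image=C:\\Windows\\System32\\bcdedit.exe CommandLine=bcdedit /set {default} recoveryenabled No",
    "EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB",
    "EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin list shadows",
    "EventID=1 Image=C:\\Windows\\explorer.exe CommandLine=C:\\Windows\\explorer.exe",
]


def scan_tree(root):
    """Return (encrypted, notes): encrypted maps each .avcrypt path to the
    original path it would have after stripping the suffix."""
    encrypted, notes = {}, []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(EXT):
                encrypted[path] = path[:-len(EXT)]
            elif name.lower() in NOTE_NAMES:
                notes.append(path)
    return encrypted, notes


def scan_process_log(lines):
    """Return [(rule_name, command_line)] for every line whose CommandLine
    matches a recovery-inhibition pattern. Benign vssadmin use such as
    'list shadows' is deliberately not matched."""
    hits = []
    for line in lines:
        m = re.search(r"CommandLine=(.*)$", line)
        if not m:
            continue
        cmd = m.group(1).strip()
        for rule, rx in RECOVERY_INHIBIT.items():
            if rx.search(cmd):
                hits.append((rule, cmd))
    return hits


def build_demo_tree():
    """Create a constructed sample tree: two renamed files, one untouched file
    and one ransom note. Returns the temp root (caller may delete it)."""
    root = tempfile.mkdtemp(prefix="avcrypt_demo_")
    os.makedirs(os.path.join(root, "backups"))
    for rel in ("Q1-Financials.xlsx.avcrypt",
                os.path.join("backups", "SQL_FULL.bak.avcrypt"),
                os.path.join("backups", "README.md"),
                "+HOW_TO_UNLOCK.txt"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"placeholder")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    enc, notes = scan_tree(demo_root)
    for enc_path, orig_path in sorted(enc.items()):
        print(f"encrypted: {enc_path} -> original name {os.path.basename(orig_path)}")
    print(f"ransom notes: {len(notes)}")
    for rule, cmd in scan_process_log(SAMPLE_LOG):
        print(f"ALERT {rule}: {cmd}")
```

Point scan_tree at a mounted image of the victim disk rather than the live host, and feed scan_process_log with exported Sysmon EID 1 or Security 4688 lines (after mapping them into the CommandLine= layout). The list of recovered original names is what you hand to the decryptor or backup team; the command-line hits tell you whether shadow copies are worth looking for at all.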

3. File Decryption & Recovery

  • Status: Avcrypt used an RC4 stream cipher for a short period before switching to AES-256; the RC4 build left its key in process memory, from which it was quickly extracted.
  • Public decryption available: Yes, since 18 April 2018 from ESET (avcrypt_decryptor.exe). Requirements:
  • A pair of original + encrypted files ≥ 120 KB each (for key reconstruction).
  • Do NOT run the tool on a PC that has already been re-imaged; instead extract the encrypted files via external USB or a Linux live distro and decrypt them elsewhere.
  • Online key: only the RC4 build is recoverable. The AES variant generates a random key per victim and sends it to the C2 over HTTPS, so nothing usable is left on the host and no free tool exists for AES-locked data; restore from backups.
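The "pair of original + encrypted files" requirement follows from how a stream cipher fails when one keystream is reused: plaintext XOR ciphertext gives the keystream, and the keystream then unlocks the same byte range of every other file. The script below is an added illustration of that principle, not ESET's decryptor logic and not the malware's own code. It assumes, for the toy, that the RC4 build used one key per victim with no per-file nonce; the victim key, the file contents and their sizes are constructed for the demo.

```python
"""Why a known original/encrypted pair lets an RC4 build be undone (added example).

RC4 is a stream cipher: ciphertext = plaintext XOR keystream. If the malware
reuses one key for every file (assumption for this toy; no per-file nonce),
XORing a known original against its encrypted copy yields the keystream, and
that keystream decrypts the first N bytes of every other file, where N is the
length of the known pair. Hence a minimum size on the sample pair.
"""
import os


def rc4(key, data):
    """Textbook RC4: key-scheduling (KSA) then keystream generation (PRGA),
    XORed over data. Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def recover_keystream(known_plain, known_cipher):
    """Keystream = plaintext XOR ciphertext, over the overlapping length."""
    n = min(len(known_plain), len(known_cipher))
    return bytes(p ^ c for p, c in zip(known_plain[:n], known_cipher[:n]))


def decrypt_with_keystream(cipher, keystream):
    """Returns (recovered_prefix, bytes_still_missing). Bytes beyond the
    keystream length cannot be recovered from this pair alone."""
    n = min(len(cipher), len(keystream))
    return bytes(c ^ k for c, k in zip(cipher[:n], keystream[:n])), len(cipher) - n


def demo():
    """Constructed scenario: one victim key, a 4096-byte known pair and an
    8800-byte second file. Returns (recovered, missing, prefix_correct)."""
    victim_key = os.urandom(16)                 # never known to the analyst
    known_plain = bytes(range(256)) * 16        # 4096 bytes the victim still has
    other_plain = b"The quick brown fox jumps over the lazy dog\n" * 200  # 8800 bytes
    known_cipher = rc4(victim_key, known_plain)
    other_cipher = rc4(victim_key, other_plain)

    ks = recover_keystream(known_plain, known_cipher)
    recovered, missing = decrypt_with_keystream(other_cipher, ks)
    return len(recovered), missing, recovered == other_plain[:len(recovered)]


if __name__ == "__main__":
    got, missing, ok = demo()
    print(f"recovered {got} bytes, {missing} bytes still missing, prefix correct: {ok}")
```

The demo recovers exactly as many bytes of the second file as the known pair is long and leaves the rest untouched, which is why a small sample pair is useless against large documents. The attack needs the same keystream reused across files; it does nothing against the AES build, whose random per-victim key only ever travels to the C2.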

Essential Tools / Patches for remediation:

  1. ESET Avcrypt Decryptor v1.3 – https://support.eset.com/en/kb3658
  2. Microsoft KB4012598 SMBv1 patch (for XP/2003).
  3. Kaspersky TDSSKiller & Malwarebytes as disinfectors to clear any secondary loaders.

4. Other Critical Information

  • “Self-whitelisting” trick: Avcrypt carries hard-coded SHA-1 hashes of Microsoft Defender components (MpSigStub.exe) that it uses to locate and disable Defender, then registers its own mutex so that a second copy will not start another encryption cycle over the same files; the net effect is that signature-based AV is blind for the first 60–90 seconds after execution.
  • Wider Implications: Initial distribution rode on a manually circulated “removal tool” that claimed to clean WannaCry but actually dropped Avcrypt, a classic fake-cleaner attack. This social-engineering lure spread the family before security vendors could block the new hash.