
Rapid 2.0 Ransomware

By GoldSparrow in Ransomware

The Rapid 2.0 Ransomware is an encryption ransomware Trojan that is related to the Rapid Ransomware, a ransomware Trojan released in January 2018. PC security researchers observed the Rapid 2.0 Ransomware, the second version of this threat, in March of 2018, two months after the initial release. There do not seem to be any substantial differences between the Rapid 2.0 Ransomware and the first version of this threat, the Rapid Ransomware, except for the use of different Command and Control servers and email addresses associated with the people controlling the attacks. The Rapid 2.0 Ransomware's delivery method and basic mechanics of its attack are similar to most other encryption ransomware Trojans active today.

Symptoms of a Rapid 2.0 Ransomware Infection

The Rapid 2.0 Ransomware is typically delivered to victims through the use of corrupted email attachments, commonly in the form of Microsoft Word files with embedded macro scripts that download and install the Rapid 2.0 Ransomware onto the victim's computer. Once the Rapid 2.0 Ransomware has been installed on the victim's computer, it uses strong encryption algorithms (AES and RSA) to make the victim's files inaccessible and take them hostage. Files compromised by the Rapid 2.0 Ransomware attack are simple to recognize because the Rapid 2.0 Ransomware adds a new file extension to each affected file. PC security researchers have observed several variants of the Rapid 2.0 Ransomware, which mark files with the file extensions '.JFCWF', '.GJLLW' or '.GQKYO', among others.

How the Rapid 2.0 Ransomware Attack Works

The Rapid 2.0 Ransomware delivers a ransom note in the form of a text file named 'DECRYPT.[5-random-chars].txt,' dropped on the infected computer's desktop after encrypting the victim's files, and taking them hostage. The text of the Rapid 2.0 Ransomware's ransom note reads:

'- ALL YOUR FILES ARE ENCRYPTED BY the Rapid 2.0 Ransomware -
Dont worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase a Rapid Decryptor.
This software will decrypt all your encrypted files and will delete Rapid from your PC.
To get this software you need write on our e-mail:
1. supp1decr@cock[.]li
2. supp2decr@cock[.]li (if first email unavailable)
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt him for free.
But we can decrypt only 1 file for free. File must not contain valuable information
Dont try to use third-party decryptor tools because it will destroy your files.'

The Rapid 2.0 Ransomware and its variants will encrypt a wide variety of file types, commonly targeting the user-generated files while avoiding the Windows system files. Some of the file types targeted in ransomware attacks like the Rapid 2.0 Ransomware's include:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip.

The instructions in the Rapid 2.0 Ransomware's ransom note shouldn't be followed. Having file backups and a resourceful security program that is fully updated can protect your data from the Rapid 2.0 Ransomware and other encryption ransomware Trojans.

Update 3.0

The Rapid 3.0 Ransomware is a file encoder Trojan that was discovered by malware analysts in the third week of May 2018. As you may guess, the Rapid 3.0 Ransomware is the next version of the Rapid 2.0 Ransomware, which was reported in March 2018 and was categorized as the second major release after the Rapid Ransomware, which emerged in January 2018. Computer security experts note that the team behind the latest Rapid 3.0 Ransomware is very active and appears to follow a two-month release cycle. Some experts say that this is a slower release cycle compared to the majority of the GandCrab Ransomware and the Scarab Ransomware variants. However, you should not underestimate the Rapid 3.0 Ransomware.

The programmers behind the Trojan have been using a broad network of email accounts and carefully crafted DOCX files to infect hundreds of users. Also, the threat actors continue to compromise sites and use them to store their ‘Command and Control’ infrastructure. It is hard to track the network transmissions of the Rapid 3.0 Ransomware and find out who runs the ransomware campaign since the Trojan uses TOR relays to hide its client-server interaction. Infected users may find that the Rapid 3.0 Ransomware has deleted their Shadow Volume Copies and there are no available System Restore Points. The Rapid 3.0 Ransomware behaves like most mid-tier crypto-threats and makes sure to cripple the native data recovery features on Windows. The Rapid 3.0 Ransomware uses per-PC encryption keys and places the ‘.rapid’ extension on the encrypted files. For example, ‘Jumeirah.jpeg’ is renamed to ‘Jumeirah.jpeg.rapid’ and the Rapid 3.0 Ransomware may lock access to data stored in the following formats:

.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, .doc, .epub, .docx, .fb2, .flv, .gif, .gz, .iso, .ibooks, .jpeg, .jpg, .key, .mdb, .md2, .mdf, .mht, .mobi, .mhtm, .mkv, .mov, .mp3, .mp4, .mpg, .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt, .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2.

The ransom note is displayed on the desktop and loaded in Microsoft's Notepad app as '!!! README !!!.txt.' We have seen the Rapid 3.0 Ransomware urge users to install the TOR Browser (h[tt]ps://www.torproject[.]org/projects/torbrowser) and access a payment portal at h[tt]p://vgon3ggilr4vu32q[.]onion/?id=btc where a decryptor is offered for sale. The Rapid malware operators offer access to a "Rapid Decryptor" in exchange for 0.07 Bitcoin (610 USD/511 EUR). We do not recommend that users cooperate with the ransomware managers, as they are likely to lose their money.
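The file-system indicators described above (the appended '.JFCWF', '.GJLLW', '.GQKYO' and '.rapid' extensions, the 'DECRYPT.[5-random-chars].txt' note of Rapid 2.0 and the '!!! README !!!.txt' note of Rapid 3.0) are what an incident responder would sweep a disk image or a mounted share for. The following triage script is an added example, not tooling from this page or from any vendor: it walks a directory tree, classifies files as ransom notes, known-extension encrypted files or suspect files, and reconstructs the pre-encryption names by stripping the appended extension. It generalizes slightly beyond the page by also flagging an unknown five-uppercase-letter extension appended to a common document type (the "several other variants" the text mentions); that heuristic, the `COMMON_INNER` list and the constructed sample directory are assumptions for the demo.

```python
"""Triage helper for the file-system indicators attributed to Rapid 2.0 / 3.0.

Added example, not the page's own tooling. Run on a mounted copy of the
affected volume; it only reads names, never file contents.
"""
import json
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Extensions the page reports: Rapid 2.0 variants append '.JFCWF', '.GJLLW',
# '.GQKYO' (among others); Rapid 3.0 appends '.rapid'.
KNOWN_RAPID_EXTENSIONS = {".jfcwf", ".gjllw", ".gqkyo", ".rapid"}

# Ransom note names from the page: 'DECRYPT.<5 random chars>.txt' (2.0)
# and '!!! README !!!.txt' (3.0).
NOTE_PATTERNS = (
    re.compile(r"^DECRYPT\.[A-Za-z0-9]{5}\.txt$", re.IGNORECASE),
    re.compile(r"^!!! README !!!\.txt$", re.IGNORECASE),
)

# Assumption (heuristic, not from the page): an unrecognized five-letter
# uppercase extension stacked on a common document type is worth a look.
GENERIC_FIVE_LETTER = re.compile(r"^\.[A-Z]{5}$")
COMMON_INNER = {".docx", ".doc", ".xlsx", ".pdf", ".jpg", ".jpeg", ".png",
                ".pptx", ".txt", ".zip", ".sql", ".db"}


def classify(path: Path) -> Optional[str]:
    """Return 'note', 'encrypted', 'suspect' or None for one file name."""
    name = path.name
    if any(p.match(name) for p in NOTE_PATTERNS):
        return "note"
    suffix = path.suffix
    inner = Path(path.stem).suffix.lower()  # '.docx' in 'report.docx.JFCWF'
    if suffix.lower() in KNOWN_RAPID_EXTENSIONS:
        return "encrypted"
    if GENERIC_FIVE_LETTER.match(suffix) and inner in COMMON_INNER:
        return "suspect"
    return None


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Walk `root` and group findings; 'originals' are the pre-encryption names."""
    findings: Dict[str, List[str]] = {
        "notes": [], "encrypted": [], "suspect": [], "originals": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            rel = p.relative_to(root).as_posix()
            kind = classify(p)
            if kind == "note":
                findings["notes"].append(rel)
            elif kind == "encrypted":
                findings["encrypted"].append(rel)
                # Stripping the appended extension recovers the original name.
                findings["originals"].append(
                    p.with_suffix("").relative_to(root).as_posix())
            elif kind == "suspect":
                findings["suspect"].append(rel)
    for bucket in findings.values():
        bucket.sort()
    return findings


def build_sample_tree(base: Path) -> Path:
    """Constructed post-infection layout for the demo (not real artefacts)."""
    layout = [
        "Desktop/DECRYPT.AB12C.txt",        # Rapid 2.0 style note
        "Desktop/!!! README !!!.txt",       # Rapid 3.0 note
        "Documents/report.docx.JFCWF",      # known 2.0 variant extension
        "Pictures/Jumeirah.jpeg.rapid",     # the page's 3.0 rename example
        "Pictures/holiday.jpg",             # untouched
        "Work/budget.xlsx.QZXWV",           # unknown variant-like extension
        "Windows/system.dll",               # system file, left alone
    ]
    for rel in layout:
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content\n")
    return base


def demo() -> Dict[str, List[str]]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point `scan_tree` at the root of a mounted evidence volume rather than the live system; the 'originals' list is what you compare against backups to scope restoration, and a non-empty 'suspect' list is the cue to hand the sample to an analyst rather than assume a known variant.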

The data encoded by the Rapid 3.0 Ransomware is unrecoverable unless you have the correct decryption key. Fortunately, PC users who are using online-backup services and have backup images available should not find it too hard to recover from the Rapid 3.0 Ransomware attacks. Instead of paying hundreds of dollars to the con artists, consider buying a suitable memory storage device, which you can use for backup purposes and run a trusted anti-malware engine that can delete the Rapid 3.0 Ransomware securely.
