Rapid Ransomware

Threat Scorecard

Ranking: 14,252
Threat Level: 100 % (High)
Infected Computers: 4,237
First Seen: January 15, 2018
Last Seen: October 24, 2022
OS(es) Affected: Windows

The Rapid Ransomware is an encryption ransomware Trojan that was first observed on January 2, 2018. There is very little to differentiate the Rapid Ransomware from the numerous encryption ransomware Trojans that are active currently. Like many other ransomware Trojans that are being uncovered constantly, the Rapid Ransomware will encrypt victims' files using a strong encryption algorithm and then demand a ransom payment from the victim in exchange for the decryption key that is necessary to recover the affected files.

Rapid Ransomware Uses Social Engineering

The most common way of delivering the Rapid Ransomware and similar threats is through corrupted Microsoft Word documents that include embedded macro scripts that download and install the Rapid Ransomware onto the victim's computer. Spam email messages used to deliver these documents are designed to use social engineering tactics that convince the victim that the attachment is legitimate and the email message comes from a trusted source such as Facebook or Amazon. In Rapid Ransomware's case, the emails were designed to impersonate the Internal Revenue Service (IRS), the USA tax collection agency, despite the malware targeting users in multiple countries across the world. The emails try to scare the user by having a subject similar to "Please Note – IRS Urgent Message" and making absurd claims such as the victim having only a day to contact a tax manager otherwise they might have to pay fines. When the user opens the corrupted word file, the macro script downloads and installs the Rapid Ransomware onto the victim's computer.

How the Rapid Ransomware Carries out Its Attack

Once the Rapid Ransomware has been installed onto the victim's computer, it takes several steps before it starts encrypting data. First, the malware creates two files - info.exe and recovery.txt, located in %UserProfile%\Application Data\ folder. Rapid Ransomware then achieves persistence, meaning that it will be executed on every system startup by creating the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Encrypter_074" = "%UserProfile%\Application Data\info.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"userinfo" = "%UserProfile%\Application Data\recovery.txt
The malware also has the functionality to disable the default Windows recovery options by deleting the volume shadow copies and system backup through the commands
vssadmin.exe Delete Shadow /All /Quiet
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures

Rapid Ransomware is not done, though, and it then proceeds to shut down numerous processes including those of several anti-malware products such as AVP.EXE, avengine.exe, avgnt.exe, ekrn.exe, Mcshield.exe, ashDisp.exe, NortonAntiBot.exe, cmdagent.exe, pccpfw.exe, smc.exe, msmpeng.exe, persfw.exe, fsguiexe.exe, cfp.exe. The victim's files will then be encrypted using the AES and RSA encryption algorithms in all folders except the ones that are necessary for the normal functioning of the Windows OS - %Windir%, %ProgramFiles%, %ProgramData%.

The Rapid Ransomware establishes a connection with its Command and Control server to receive and relay information and ensure that the decryption keys are out of reach from the victim or PC security analysts. The strong encryption makes the user-generated files on the victim's computer inaccessible. These user-generated files may include files such as images, spreadsheets, texts, videos, and a wide variety of other files. Examples of the files that threats like the Rapid Ransomware may target in their attacks include:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.

Even after the files have been encrypted, Rapid Ransomware continues to lurk and will pounce on any newly created file by using the command "%System%\schtasks.exe /create /SC /MINUTE /TN Encrypter /TR %UserProfile%\Application Data\info.exe."

The Rapid Ransomware's Ransom Note

After the Rapid Ransomware encrypts the victim's files, the Rapid Ransomware marks them with the files extension '.rapid,' which is added to the end of each affected file's name. The Rapid Ransomware delivers its ransom note in the form of a text file named either '!!! README !!!.txt' or 'How Recovery Files.txt' dropped in every folder containing encrypted files The Rapid Ransomware ransom file consists of the following text:

All your files have been encrypted by us
If you want restore files write on e-mail – jpcrypt@rape.lol'

Dealing with a Rapid Ransomware Infection

PC security researchers advise computer users to refrain from communicating with the perpetrators of the Rapid Ransomware. They also should avoid paying the ransom, which ranges from $500 to 1500 USD. Instead, the files affected by the Rapid Ransomware attack should be replaced with backup copies. A security program that is fully up-to-date can be used to remove the Rapid Ransomware infection itself and prevent attacks from threats like the Rapid Ransomware from being carried out onto the victim's computer. Since the Rapid Ransomware spreads using spam emails, it is also important to take steps to mitigate any harm that may be caused by these messages.

Rapid 2.0 Ransomware

The Rapid 2.0 Ransomware version was detected roughly two months after the initial release of the malware threat, and it deviates very little from it. It uses several different extensions for the encrypted files - '.JFCWF', '.GJLLW' or '.GQKYO,' among others, and delivers a ransom note in a text file named "DECRYPT.[5-random-chars].txt." The text of the ransom note is:

'-ALL YOUR FILES ARE ENCRYPTED BY the Rapid 2.0 Ransomware -
Dont worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase a Rapid Decryptor.
This software will decrypt all your encrypted files and will delete Rapid from your PC.
To get this software you need write on our e-mail:

1. supp1decr@cock[.]li
2. supp2decr@cock[.]li (if first email unavailable)
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt him for free.
But we can decrypt only 1 file for free. File must not contain valuable information
Dont try to use third-party decryptor tools because it will destroy your files.'

Rapid 3.0 Ransomware

The Rapid 3.0 Ransomware is a file encoder Trojan that was discovered by malware analysts in the third week of May 2018. As you may guess, the Rapid 3.0 Ransomware is the next version of the Rapid 2.0 Ransomware, which was reported in March 2018, and it was categorized as the second major release after the Rapid Ransomware, which emerged in January 2018. Computer security experts note that the team behind the latest Rapid 3.0 Ransomware is very active and appears to follow a two-month release cycle. Some experts say that it is a delayed-release cycle compared to the majority of the GandCrab Ransomware and the Scarab Ransomware variants. However, you should not underestimate the Rapid 3.0 Ransomware.

The programmers behind the Trojan have been using a broad network of email accounts and carefully crafted DOCX files to infect hundreds of users. Also, the threat actors continue to compromise sites and use them to store their ‘Command and Control’ infrastructure. It is hard to track the network transmissions of the Rapid 3.0 Ransomware and find out who runs the ransomware campaign since the Trojan uses TOR relays to hide its client-server interaction. Infected users may find that the Rapid 3.0 Ransomware has deleted their Shadow Volume Copies and there are no available System Restore Points. The Rapid 3.0 Ransomware behaves like most mid-tier crypto-threats and makes sure to cripple the native data recovery features on Windows. The Rapid 3.0 Ransomware uses per-PC encryption keys and has been observed to place either .rapid, .ezymn, or .[5-random-characters] as file extensions. For example, 'Jumeirah.jpeg' is renamed to 'Jumeirah.jpeg.rapid' and the Rapid 3.0 Ransomware may lock access to data stored in the following formats:

.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, doc, .epub, .docx, .fb2, .flv, .gif, .gz, .iso .ibooks, .jpeg, .jpg, .key, .mdb .md2, .mdf, .mht, .mobi .mhtm, .mkv, .mov, .mp3, .mp4, .mpg .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psd, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2.

The ransom note is displayed on the desktop and loaded in Microsoft's Notepad app as '!!! README !!!.txt.' We have seen the Rapid 3.0 Ransomware urge users to install the TOR Browser (h[tt]ps://www.torproject[.]org/projects/torbrowser) and access a payment portal at h[tt]p://vgon3ggilr4vu32q[.]onion/?id=btc where a decryptor is offered for sale. The Rapid malware operators offer access to a "Rapid Decryptor" in exchange for 0.07 Bitcoin (610 USD/511 EUR). We do not recommend users cooperate with the Ransomware managers as they are likely to lose their money.

The data encoded by the Rapid 3.0 Ransomware is unrecoverable unless you have the correct decryption key. Fortunately, PC users who are using online-backup services and have backup images available should not find it too hard to recover from the Rapid 3.0 Ransomware attacks. Instead of paying hundreds of dollars to the con artists, consider buying a suitable memory storage device, which you can use for backup purposes and run a trusted anti-malware engine that can delete the Rapid 3.0 Ransomware securely.

RPD Ransomware

The RPD Ransomware differentiates itself from the rest of the Rapid Ransomware variants by employing '.RPD' as a file extension and using new email addresses for contact - anonimus852@tutanota.com, anonimus852@cock.li, and asgard2018@cock.li. The ransom note for this malware is:

'Hello, dear friend!
All your files have been ENCRYPTED
Do you really want to restore your files?
Write to our email - asgard2018@cock.li
and tell us your unique ID – '
No_More_Ransom Ransomware

Initially, the ".no_more_ransom" extension was first seen as part of the activity of the infamous Shade Ransomware, but the creators of Rapid Ransomware have decided to appropriate it for their own. The ".no_more_ransom" version uses the same file name for its ransom note - DECRYPT.[5-random-characters].txt, but the text inside is different:

All your files have been ENCRYPTED
1. You write to us with your ID.
2. You buy Bitcoin or other cryptocurrency.
3. Pay us on the wallet.
4. Get the decryptor for all your files.
Before payment you can send us 1 test file.
You'll see that we can do it.
Where to buy bitcoin:
and tell us your unique ID'

'.guesswho File Extension' Ransomware

'.guesswho File Extension' Ransomware is one of the latest ransomware threats to be associated with Rapid Ransomware. It operates in a similar fashion but uses the '.guesswho' extension for the files it has encrypted. The text of the ransom note was once again changed, and this time it reads:

'Hello, dear friend!
All your files have been ENCRYPTED
Do you really want to restore your files?
Write to our email - youfile@protonmail.com
and tell us your unique ID - ID-'

Registry Details

Rapid Ransomware creates the following registry entry or registry entries:
Regexp file mask

1 Comment

Friday night we were with with the "rapid" ransomware. A note was left on the screen which directed us to send the "unique id" number to one of the following two email addresses:
> codermvare@cock.li
> rapidka@cock.li
The attack encrypted our client information and our backups.

Can you assist in removing this?


Related Posts


Most Viewed