
Rapid Ransomware (.rapid, .paymeme - ! How Recovery Files.txt) Support Topic


81 replies to this topic

#1 artazil

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:15 PM

Posted 02 January 2018 - 04:03 PM

Good afternoon,
 
A server I support was hit with a crypto variant that I can't find anything on. The ID Ransomware site says it's BTCWare Payday, but I can't find any variants that look anything like this.
It creates a file named "! How Decrypt Files.txt" in ALL affected folders, and its contents are as follows:
 
Hello!
All your files have been encrypted by us
If you want restore files write on e-mail - jpcrypt@rape.lol

 
Encrypted files have a .rapid suffix, which is something else I couldn't find anywhere.
BitDefender's BTCWare Payday decryptor failed.
 
Help would be most appreciated. Thank you!


#2 willholt

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:15 AM

Posted 02 January 2018 - 04:44 PM

A server I look after got hit with this too - must be very new, as I couldn't find any info on it.

Have tried most of the free decryptors that work for non-extension-locked variants, but no luck yet.

Will definitely post back if I find anything that works.

UU



#3 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,426 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:08:15 PM

Posted 02 January 2018 - 05:08 PM

I tweeted a hunt for it earlier. It doesn't look like BTCWare based on the format of not only the ransom note, but the encrypted files themselves. The identification on ID Ransomware may be a false positive due to the ransom note name.

 

We will need a sample of the malware itself for any analysis.

 

https://twitter.com/demonslay335/status/948210920228032512


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 willholt

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:15 AM

Posted 02 January 2018 - 05:30 PM

Sorry, first thing I did was strip out the infected files.

Eset detected it as follows:

C:\Users\'Username'\AppData\Roaming\info.exe           a variant of Generik.KWVYBMS trojan   

C:\Users\'Username'\Downloads\mstsc.exe      a variant of Generik.KWVYBMS trojan  

I can supply a before and after affected file if that's any use?

UU



#5 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,426 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:08:15 PM

Posted 02 January 2018 - 05:38 PM

Before and after won't really help in this case unless we find a cryptographic flaw in the malware. That info.exe looks most likely to be the payload. Is there a log of ESET with any more info such as a hash of that file?

 

When dealing with ransomware, deleting the malware is the last thing you want to do. Quarantining and disabling it is best until you know what you are dealing with.




#6 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,426 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:08:15 PM

Posted 03 January 2018 - 07:40 PM

I've been provided a sample of the malware, and we're currently taking a look at it. Definitely not BTCWare or anything like that. May be new.




#7 skwirlyman

  • Members
  • 2 posts
  • OFFLINE
  • Local time:08:15 PM

Posted 14 January 2018 - 09:27 AM

Demonslay,

I have also been affected with this variant.  How can I attach samples for your review?



#8 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,936 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:15 PM

Posted 14 January 2018 - 11:12 AM

You can submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#9 willholt

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:15 AM

Posted 14 January 2018 - 11:42 AM

If anyone wants to send me one of their encrypted files I'll test and see if the tool I have will decrypt it.



#10 Amigo-A

  • Members
  • 416 posts
  • OFFLINE
  • Gender:Male
  • Location:3st station from Sun
  • Local time:06:15 AM

Posted 14 January 2018 - 11:46 AM

The description of this variant of Rapid Ransomware was granted on January 2, 2018.

 

There are two variants of ransom notes with two different addresses:

rapid@rape.lol
jpcrypt@rape.lol

Edited by Amigo-A, 14 January 2018 - 11:49 AM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Affected by a ransomware? Report it to me here.


#11 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,474 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:15 PM

Posted 19 January 2018 - 01:36 PM

Might be helpful.

https://forums.malwarebytes.com/topic/219170-rapid-ransomware-undetected-by-enpoint-protection/

Hello!
All your files have been encrypted by us
If you want restore files write on e-mail - fileskey@qq.com or fileskey@cock.li

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#12 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,426 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:08:15 PM

Posted 19 January 2018 - 05:16 PM

I'm fairly certain it is secure, but haven't had time to continue analysis on it. It generates an RSA-1024 pair per run, and encrypts the private key of that with a hard-coded RSA-2048 public key. This encrypted key is saved to the registry (example below). The public key is saved in its raw CryptoAPI blob form, as it is what is used to encrypt files directly. Thus, it's very slow to run.

 

 

[Screenshot 2018-01-19_1615.png: registry example]


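The raw CryptoAPI key-blob layout Demonslay335 describes above, as an added example that is not code from this thread or from the malware: it parses an RSA PUBLICKEYBLOB (BLOBHEADER, RSAPUBKEY, little-endian modulus) such as an analyst might pull out of a registry value, and estimates how many RSA operations encrypting a file directly with a 1024-bit public key takes, which is why that design is slow. The sample modulus and blob are constructed here, not recovered from any sample, and the block-size figure assumes PKCS#1 v1.5 padding.

```python
import struct

# CryptoAPI constants from wincrypt.h
PUBLICKEYBLOB = 0x06
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400
RSA1_MAGIC = 0x31415352   # the bytes b"RSA1" read as a little-endian DWORD
HEADER_LEN = 8 + 12       # sizeof(BLOBHEADER) + sizeof(RSAPUBKEY)

def build_public_key_blob(modulus: int, exponent: int, bitlen: int) -> bytes:
    """Serialise a PUBLICKEYBLOB: BLOBHEADER, RSAPUBKEY, modulus (little-endian).
    Used here only to construct a sample blob for the parser below."""
    header = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    rsapubkey = struct.pack("<III", RSA1_MAGIC, bitlen, exponent)
    return header + rsapubkey + modulus.to_bytes(bitlen // 8, "little")

def parse_public_key_blob(blob: bytes) -> dict:
    """Parse a raw RSA PUBLICKEYBLOB (e.g. one recovered from a registry value).
    Raises ValueError on anything malformed."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob too short for BLOBHEADER + RSAPUBKEY")
    btype, bversion, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<III", blob, 8)
    if btype != PUBLICKEYBLOB or bversion != CUR_BLOB_VERSION or magic != RSA1_MAGIC:
        raise ValueError("not an RSA PUBLICKEYBLOB")
    if bitlen % 8 or len(blob) != HEADER_LEN + bitlen // 8:
        raise ValueError("modulus length does not match bitlen")
    modulus = int.from_bytes(blob[HEADER_LEN:], "little")
    return {"alg": alg, "bitlen": bitlen, "exponent": pubexp, "modulus": modulus}

def is_rsa_public_key_blob(blob: bytes) -> bool:
    """True if the bytes parse as a well-formed RSA PUBLICKEYBLOB."""
    try:
        parse_public_key_blob(blob)
        return True
    except ValueError:
        return False

def rsa_ops_to_encrypt(file_size: int, bitlen: int) -> int:
    """RSA operations needed to encrypt file_size bytes directly with the public key,
    assuming PKCS#1 v1.5 padding (bitlen/8 - 11 plaintext bytes per block). This is
    why encrypting whole files with RSA, rather than a symmetric cipher, is slow."""
    max_block = bitlen // 8 - 11
    return -(-file_size // max_block)   # ceiling division

# Constructed sample: a 1024-bit odd number standing in for a modulus (not a real key)
SAMPLE_MODULUS = (1 << 1023) | 0x1234567
SAMPLE_BLOB = build_public_key_blob(SAMPLE_MODULUS, 65537, 1024)
```

A 1 MB file needs 8,548 separate RSA-1024 operations at 117 plaintext bytes each, against a single symmetric-key pass for the usual hybrid design.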


#13 Amigo-A

  • Members
  • 416 posts
  • OFFLINE
  • Gender:Male
  • Location:3st station from Sun
  • Local time:06:15 AM

Posted 20 January 2018 - 03:07 AM

Might be helpful.

 

Aura

Thank you. 




#14 MrL0c0

  • Members
  • 5 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:15 AM

Posted 21 January 2018 - 07:37 AM

Hi, my computer just got nabbed by some kind of ransomware, but no one knows what this is.

 

Hello!

All your files have been encrypted by us
If you want restore files write on e-mail - paymeme@cock.li or paymeme@india.com
 
 
Your ID:
*** Deleted***
 
Send me your ID and 1-3 small encrypted files(The total size of files must be less than 1Mb (non archived)) for free decryption. 
After that, I'll tell you the price for decryption all files.
 
HOW TO RECOVER ENCRYPTED FILES.TXT
decrypted filename: filename.doc.paymeme
 
 
As I can see, it was a brute-force attack via RDS.
The files that were used, I believe, are:
intel - x64 bit.exe
intel - x86 bit.exe
no_sleep.bat
Also, in the registry there is crypto info, and a "cryptkey licens" service is running at startup.
 
Does someone know what this is?

Edited by MrL0c0, 21 January 2018 - 08:45 AM.


#15 MrL0c0

  • Members
  • 5 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:15 AM

Posted 21 January 2018 - 10:15 AM

Looks like Scarab by the link. Any possibility for decryption?





