
Rapid Ransomware (.rapid, .paymeme - ! How Recovery Files.txt) Support Topic


96 replies to this topic

#91 devintrouble1984

devintrouble1984

  • Members
  • 3 posts
  • Local time:07:55 AM

Posted 12 June 2018 - 10:47 AM

For those who want a copy of the encrypted files here's a link of a .rapid file and the txt recovery message.

 

Also, I read the article on this topic and I noticed that the emails listed there did not include the email I got in my recovery file. The email I was told is codermvare@cock.li




 


#92 devintrouble1984

devintrouble1984

  • Members
  • 3 posts
  • Local time:07:55 AM

Posted 12 June 2018 - 01:17 PM

if you are from Russia you may ask them for a "free decryptor"

 

Is it free for Russians?



#93 Amigo-A

Amigo-A

  • Members
  • 481 posts
  • Gender:Male
  • Location:3st station from Sun
  • Local time:05:55 PM

Posted 12 June 2018 - 01:22 PM

Nationality is not important, the main thing is that the IP of PC is Russian Federation and the PC is running the Russian version of Windows.


My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#94 trendcyb

trendcyb

  • Members
  • 2 posts
  • Local time:02:55 PM

Posted 12 June 2018 - 03:36 PM

Hi all,

I have been infected with the .rapid virus. Can I know if you have a way to decrypt the files? Thanks so much



#95 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,277 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:55 AM

Posted 12 June 2018 - 05:31 PM

Unfortunately, there is no known method to decrypt files encrypted by Rapid Ransomware. Demonslay335 explains the encryption process (it generates an RSA-1024 pair per run, and encrypts the private key of that with a hard-coded RSA-2048 public key) here.

Demonslay335 also advised he has a decrypter for victims who have paid the ransom and received the criminal's key...send him a PM with a link to the decrypter they supplied you, and he can extract the private key to try with his decrypter. However, be aware that...

The malware handles large files differently, and their decrypter doesn't work with them. I'm still trying to factor for this in my own decrypter (which still requires the criminal's key).


Without the master private RSA key that can be used to decrypt your files, decryption is impossible. Your best option is to restore from backups, try file recovery software or backup/save your encrypted data as is and wait for a possible solution at a later time. Ignore all Google searches which provide links to bogus and untrustworthy removal/decryption guides.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#96 devintrouble1984

devintrouble1984

  • Members
  • 3 posts
  • Local time:07:55 AM

Posted 12 June 2018 - 06:28 PM

We contacted the server service provider, and this is the information that we've got:

There was a new administrator account called ANONYM, but the encryption wasn't made from that account (which is very odd since we didn't create that account), instead, the account of a coworker was used. But as soon as he was notified and his work environment was checked, he wasn't the author of this encryption, still we think his computer might have been a tool for the ransomware. The evidence shows that the account and password were duplicated by the hackers and they logged in on the first try.

The encryption occurred between 6:20 and 6:30 am (though I'm not sure what time zone, since the provider, the servers and us are in different time zones) and from these IP addresses:
5.39.220.4 (from Amsterdam)
45.227.252.57 (from Willemstad)
185.156.177.14 (from Amsterdam too)
 
Then the shadow copy process started:
6/12/2018 6:19:16 AM
The Volume Shadow Copy service entered the running state.
6/12/2018 6:22:18 AM
The Volume Shadow Copy service entered the stopped state.
.
6/12/2018:06:27:44 AM
The Encrypting File System (EFS) service entered the running state.
6/12/2018:06:27:44 AM
The start type of the Encrypting File System (EFS) service was changed from demand start to auto start.
 
The rest of the information is related with the article posted in the blog.
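
Added example, not part of the original post or thread: a small triage script that parses service events in the two timestamp styles quoted in post #96 and flags service changes near the stated 6:20 to 6:30 window. The function names, the 5-minute slack and the choice of what to flag are assumptions of this example; the sample text is constructed from the lines in the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the service events quoted in the post, in its two timestamp styles.
SAMPLE = """\
6/12/2018 6:19:16 AM
The Volume Shadow Copy service entered the running state.
6/12/2018 6:22:18 AM
The Volume Shadow Copy service entered the stopped state.
6/12/2018:06:27:44 AM
The Encrypting File System (EFS) service entered the running state.
6/12/2018:06:27:44 AM
The start type of the Encrypting File System (EFS) service was changed from demand start to auto start.
"""

TS = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4})[ :](\d{1,2}:\d{2}:\d{2} [AP]M)$")
STATE = re.compile(r"^The (.+) service entered the (\w+) state\.$")
START = re.compile(r"^The start type of the (.+) service was changed from (.+) to (.+)\.$")

def parse_events(text):
    """Pair each timestamp line with the message line that follows it."""
    events, when = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = TS.match(line)
        if m:
            when = datetime.strptime(" ".join(m.groups()), "%m/%d/%Y %I:%M:%S %p")
        elif when and (m := STATE.match(line)):
            events.append((when, m.group(1), "state", m.group(2)))
        elif when and (m := START.match(line)):
            events.append((when, m.group(1), "start_type", f"{m.group(2)} -> {m.group(3)}"))
    return events

def flag(events, window_start, window_end, slack=timedelta(minutes=5)):
    """Return (time, service, note) for service changes inside the window +/- slack."""
    findings, running = [], {}
    for when, svc, kind, detail in sorted(events):
        if not (window_start - slack <= when <= window_end + slack):
            continue
        if kind == "start_type":
            # A persistent configuration change is always reported.
            findings.append((when, svc, f"start type changed: {detail}"))
        elif detail == "running":
            running[svc] = when
        elif detail == "stopped" and svc in running:
            dur = when - running.pop(svc)
            findings.append((when, svc, f"ran for {int(dur.total_seconds())}s then stopped"))
    return findings
```

Call `flag(parse_events(SAMPLE), datetime(2018, 6, 12, 6, 20), datetime(2018, 6, 12, 6, 30))` to get the two findings for this timeline; normalise all sources to one time zone first, since the post notes the provider, servers and victim are in different ones.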


#97 josemaria7

josemaria7

  • Members
  • 6 posts
  • Local time:02:55 PM

Posted 13 June 2018 - 09:36 AM

http://prntscr.com/juiiq3

 

Hello everyone, as a computer specialist, I am, among other things, helping clients to recover data or to make mediation in payment.

In the three and a half years that I have been in this, nobody that I paid for a tool, has deceived me... 
Until this week that I paid $1000 to "restore@wizrac.com" on his wallet 1Cn8ThuXTiAyA42nHxSi5PuFwvxZSFrmvr.
Email communication was always quick ... until I paid him. After several communications begging him to send us the tool, he responded that on Saturday 9 he would send it to us. Logically, he deceived me: he did not send me anything. Until now, I told all clients that "you were reliable people" because in all cases I did the intermediation in the payment, immediately I received the decryption tool.

 

I just want you to take into account that, this colleague of yours, is deceiving people and that he does not give the tool even if it is paid.

 

Logically, to the future clients I will also tell that there is no security to pay because it may be paid and that the tool is not obtained nor the money back.

 

All this you owe to your friend "restore@wizrac.com" who is an expert at fooling people

 

Thanks for your attention.

 

 

 






