
Rapid Ransomware (.rapid, .paymeme - ! How Recovery Files.txt) Support Topic



#106 janeysmith (Members, 4 posts)

Posted 06 August 2018 - 03:49 PM


decrypt cost $1000 in bitcoins
after payment i give you software for decrypt all files.
test decrypt done.
file attached.

Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On 5 August 2018 7:03 PM, I wrote:

> Hey. Thanks for breaking my computer :-/
> What is necessary to uncorrupt the files?
> ID is 7E9XPHVC
> I attached an example file for you to show me if you can fix it.

Do not pay. You'll get nothing back!




#107 rschalie (Members, 2 posts)

Posted 06 August 2018 - 04:06 PM

 


> decrypt cost $1000 in bitcoins
> after payment i give you software for decrypt all files.
> test decrypt done.
> file attached.
>
> Sent with ProtonMail Secure Email.
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On 5 August 2018 7:03 PM, I wrote:
>
> > Hey. Thanks for breaking my computer :-/
> > What is necessary to uncorrupt the files?
> > ID is 7E9XPHVC
> > I attached an example file for you to show me if you can fix it.
>
> Do not pay. You'll get nothing back!

Are you speaking from -unfortunate- personal experience (i.e. you paid the $1000 but did not get decryption software in return?)



#108 quietman7 (Global Moderator, Bleepin' Janitor, 51,592 posts, Virginia, USA)

Posted 07 August 2018 - 07:34 AM

Most security experts will advise against paying the ransom demands of the malware writers because doing so only helps to finance their criminal enterprise and keep them in business. One of the reasons that folks get infected is because someone before them paid the bad guys to decrypt their data. The more people that pay the ransom, the more cyber-criminals are encouraged to keep creating ransomware for financial gain. Further, there is never a guarantee that paying the ransom will actually result in the restoration (decryption) of your files.

As typical with ransomware infections, some victims have reported they paid the ransom and were successful in decrypting their data. Other victims have reported paying the ransom only to discover the criminals wanted more money...demanding additional payments with threats the data would be destroyed or exposed. Still others have reported they paid but the cyber-criminals did not provide a decryptor or a key to decrypt the files, while others reported the decryption software and/or key they received did not work, resulted in errors and in some cases caused damage to the files. Most cyber-criminals provide instructions in the ransom note that allow their victims to submit one or two limited size files for free decryption as proof they can decrypt the files. However, decryption in bulk may not always work properly or work at all and decryption of very large files may be unsuccessful even with the criminal's decryption tool.

In some cases victims may actually be dealing with scam ransomware where the malware writers have no intention or capability of decrypting files after the ransom is paid. There is never a guarantee decryption will be successful or that the decrypter provided by the cyber-criminals will work as they claim and using a faulty or incorrect decryptor may cause additional damage or corruption of files. The criminals may even send you something containing more malware...so why should you trust anything provided by those who infected you in the first place.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#109 janeysmith (Members, 4 posts)

Posted 07 August 2018 - 03:00 PM

 

 


> > decrypt cost $1000 in bitcoins
> > after payment i give you software for decrypt all files.
> > test decrypt done.
> > file attached.
> >
> > Sent with ProtonMail Secure Email.
> >
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On 5 August 2018 7:03 PM, I wrote:
> >
> > > Hey. Thanks for breaking my computer :-/
> > > What is necessary to uncorrupt the files?
> > > ID is 7E9XPHVC
> > > I attached an example file for you to show me if you can fix it.
> >
> > Do not pay. You'll get nothing back!
>
> Are you speaking from -unfortunate- personal experience (i.e. you paid the $1000 but did not get decryption software in return?)

Yes I wrote the above and quoted the email communications, but the quote somehow got broken up by the forum software here.



#110 janeysmith (Members, 4 posts)

Posted 07 August 2018 - 03:02 PM

> Most security experts will advise against paying the ransom demands of the malware writers because doing so only helps to finance their criminal enterprise and keep them in business. One of the reasons that folks get infected is because someone before them paid the bad guys to decrypt their data. The more people that pay the ransom, the more cyber-criminals are encouraged to keep creating ransomware for financial gain. Further, there is never a guarantee that paying the ransom will actually result in the restoration (decryption) of your files.
>
> As typical with ransomware infections, some victims have reported they paid the ransom and were successful in decrypting their data. Other victims have reported paying the ransom only to discover the criminals wanted more money...demanding additional payments with threats the data would be destroyed or exposed. Still others have reported they paid but the cyber-criminals did not provide a decryptor or a key to decrypt the files, while others reported the decryption software and/or key they received did not work, resulted in errors and in some cases caused damage to the files. Most cyber-criminals provide instructions in the ransom note that allow their victims to submit one or two limited size files for free decryption as proof they can decrypt the files. However, decryption in bulk may not always work properly or work at all and decryption of very large files may be unsuccessful even with the criminal's decryption tool.
>
> In some cases victims may actually be dealing with scam ransomware where the malware writers have no intention or capability of decrypting files after the ransom is paid. There is never a guarantee decryption will be successful or that the decrypter provided by the cyber-criminals will work as they claim and using a faulty or incorrect decryptor may cause additional damage or corruption of files. The criminals may even send you something containing more malware...so why should you trust anything provided by those who infected you in the first place.

Yep you are right. Do not pay them. Definitely this person file.wtf@protonmail.com runs off with your money.



#111 pastilha (Members, 1 post)

Posted 09 August 2018 - 03:10 PM

> @IAmDevin
>
> I'm not discouraging conning criminals per se, just letting you know to be careful talking about such things in places where the malware devs would be. :wink:
>
> And reverse engineering the decrypter does no good, we've already done that. I have my own decrypter that works if given the right key; the encryption logic is not the problem. It's the key that you need, and it is different per victim. They use a few master public RSA-2048 keys to encrypt everyone's individually generated RSA-1024 keys, and you can only decrypt your individual key using the private RSA-2048 keys that they have. Each individual file has its own securely generated AES-256 key that is stored in the file after it has been encrypted by your individual RSA-1024 private key, which, once again, is encrypted by their public RSA-2048 key.
>
> Backups are your only real option, or hoping that the private keys are leaked/seized in the future.

@Demonslay335

I have in hand a PC which got attacked by Rapid. It got in by brute force on RDP, but that doesn't matter for now.
"How Recovery Files.txt" / unique ID... yada, yada...
The payload that was left is info.exe, with SHA256: 7d98972d5c78e1d4969da76856d6818942b606c267efa67fd31d39ae77497e9c, already on VirusTotal, as usual.

The one thing that happened and I didn't see mentioned on this thread is that one of its executions crashed and left a (huge) 650MB crash dump (.hdmp).
I still haven't had time to analyse it more, but it seems that (unfortunately) it wasn't from the first run.
I can see in two places (in memory) a string with (...) ID-xxxxxx that doesn't match the one that was left all over the text files... damn!
But still...
From your findings, would it be possible that some kind of memory leak (un-disposed pointer, structure or something) may have left behind the AES keys or even the unencrypted RSA key (if ?! generated locally)?
I see looooots of filenames on the dump... Almost all of them (if not all) already have the .rapid extension... Also, some binary between filenames...
This PC had a lot of files on 2 drives. Maybe there was a memory/structure/list leak during enumeration that made it crash.
I would suppose that the AES keys (for each file) "could" be found on this dump.
And what about the RSA key?
As I understand, it is generated on the PC, and encrypted by the hacker's public key.
Is there a possibility that it could be left clear, if the encryptor dies/crashes and Windows snaps a dump?
Thanks for your time and effort.
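As an added example (not code from this thread or from any of its posters) of how one would check a crash dump like the one described above for a clear-text RSA private key: it scans raw bytes for two common private-key layouts, a PKCS#1 RSAPrivateKey in DER and a Microsoft CryptoAPI PRIVATEKEYBLOB, and reports the key size of each candidate. Which layout Rapid used is an assumption, the sample dump is constructed, and per the key hierarchy quoted above a hit is only possible if the per-run private key was still in memory unencrypted when the process crashed.

```python
import re
# Assumed layouts: PKCS#1 RSAPrivateKey (DER) and CryptoAPI PRIVATEKEYBLOB; either may be absent from a real dump.
def _read_der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, header_bytes) or None."""
    first = buf[pos] if pos < len(buf) else 0x80
    if first < 0x80:
        return first, 1
    n = first & 0x7F
    if n == 0 or n > 2 or pos + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n

def _pkcs1_bits(buf, pos):
    """Modulus size if buf[pos:] parses as SEQUENCE { INTEGER 0, INTEGER n, ... }."""
    hdr = _read_der_len(buf, pos + 1)
    p = pos + 1 + hdr[1] if hdr else len(buf)
    if buf[p:p + 4] != b"\x02\x01\x00\x02":      # version 0, then the modulus tag
        return None
    mod = _read_der_len(buf, p + 4)
    n = buf[p + 4 + mod[1]:p + 4 + mod[1] + mod[0]] if mod else b""
    if not n or len(n) != mod[0]:
        return None
    return int.from_bytes(n, "big").bit_length()

def _capi_bits(buf, pos):
    """Key size if buf[pos:] is BLOBHEADER(bType 7, version 2, CALG_RSA_*) + 'RSA2' + bitlen."""
    alg = int.from_bytes(buf[pos + 4:pos + 8], "little")
    if alg not in (0xA400, 0x2400) or buf[pos + 8:pos + 12] != b"RSA2":
        return None
    return int.from_bytes(buf[pos + 12:pos + 16], "little")

def find_rsa_private_keys(dump):
    """Return (offset, layout, bits) per candidate; confirm a real hit by checking n == p*q."""
    hits = []
    for m in re.finditer(rb"\x30\x82|\x07\x02\x00\x00", dump):   # long-form SEQUENCE or blob header
        pos = m.start()
        bits = _pkcs1_bits(dump, pos) if dump[pos] == 0x30 else _capi_bits(dump, pos)
        if bits:
            hits.append((pos, "pkcs1-der" if dump[pos] == 0x30 else "capi-privatekeyblob", bits))
    return hits

# Constructed sample dump: filler, a filename, a dummy 1024-bit PKCS#1 key and a dummy CryptoAPI blob.
_N, _D = b"\xc3" + b"\x5a" * 127, b"\xb1" + b"\x77" * 127      # placeholder integers, not a real key
_P, _Q = b"\xd5" + b"\x99" * 63, b"\xe7" + b"\x33" * 63
FAKE_PKCS1 = (b"\x30\x82\x01\x96\x02\x01\x00\x02\x81\x81\x00" + _N + b"\x02\x03\x01\x00\x01"
              + b"\x02\x81\x81\x00" + _D + b"\x02\x41\x00" + _P + b"\x02\x41\x00" + _Q)
FAKE_CAPI = (b"\x07\x02\x00\x00" + (0xA400).to_bytes(4, "little") + b"RSA2"
             + (1024).to_bytes(4, "little") + (65537).to_bytes(4, "little") + _N[::-1])
SAMPLE_DUMP = (b"\x00" * 64 + b"C:\\Users\\victim\\report.docx.rapid\x00" + FAKE_PKCS1
               + b"\xff" * 33 + FAKE_CAPI + b"\x00" * 64)
```

Run it over the real .hdmp with `find_rsa_private_keys(open(path, "rb").read())`; on a dump taken after the private key was already wrapped with the attackers' RSA-2048 key, the expected result is no hits.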


#112 skipitout (Members, 1 post)

Posted 16 August 2018 - 04:39 PM

Hi all, I'm new to the forum.

Like many of you, we also got hit with the .rapid ransomware.

The hacker got into the server by Windows RDP. We had no backups and agreed to pay (please do not judge us).

The hacker sent a .exe file that he claims will decrypt the data, however in the process we are getting messages like:

"Error decode session key" and "Error invalid decode session key". So it didn't work. Do not pay.

Meanwhile, after a suggestion from a reddit user, I've sent a PM to Demonslay335 to have his tool tested.

If you have other suggestions, I appreciate your sharing.

Thank you



#113 quietman7 (Global Moderator, Bleepin' Janitor, 51,592 posts, Virginia, USA)

Posted 16 August 2018 - 05:09 PM

Ok. Please be patient. Demonslay335 is a volunteer...he is inundated with numerous support requests and it may take some time to get a reply.

#114 outrageous (Members, 19 posts)

Posted 11 September 2018 - 09:54 AM

any official decryptor?

just got struck by it



#115 Spies (Members, 2 posts)

Posted 11 September 2018 - 11:55 AM

No decrypter yet, you could try tricking them into sending you the decryption key by faking the bitcoin receipt.

#116 quietman7 (Global Moderator, Bleepin' Janitor, 51,592 posts, Virginia, USA)

Posted 11 September 2018 - 03:01 PM

There is no known method to decrypt files encrypted by Rapid Ransomware without paying the ransom and obtaining the private RSA keys from the criminals. The encryption process generates an RSA-1024 pair per run and encrypts the private key with a hard-coded RSA-2048 public key...here. Demonslay335 advised he has a decrypter for victims who have paid the ransom and received the criminal's key.