I'm not discouraging conning criminals per se, just letting you know to be careful talking about such things in places where the malware devs would be.
And reverse engineering the decrypter does no good, we've already done that. I have my own decrypter that works if given the right key, the encryption logic is not the problem. It's the key that you need, and it is different per victim. They use a few master public RSA-2048 keys to encrypt everyone's individually generated RSA-1024 keys, and you can only decrypt your individual key using the private RSA-2048 keys that they have. Each individual file has its own securely generated AES-256 key that is stored in the file after it has been encrypted by your individual RSA-1024 private key, which, once again, is encrypted by their public RSA-2048 key.
Backups are your only real option, or hoping that the private keys are leaked/seized in the future.
I have in hands a PC which got attacked by rapid. It got in by a brute force on RDP, but that doesn't matter for now.
"How Recovery Files.txt" / unique ID... yada, yada...
The payload that was left is info.exe, with SHA256: 7d98972d5c78e1d4969da76856d6818942b606c267efa67fd31d39ae77497e9c, already on virustotal, as usual.
The one thing that happened and I didn't see mentioned on this thread is that one of its executions crashed and left a (huge) crash dump (.hdmp) of about 650MB.
I still haven't had time to analyse it more, but it seems that (unfortunately) it wasn't from the first run.
I can see in two places (in memory) a string with (...) ID-xxxxxx that doesn't match the one that was left all over the text files... damn!
From your findings, would it be possible that some kind of memory leak (un-disposed pointer, structure or something) may have left behind the AES keys or even the unencrypted RSA key (if ?! generated locally)?
I see looooots of filenames on the dump... Almost all of them (if not all) already have the .rapid extension... Also, some binary between filenames...
This PC had a lot of files on 2 drives. Maybe there was a memory/structure/list leak during enumeration that made it crash.
I would suppose that the AES keys (for each file) "could" be found on this dump.
And what about the RSA key?
As I understand, it is generated on the PC, and encrypted by the hacker's public key.
Is there a possibility that it could be left in the clear, if the encryptor dies/crashes and Windows snaps a dump?
Thanks for your time and effort.