A new variant of Rapid Ransomware is currently being distributed using malspam that pretends to be from the Internal Revenue Service. First detected by Derek Knight, this campaign is a mix-up of countries: the IRS is a U.S. entity, the sender is a UK email address, and the spam attachment is in German.
This malspam campaign is being sent with email subjects like "Please Note - IRS Urgent Message-164" and states that the recipient is behind on real estate taxes. It then tells the recipient to open the attachment to see a compiled report of how much is owed.

Attached to the email is a zip file named Notification-[number].zip. Inside is a malicious Word document; the victim must click Enable Editing and then Enable Content for the macro to run. When the macro runs, it downloads the Rapid Ransomware executable and executes it.

Like the previous variant, Rapid Ransomware will scan a computer for data files and encrypt them. When encrypting a file it will append the .rapid extension to the encrypted file's name. For example, a file called test.jpg would be encrypted and renamed to test.jpg.rapid.

When Rapid Ransomware has finished encrypting a computer it will open numerous recovery.txt ransom notes in Notepad. These ransom notes tell the victim to contact decryptsupport@airmail.cc or supportlocker@firemail.cc in order to receive payment instructions.

Unlike many other ransomware infections, this ransomware runs from %UserProfile%\AppData\Roaming\info.exe and configures itself to start every time you log in to the computer. The autorun entry is the value "Encrypter_074 " under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, with the data "%UserProfile%\AppData\Roaming\info.exe".
By starting on every login, the ransomware can keep encrypting new files as they are created. It is therefore important to terminate the info.exe process associated with Rapid Ransomware, rename the file to something like rapid.exe.dis so the Run entry no longer points at an executable, and remove the "Encrypter_074 " value from the Run key so nothing is relaunched at the next login.
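The following PowerShell triage script is an added example, not code from the original article. It walks through the containment steps described above: inspect the HKCU Run key for the reported "Encrypter_074 " value (the trailing space is kept exactly as reported), stop any info.exe running from the Roaming profile folder, rename the dropped binary so the autorun entry no longer resolves, remove the Run value, and count .rapid files to scope the damage. It assumes the value name and path given in the article and nothing else; it does not decrypt any files.

```powershell
# Added example: triage of the Rapid Ransomware persistence described in the article.
# Assumptions (taken from the article, not verified here): Run value "Encrypter_074 "
# (note the trailing space) and the dropped binary at %AppData%\info.exe.
# Run in PowerShell on the affected host as the infected user.

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Encrypter_074 '
$dropper   = Join-Path $env:APPDATA 'info.exe'

# 1. Inspect the Run key: flag the reported value name and any value whose data
#    references info.exe (in case the value name differs on this host).
$suspect = @()
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        if ($p.Name -eq $valueName -or "$($p.Value)" -match 'info\.exe') {
            $suspect += $p
            Write-Host ("Suspicious Run value '{0}' = {1}" -f $p.Name, $p.Value)
        }
    }
}

# 2. Stop any info.exe that was launched from the Roaming profile path.
Get-Process -Name info -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ieq $dropper) } |
    ForEach-Object {
        Write-Host ("Stopping PID {0} ({1})" -f $_.Id, $_.Path)
        Stop-Process -Id $_.Id -Force
    }

# 3. Rename the dropped binary so the autorun entry no longer points at an
#    executable. Keep the file (renamed) for analysis instead of deleting it.
if (Test-Path -LiteralPath $dropper) {
    Rename-Item -LiteralPath $dropper -NewName 'info.exe.dis'
    Write-Host "Renamed $dropper -> $dropper.dis"
}

# 4. Remove the persistence value(s) so nothing is relaunched at next login.
foreach ($p in $suspect) {
    Remove-ItemProperty -Path $runKey -Name $p.Name -ErrorAction SilentlyContinue
    Write-Host ("Removed Run value '{0}'" -f $p.Name)
}

# 5. Scope the damage: count files carrying the .rapid extension under the profile.
$encrypted = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter '*.rapid' `
                 -ErrorAction SilentlyContinue)
Write-Host ("Files with .rapid extension under {0}: {1}" -f $env:USERPROFILE, $encrypted.Count)
```

Because the Run value lives under HKCU, the script must run in the session of the user whose profile was infected; other user profiles on the same machine should be checked separately.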
Unfortunately, at this time there is no way to decrypt Rapid Ransomware encrypted files for free. For those who wish to receive help with disabling this ransomware or have other questions, you can ask in our dedicated Rapid Ransomware Help & Support topic.
Comments
Hidemik - 5 years ago
Today, October 21st, 2019, I have been contacted by a person. His server was hit by a ransomware that, according to ID Ransomware, is a Rapid variant. File info.exe was found at "%UserProfile%\AppData\Roaming\info.exe" and the autorun for this entry was HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ "Encrypter_074 " as mentioned in your article.
I can give this information:
1) File names changed to a random sequence of 10 characters (numbers and letters).
2) Extension for all encrypted files is .guesswho
3) Previous extensions are not visible
4) Ransom note is a file called "How Recover Files.txt"
5) Seems like all files are smaller once encrypted (1st time I see a similar thing)
The ransom notes are different: I have found 3 kinds of txt files; they are all similar but they have, in total, 4 different unique IDs (and the hacker told me by email that each unique ID needs a separate decrypter).
No shadow copies on infected servers. Backup on NAS was completely erased.
I think I will not have much chance to recover any file.
Hope this information can be useful.
Please consider: the hacker accessed the server by forcing RDP. Closing RDP on your server should be a good security measure.