A new variant of Rapid Ransomware is currently being distributed through malspam that pretends to be from the Internal Revenue Service. First detected by Derek Knight, this campaign is a mix-up of countries: the IRS is a U.S. entity, the sender uses a UK email address, and the spam attachment is in German.

This malspam campaign is being sent with email subjects like "Please Note - IRS Urgent Message-164" and states that the recipient is behind on real estate taxes. It then tells the recipient to open the attachment to see a compiled report of how much is owed.

Rapid Ransomware Malspam

Attached to the email is a zip file called Notification-[number].zip. Inside these zip files is a malicious Word document; the victim must click Enable Editing followed by Enable Content for the macros to run. When the macro runs, it downloads the Rapid Ransomware executable and executes it.

Malicious Word Document

Like the previous variant, Rapid Ransomware will scan a computer for data files and encrypt them. When encrypting a file it will append the .rapid extension to the encrypted file's name. For example, a file called test.jpg would be encrypted and renamed to test.jpg.rapid.

Encrypted Rapid Files

When Rapid Ransomware has finished encrypting a computer, it opens numerous recovery.txt ransom notes in Notepad. These ransom notes tell the victim to contact decryptsupport@airmail.cc or supportlocker@firemail.cc in order to receive payment instructions.

Rapid Ransomware Ransom Note

Unlike many other ransomware infections, this ransomware configures itself to start every time you log in to the computer, running from %UserProfile%\AppData\Roaming\info.exe. The autorun entry is HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ "Encrypter_074 " = "%UserProfile%\AppData\Roaming\info.exe".

By setting itself to start on login, the ransomware can encrypt new files as they are created. Therefore it is important to terminate the info.exe process associated with Rapid Ransomware and then rename the file to something like rapid.exe.dis so it does not start again.
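The check and clean-up described above, as an added PowerShell example that is not part of the original article. It assumes the Run value name and the info.exe path quoted above, that the script runs in the affected user's session, and that the Run value should be removed once the file is disabled (an extra step beyond the article's rename):

```powershell
# Added example, not from the article: look for the Rapid Ransomware autorun entry,
# stop the running info.exe, and rename the file so it cannot start again at login.
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Encrypter_074'                       # name quoted in the article (may carry a trailing space)
$expected  = Join-Path $env:APPDATA 'info.exe'     # %UserProfile%\AppData\Roaming\info.exe

# Collect Run values whose name matches (ignoring the trailing space) or whose data points at the dropped file.
$runValues = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
$hits = @()
if ($runValues) {
    $hits = $runValues.PSObject.Properties | Where-Object {
        $_.Name.Trim() -eq $valueName -or
        ($_.Value -is [string] -and $_.Value -like '*\AppData\Roaming\info.exe*')
    }
}

if (-not $hits) {
    Write-Output 'No Rapid Ransomware autorun entry found under HKCU Run.'
    return
}

foreach ($hit in $hits) {
    Write-Output "Found autorun '$($hit.Name)' -> $($hit.Value)"

    # Terminate only the info.exe instances running from the dropped location.
    Get-Process -Name 'info' -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -eq $expected } |
        Stop-Process -Force

    # Rename the payload (as the article suggests) so the Run entry no longer points at a runnable file.
    if (Test-Path -LiteralPath $expected) {
        Rename-Item -LiteralPath $expected -NewName 'rapid.exe.dis' -Force
        Write-Output "Renamed $expected to rapid.exe.dis"
    }

    # Extra hardening step (assumption, not in the article): drop the persistence value itself.
    Remove-ItemProperty -Path $runKey -Name $hit.Name -ErrorAction SilentlyContinue
}
```

Run it before attempting any file recovery so that newly created files are not encrypted while you work.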

Unfortunately, at this time there is no way to decrypt files encrypted by Rapid Ransomware for free. For those who wish to receive help with disabling this ransomware or have other questions, you can ask in our dedicated Rapid Ransomware Help & Support topic.
