A new ransomware is being spread called Rapid Ransomware that stays active after initially encrypting a computer and encrypts any new files that are created. While this behavior is not unique to Rapid, it is not a common behavior we see too often.

While it is not known how the Rapid Ransomware is being distributed, it has been infecting numerous people starting in January. According to statistics from ID-Ransomware, the first submitted case was on January 3rd and since then there have been over 300 submissions.  This is probably a small portion of the total victims, are there many who most likely did not utilize ID-Ransomware to identify the infection.

Rapid Ransomware Submissions to ID-Ransomware
Rapid Ransomware Submissions to ID-Ransomware

How Rapid Ransomware encrypts a computer

When the ransomware runs, it will clear the Windows shadow volume copies, terminate database processes, and disables automatic repair. The processes that are terminated are sql.exe, sqlite.exe, and oracle.com and the commands that are executed are:

vssadmin.exe Delete Shadow /All /Quiet
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures

Once these commands are executed, the ransomware will scan the computer for files to encrypt. When a file is encrypted it will have the .rapid extension appended to the encrypted file's name.

Encrypted Folder
Encrypted Folder

When the ransomware has finished encrypting a computer it will create ransom notes named How Recovery Files.txt in various folders including the Windows desktop. This ransom note will contain an email that the victim should contact to receive payment instructions.

Rapid Ransomware Ransom Note
Rapid Ransomware Ransom Note

This infection will also create autoruns that launch the ransomware on startup and display the ransom note. Information about these autoruns can be found in the IOCs below.

At this time, the Rapid Ransomware cannot be decrypted for free and it is unknown if the attackers provide the decryption key if a payment has been made.  For those who have been infected, we have a Rapid Ransomware Support & Help topic where victims can discuss the infection and receive support.

What to do if you are infected with Rapid Ransomware

As Rapid Ransomware continues to run and monitor for new files to encrypt after a computer is initially encrypted, it is important to shut it down as soon as possible.  Once a victim detects that they have been infected with Rapid Ransomware, they should immediately open up the Windows task manager and terminate the associated ransomware process.

If the computer has not been rebooted yet, then the running process may have any name. For example, our sample was named rapid.exe and you can see it running in the screenshot below. Actual victims will not have this file name running. If the computer has already been rebooted, the the ransomware process may be named info.exe.

Task Manager

Once you terminate the process, you start msconfig.exe and disable the autoruns. If you are unable to access the Windows task manager, you can reboot into Safe Mode with Networking and try from there.

How to protect yourself from the Rapid Ransomware

In order to protect yourself from ransomware, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.

You should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections or heuristics.  For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.

Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:

  • Backup, Backup, Backup!
  • Do not open attachments if you do not know who sent them.
  • Do not open attachments until you confirm that the person actually sent you them,
  • Scan attachments with tools like VirusTotal.
  • Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
  • Make sure you use have some sort of security software installed that uses behavioral detections or white list technology. White listing can be a pain to train, but if your willing to stock with it, could have the biggest payoffs.
  • Use hard passwords and never reuse the same password at multiple sites.

For a complete guide on ransomware protection, you visit our How to Protect and Harden a Computer against Ransomware article.

 

Related Articles:

GandCrab Devs Release Decryption Keys for Syrian Victims

SEO Poisoning Campaign Targeting U.S. Midterm Election Keywords

The Week in Ransomware - October 12th 2018 - NotPetya, GandCrab, and More

Windows 10 Ransomware Protection Bypassed Using DLL Injection

New Reports Show Increased CyberThreats, User Risks Remain High

IOCs

Hashes:

125c2bcb0cd05512391a695f907669b2f55a8b69c9d4df2ce1b6c9c5a1395b61

Files Associated with the Rapid Ransomware:

%AppData%\info.exe
%AppData%\How Recovery Files.txt
%AppData%\recovery.txt

Registry Entries Associated with the Rapid Ransomware:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Encrypter"="%AppData%\info.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "userinfo"="%AppData%\recovery.txt"

Rapid Ransomware Email Addresses:

frenkmoddy@tuta.io
jpcrypt@rape.lol
support@fbamasters.com
unlockforyou@india.com
rapid@rape.lol
fileskey@qq.com
fileskey@cock.li

Rapid Ransomware Ransom Note:

Hello!
All your files have been encrypted by us
If you want restore files write on e-mail - frenkmoddy@tuta.io