
Rapid Ransomware

Posted: January 3, 2018

Threat Metric

Ranking: 15,861
Threat Level: 2/10
Infected PCs: 21
First Seen: April 9, 2023
Last Seen: October 14, 2023
OS(es) Affected: Windows

The Rapid Ransomware is a Trojan that locks your files with AES encryption before delivering ransom notes to make you pay for unlocking them. These attacks may include other symptoms besides those noted above, such as erased backups, problems using default security features, or cosmetic changes to the desktop or to the names of your media. Having an anti-malware program remove the Rapid Ransomware automatically and then restoring any files from a backup is the safest recovery method available to most users.

A Rapidly-Arising Problem of Data Attacks

What may be a new case of Ransomware-as-a-Service (RaaS) is being deployed against the public, using infection methods about which malware experts can only speculate. These attacks leverage a new Trojan, the Rapid Ransomware, to block media and deliver ransom messages. From the evidence available for analysis, it remains probable that more than one set of threat actors is using the Rapid Ransomware in their misdeeds.

Although there are at least two variants of this threat, all the Rapid Ransomware infections show relatively consistent symptoms:

  • The Rapid Ransomware locks traditional media formats, such as DOC documents, PDF documents, or JPG pictures, by encoding them with an AES algorithm. The Rapid Ransomware may apply additional encryption to the key it generates for this procedure.
  • Most file-locking Trojans mark the names of the files they block in some way, such as by adding a new extension. So far, both versions of the Rapid Ransomware use the same extension ('.rapid').
  • Malware experts are finding two types of ransom notes, generated in Notepad (plain text) format, for the Rapid Ransomware's victims. Both request negotiations over e-mail for paying for the decryptor and differ from each other only in the address they primarily promote.

Although the Rapid Ransomware's payload is very similar to the primary families of file-locking threats, including Hidden Tear, EDA2, and the Crysis Ransomware, it has yet to be identified as a member of any of these collectives. Many file-locking Trojans include one or more means of protection against third-party decryptors, so users should schedule backups to protect any vulnerable media from the Rapid Ransomware's possibly permanent encoding routine.
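The symptoms listed above (files renamed with a '.rapid' extension, plain-text ransom notes dropped beside them) are what an incident responder looks for first. The following triage script is an added example and is not code from the original page or from any vendor: it walks a directory tree, groups locked files by the extension they had before renaming, and flags small text files that resemble the notes. Since the page does not quote the note text, the NOTE_KEYWORDS are assumed placeholder markers, and the sample directory it builds is constructed for the demonstration.

```python
"""Triage helper for a suspected Rapid Ransomware infection.

Added example; it is not code from the original page. It walks a directory tree
and reports (a) files carrying the '.rapid' extension named on the page, grouped
by the extension they had before being renamed, and (b) small text files that
look like the Notepad-format ransom notes. The page does not quote the note
text, so NOTE_KEYWORDS below are assumed markers, not strings from real notes.
"""
import os
import tempfile
from collections import Counter

RANSOM_EXTENSION = ".rapid"                    # extension reported on the page
NOTE_KEYWORDS = ("encrypted", "decrypt", "@")  # assumed note markers (placeholder)
NOTE_MAX_BYTES = 64 * 1024                     # ransom notes are small; skip big files


def is_ransom_note(path, keywords=NOTE_KEYWORDS):
    """Heuristic: a small .txt file whose text contains every keyword."""
    if not path.lower().endswith(".txt"):
        return False
    try:
        if os.path.getsize(path) > NOTE_MAX_BYTES:
            return False
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read().lower()
    except OSError:
        return False
    return all(k in text for k in keywords)


def triage(root):
    """Return (Counter of original extensions among locked files, list of note paths)."""
    locked_by_ext = Counter()
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(RANSOM_EXTENSION):
                # "budget.xlsx.rapid" -> original name "budget.xlsx" -> ".xlsx"
                original = lower[: -len(RANSOM_EXTENSION)]
                locked_by_ext[os.path.splitext(original)[1] or "<none>"] += 1
            elif is_ransom_note(path):
                notes.append(path)
    return locked_by_ext, notes


def build_sample_tree():
    """Constructed sample: a temp directory imitating a partially locked profile."""
    root = tempfile.mkdtemp(prefix="rapid_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    samples = {
        "budget.xlsx.rapid": b"\x00" * 32,   # locked spreadsheet (dummy bytes)
        "thesis.doc.rapid": b"\x00" * 32,    # locked document
        "photo.jpg.rapid": b"\x00" * 32,     # locked picture
        "notes.txt": b"meeting at 10",       # ordinary file, must not be flagged
        # constructed note text; the wording is invented for this example
        "recovery_note.txt": b"All your files were ENCRYPTED.\n"
                             b"To decrypt them write to example@example.invalid\n",
    }
    for name, data in samples.items():
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    by_ext, found_notes = triage(sample_root)
    print("locked files by original extension:", dict(by_ext))
    print("ransom note candidates:", found_notes)
```

Grouping by original extension gives a quick picture of which media types were hit (documents, pictures, archives) and therefore which backup sets need to be restored; the note paths are worth preserving alongside a quarantined sample, since the addresses in them are what researchers use to tie a case to a variant.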

Slowing Down the Profits of Digital Media Kidnapping

Because more than one group of threat actors is deploying the Rapid Ransomware, its infection methods may vary. Some of the most archetypal of the past year include compromised e-mail attachments and manual installation over RDP on networks compromised through brute-force attacks. Users who scan all their downloads with security solutions, maintain an awareness of potentially unsafe content (such as a website's JavaScript or a document's macros), and avoid weak passwords can protect their files from most infection strategies.
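The RDP brute-force vector mentioned above leaves a trail in the Windows Security log long before any file is encrypted: a burst of failed logons (Event ID 4625, logon type 10 for RemoteInteractive) from one source against several account names. The detector below is an added example, not code from the page; the failure threshold, the time window and the log records are all constructed for the demonstration, and the addresses come from the documentation ranges rather than from any real case.

```python
"""Flag password-guessing bursts against RDP in Windows logon-failure records.

Added example; not code from the original page. The page names RDP installation
on brute-forced networks as an infection method, so this scans constructed
Security-log records (Event ID 4625, logon type 10 = RemoteInteractive) and
reports any source address that reaches a failure threshold inside a sliding
time window. FAIL_THRESHOLD and WINDOW are assumed values to tune per site.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # failures from one source within WINDOW -> alert
WINDOW = timedelta(minutes=2)
RDP_LOGON_TYPE = 10

_BASE = datetime(2018, 1, 3, 2, 0, 0)

# Constructed sample of 4625 events: (timestamp, source_ip, target_user, logon_type).
# 203.0.113.7 and 198.51.100.4 are documentation-range addresses, not real hosts.
SAMPLE_4625 = [
    (_BASE + timedelta(seconds=0), "203.0.113.7", "administrator", 10),
    (_BASE + timedelta(seconds=10), "203.0.113.7", "administrator", 10),
    (_BASE + timedelta(seconds=20), "203.0.113.7", "admin", 10),
    (_BASE + timedelta(seconds=25), "198.51.100.4", "alice", 10),   # one typo by a user
    (_BASE + timedelta(seconds=30), "203.0.113.7", "admin", 10),
    (_BASE + timedelta(seconds=40), "203.0.113.7", "backup", 10),
    (_BASE + timedelta(seconds=50), "203.0.113.7", "guest", 10),
    (_BASE + timedelta(seconds=60), "198.51.100.4", "alice", 10),   # second typo
    (_BASE + timedelta(seconds=70), "10.0.0.5", "svc_backup", 4),   # batch logon, not RDP
]


def detect_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per source whose RDP failures reach `threshold` within `window`."""
    recent = defaultdict(deque)   # source_ip -> deque of (timestamp, user) inside window
    alerts, alerted = [], set()
    for ts, src, user, logon_type in sorted(events):
        if logon_type != RDP_LOGON_TYPE:
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:    # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "source": src,
                "failures": len(q),
                "users": sorted({u for _, u in q}),
                "first": q[0][0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_4625):
        print(alert)
```

The "users" list is the useful field for triage: a single account failing repeatedly is usually a forgotten password, while one source cycling through administrator, admin and backup is the pattern that precedes a manual ransomware install. Pair the alert with account lockout and a network-level RDP gateway rather than relying on the alert alone.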

The Rapid Ransomware's campaign is recently dated, with limited distribution and limited availability of samples to the AV sector. Victims without any other recourse may want to contact reputable researchers in the industry for consultation on whether or not developing a free decryption program is practical. In that event, you may want your anti-malware solutions to quarantine the Rapid Ransomware for future analysis instead of deleting it.

The New Year is off to a quick start with file-locker campaigns, reminding PC users that holidays aren't a good excuse for ignoring your backups. Trojans like the Rapid Ransomware and their extortionist administrators are fully capable of working while on 'vacation.'

Update 3.0

The Rapid 3.0 Ransomware is a variant of the Rapid Ransomware that has been active for just a few days and has already managed to find victims in a dozen countries around the globe. The threat does not feature any major code improvements compared to previously released variants, but the attackers appear to use a new TOR-based payment portal found at 'http://vgon3ggilr4vu32q.onion'. The people behind the Rapid 3.0 Ransomware are using spam e-mails to find victims. Their propagation method works by sending fraudulent messages from spoofed e-mail addresses so that the message appears to have been sent by a reputable company. Usually, the messages contain either a corrupted attachment or a download link that points the victim to the unsafe payload of the Rapid 3.0 Ransomware.

If the Rapid 3.0 Ransomware is executed on a PC without sufficient protection, the threat needs just a few minutes to complete its attack. This file-encryption Trojan targets a broad range of file formats, including but not limited to documents, images, archives, backups, videos and audio recordings. The Rapid 3.0 Ransomware's attack also wipes the Shadow Volume Copies, making it very unlikely that victims will be able to recover any of their files via third-party file restoration utilities. The ransom note does not reveal much, since its purpose is to refer the victim to a TOR-based payment page where victims can find out more about their recovery options. The attackers ask for a fixed ransom amount of 0.07 BTC and have provided a contact form, which victims can use to submit the Bitcoin transaction ID, their e-mail address, and the extension used to mark the encrypted files. In addition, the Rapid 3.0 Ransomware's authors have listed the address demonslay335@rape.lol as an alternate contact method.
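Wiping the Shadow Volume Copies is the step that turns a recoverable incident into an unrecoverable one, and it is also one of the most reliable detection points, because a user-delivered executable has no legitimate reason to delete them. The detector below is an added example, not code from the page: the page says only that the copies are wiped, not how, so the command patterns it matches are the common Windows shadow-copy deletion commands (an assumption about this family), the parent-path heuristic reflects the page's attachment-or-download delivery story, and the process-creation records are constructed Sysmon-style entries rather than real telemetry.

```python
"""Flag shadow-copy deletion in process-creation telemetry.

Added example; not code from the original page. The page states that the Rapid
3.0 Ransomware wipes the Shadow Volume Copies but does not say how. The command
patterns below are the usual Windows ways of deleting shadow copies (an
assumption about this family, not a fact from the page), and the records are
constructed Sysmon-style Event ID 1 entries, not real telemetry.
"""
import re

# (rule name, regex over the full command line)
SHADOW_DELETE_RULES = [
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic shadowcopy delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
]

# Parent images under user-writable paths fit the page's delivery story
# (mail attachment or download executed by the user) and raise severity.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

SAMPLE_EVENTS = [
    {"ts": "2018-01-03T10:01:02", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet",
     "parent": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice_2018.exe"},
    {"ts": "2018-01-03T10:05:40", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmd": "vssadmin.exe list shadows",
     "parent": "C:\\Windows\\System32\\cmd.exe"},            # benign admin query
    {"ts": "2018-01-03T10:07:11", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmd": "wmic.exe shadowcopy delete",
     "parent": "C:\\Windows\\System32\\cmd.exe"},            # admin-run, still noteworthy
    {"ts": "2018-01-03T10:09:00", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmd": "notepad.exe C:\\Users\\alice\\Documents\\notes.txt",
     "parent": "C:\\Windows\\explorer.exe"},                 # ordinary activity
]


def is_user_writable(path):
    """True when the path sits under a directory an ordinary user can write to."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def detect_shadow_deletion(events):
    """Return hits; severity is 'high' when the parent ran from a user-writable path."""
    hits = []
    for ev in events:
        for rule, rx in SHADOW_DELETE_RULES:
            if rx.search(ev["cmd"]):
                hits.append({
                    "ts": ev["ts"],
                    "rule": rule,
                    "severity": "high" if is_user_writable(ev["parent"]) else "medium",
                    "parent": ev["parent"],
                    "cmd": ev["cmd"],
                })
                break
    return hits


if __name__ == "__main__":
    for hit in detect_shadow_deletion(SAMPLE_EVENTS):
        print(hit["severity"].upper(), hit["ts"], hit["rule"], "<-", hit["parent"])
```

A medium-severity hit from an administrator's shell still deserves a look, but the high-severity case (deletion spawned from a file in Temp or Downloads) is the one to auto-isolate on, since the page's timeline gives only minutes between execution and completed encryption.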

Although the price of 0.07 BTC (about $600) might seem reasonable, we advise victims not to send any money to these people since the chance of being tricked is too high. The recommended way to deal with undecryptable ransomware is to use a trustworthy anti-virus tool to dispose of the threatening software and prevent it from causing any more damage. Sadly, this will not undo the damage caused to the files. However, we advise victims of the threat to save all locked data since its decryption might become possible in the future.

Technical Details

Additional Information

The following URLs were detected:
anyfinder.xyz
