What is Rapid Ransomware?
The first outbreak of Rapid ransomware happened in late December 2017, and attacks gathered momentum into early 2018. There have been several updates to the Rapid ransomware payload, particularly in the first few months after release. This activity suggests that the malware authors operated a paid ransomware-as-a-service operation, most likely distributed over the dark web.
There have been several versions of Rapid ransomware. Rapid 1.0 was the initial strain, first identified in December 2017 through January of 2018. Rapid 2.0 followed in March 2018. The second version excluded all Russian-speaking countries by default, and the code updated to use of SHA-256 cipher encryption. In May of 2018, Rapid version 3.0 appeared, targeting solely English-speaking users. The ransomware demand was also exclusively set at 0.7 bitcoin (about $6000 today). Rapid 4.0, sometimes abbreviated to RDP, appeared in June of 2018. This version introduced a unique ID key, created to personalize the ransomware to the victim.
Rapid ransomware is particularly nasty, as even after initial encryption, the malware still functions in memory and encrypts any new files added to the operating system by the user. This unique technique, sometimes referred to as “realtime ransomware,” renders the victim’s computer practically unusable as long as Rapid remains on the system. Rapid ransomware attacks Microsoft Windows platforms, with Windows Server and Windows 10 being specifically targeted.
How Does Rapid Ransomware Work?
The primary delivery method for the Rapid ransomware is through a malicious spam email campaign. There are some reports of threat actors embedding the malware within fake website downloads and inside BitTorrent websites, but the majority of the impact has been the result of email trojans.
Initially, Rapid ransomware targeted users from the United States and some English–speaking parts of Europe. Fake Internal Revenue Service (IRS) emails containing the malware payload embedded inside a malicious zip attachment were a standard distribution method.
When the user opens the Rapid ransomware attachment, several hidden PowerShell processes spawn immediately, and the malware attempts to copy itself to any available admin shares. Rapid then attempts to delete Windows VSS shadow copies to prevent the victim from performing a system rollback after infection.
Next, a scheduled task is created to start the malware agent, and the Windows registry is updated to ensure the malicious agent starts upon boot-up. The ransomware then kills or disables any installed antivirus software and generates the encryption keys before encrypting the user’s files as well as any network-attached drives. Matrix stores its public and private encryption keys inside the Windows registry, located at HKCU\Software\EncryptKeys. All user files, such as pictures, documents, and databases, are next encrypted with the “.rapid” file extension.
How Do I Prevent Rapid Ransomware?
Educating users is the best way to limit the impact of any strain of ransomware. Like many other types of ransomware, Rapid spreads through a malicious email campaign that requires the user to open an infected attachment. Organizations should educate users to be extremely vigilant when opening any form of attachment.
Users need to know that the sender is from a known source, and users must assess each email before opening. Educate employees to consider questions like, “Am I expecting anything from the IRS?” and “Have I ever dealt with the IRS before?” Prior awareness of ransomware vector strategies will most likely encourage educated users to delete such an email upon arrival.
Fortunately, it is relatively easy to recognize the scam email used to spread the Rapid ransomware. The scam’s email message typically impersonated the IRS, and the IRS explicitly states on all public media that they do not contact users by email or text message. While the IRS is in the United States, some of the scam emails spoofed British local governments and UK–based email addresses.
Backups are an essential strategy to stay one step ahead of the threat of ransomware. Often the only way to roll back from a ransomware outbreak is to restore the system from a backup. Having the ability to restore an entire computer infrastructure from backup or to leverage a disaster recovery solution can mitigate the significant risk associated with ransomware.
The system administrator must keep all servers patched to the latest security levels. Ensure that your version Microsoft Windows is protected against the very latest known vulnerabilities by turning on automatic updates. Additionally, maintain daily antivirus updates and consider deploying an integrated anti-malware and endpoint monitoring technologies.
How Do I Remove Rapid Ransomware?
Unfortunately, there is no publicly available Rapid ransomware decryptor. If you are in the untenable position of not having a backup, and you urgently need your files, we recommend you contact the incident response experts at Tetra Defense.
Tetra Defense prioritizes restoration to get businesses back to where they were before the ransomware attack. We approach ransomware restoration and investigations simultaneously, so you return to normal operations at the same time you are getting answers.
Our teams are standing by to focus on what matters most: your business. We will investigate the ransomware outbreak and perform an initial assessment to identify the optimal course of action in response to the incident. If deemed necessary, we can conduct ransom negotiations and facilitate ransom payments as a last resort.
We remove the threat from your systems and conduct malware scans and network threat hunting. Tetra leverages each incident to learn from the ransomware attack and discover the root cause. Once we obtain the decryption keys, we decrypt the data and get systems restored to full functionality as quickly as possible. We also ensure that your network is secure from the vulnerabilities that allowed the ransomware attack to happen.