RAPID RANSOMWARE
Introduction
Rapid ransomware first appeared in 2017, distributed through phishing campaigns of fake Internal Revenue Service (IRS) emails carrying a malicious zip attachment.
Attacks involving the active variants of Rapid ransomware have been frequent and have been recorded against small to medium-sized organisations in many countries, including the USA and across Europe.
There is no decryptor for any of the active variants of Rapid ransomware. The average ransom demanded is $9250, payable through the email addresses or Tor chat links provided in the ransom note.
Modus Operandi
Initial access
The threat actor sends a phishing email with a malicious zip attachment containing the Rapid ransomware payload, although there have also been reports of the malware being embedded in fake website downloads and on BitTorrent sites.
Installation
When a target opens the malicious zip attachment, a PowerShell process is spawned and Rapid attempts to copy itself to any reachable admin shares. Once the threat actor has remote access to the network, the payload is downloaded to a compromised machine and installs itself into “%APPDATA%/Roaming/” under the name “info.exe”. It registers itself in the system registry as an auto-run item so that it executes each time the compromised machine starts, which lets it check for newly created files and encrypt them. The threat actor also uses the Windows utility “bcdedit.exe” to disable Windows automatic repair mode.
Rapid attempts to kill processes and stop services related to antivirus, database, backup and document-editing software, working from a predefined list of service and process names and executing “taskkill” and “net stop”. It then scans the network for shadow copies and deletes any it finds, so that victims cannot recover their encrypted files from them.
Encryption
In preparation for encryption, Rapid attempts to terminate anything related to databases such as SQL and Oracle that holds the database files open, so that it can gain access to those files. Rapid then encrypts every file it finds on fixed, removable and network drives. For each file it generates a unique 256-bit AES key, encrypts that key with a hardcoded RSA public key, then encrypts the file with the AES key and overwrites the original content with the encrypted content. Finally it appends the extension ‘.rapid’ to the name of every encrypted file.
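The installation and encryption behaviours described above translate directly into host-based detections. The following is an added example written for this page, not code from the report or from any vendor; the event layout, user name, service names and the Run key path are assumptions, and the sample records are constructed rather than real telemetry.

```python
import re

# Constructed sample telemetry, not real logs: each dict is a simplified
# process-creation ("proc"), registry-set ("reg") or file-rename ("file")
# record. The user name, service names and the Run key path are assumptions.
EVENTS = [
    {"type": "proc", "parent": "powershell.exe", "image": "taskkill.exe",
     "cmd": "taskkill /F /IM sqlservr.exe"},
    {"type": "proc", "parent": "powershell.exe", "image": "net.exe",
     "cmd": "net stop MSSQLSERVER"},
    {"type": "proc", "parent": "powershell.exe", "image": "bcdedit.exe",
     "cmd": "bcdedit.exe"},
    {"type": "reg", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\alice\AppData\Roaming\info.exe"},
    {"type": "file", "old": r"C:\Users\alice\Documents\q1.xlsx",
     "new": r"C:\Users\alice\Documents\q1.xlsx.rapid"},
    {"type": "proc", "parent": "explorer.exe", "image": "notepad.exe",
     "cmd": "notepad.exe"},  # benign, must not match
]

# Substrings of the software families the report says Rapid stops
# (antivirus, database, backup, document editing); assumed sample set.
TARGETED = ("sql", "oracle", "backup", "antivirus")

# Rapid registers %APPDATA%/Roaming/info.exe as an auto-run entry.
AUTORUN_PATH = re.compile(r"\\appdata\\roaming\\info\.exe$", re.IGNORECASE)


def match_event(ev):
    """Return the name of the Rapid behaviour an event matches, or None."""
    if ev["type"] == "proc":
        cmd = ev["cmd"].lower()
        kills = ev["image"] == "taskkill.exe" or cmd.startswith("net stop")
        if kills and any(t in cmd for t in TARGETED):
            return "service_kill"       # taskkill / net stop against AV, DB, backup
        if ev["image"] == "bcdedit.exe" and ev["parent"] == "powershell.exe":
            return "repair_disable"     # bcdedit spawned from the phishing PowerShell
    elif ev["type"] == "reg":
        if ev["key"].endswith(r"\CurrentVersion\Run") and AUTORUN_PATH.search(ev["value"]):
            return "autorun_persistence"
    elif ev["type"] == "file" and ev["new"].lower().endswith(".rapid"):
        return "rapid_extension"        # encrypted file renamed with the .rapid suffix
    return None


def triage(events):
    """Summarise matches; alert when encryption follows service/backup tampering."""
    hits = [m for m in map(match_event, events) if m]
    prep = {"service_kill", "repair_disable", "autorun_persistence"} & set(hits)
    return {"hits": hits, "alert": bool(prep) and "rapid_extension" in hits}
```

Correlating the preparatory steps with the first “.rapid” rename keeps a lone “net stop” by an administrator from paging anyone, while still firing early in the encryption run.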