Installation

When the targets open the malicious zip fie attachment, it causes a PowerShell process to be spawned and cause Rapid attempts to copy itself to any available admin shares. After the threat actor has gained remote access to the network, the payload downloaded to a compromised machine and then installs itself into “%APPDATA%/Roaming/” under the name of “info.exe” and configures itself into the system registry as an auto-run item so it will run whenever the compromised machine starts and therefore has the ability to check for newly created files and encrypt them. The threat actor also uses the windows utility “bcdedit.exe” to disable windows automatic repair mode.
Rapid will attempt to kill processes and stop services related to antivirus, database, backup, and document editing software from a list of predefined service and process names by executing “taskkill” and “net stop”. And then Rapid attempts to scan the network for shadow copies and then deletes any shadow copies that were found to ensure that the victims will not be able to recover their encrypted files.

Encryption

In preparation for encryption, Rapid attempts to terminates any files related to databases like SQL and Oracle to allow for Rapid to gain access to the database files. Then Rapid starts to encrypt all found files on fixed, removable, and network drives. Rapid ransomware generates a unique AES 256-bit key for every file and then encrypts the AES key with the hardcoded RSA public key. Then Rapid encrypts files with the AES file key and overwrites the original content with the encrypted content. Finally Rapid adds the extension ‘.rapid’ to every filename of each file encrypted.