LUPike, posted February 8, 2018: I have a PC (and data on a couple of network shares) that have been encrypted by Rapid/Paymeme. The ransomware set VSS to a limit of 0, then restarted the volsnap service and then stopped VSS (resulting in no previous versions on the local PC). It targeted a long list of typical file extensions, including image files (png, jpg, etc...), document files (txt, xls, xlsx, doc, etc...), data storage files (dbf, mdb, pst, etc...), and application files (exe, dll, etc...). The information I have discovered so far shows that the encryption is performed by a process (named either rapid.exe or info.exe, and running as a user account and NOT as system). Stopping the 'infection' simply means killing that process. I have done that. I have already run 'SpyHunter Malware' (recommended by another forum with several infections on it). That software did discover the registry entries for the software and the executable, and 'cleaned' them. The initial executable appears to have been a file in %Username%\desktop\Rapid-RU2.exe. Is anyone at Emsisoft familiar with this threat? Are there existing decryptors available? Thanks, -LUPike
GT500, posted February 9, 2018: 7 hours ago, LUPike said: I have already run 'SpyHunter Malware' (recommended by another forum with several infections on it). That software did discover the registry entries for the software and the executable, and 'cleaned' them. The initial executable appears to have been a file in %Username%\desktop\Rapid-RU2.exe. I would recommend avoiding SpyHunter when dealing with ransomware. While it may not always be the case, there was at least one incident in the past where SpyHunter deleted information critical to recovery of encrypted files, which suggests that their analysis of the ransomware may not have been very thorough. We recommend getting started by uploading a copy of the ransom note and an encrypted file to ID Ransomware to see what it says about the ransomware you're dealing with: https://id-ransomware.malwarehunterteam.com/ You can paste the link to the results here if you'd like for me to review them as well.
LUPike, posted February 9, 2018: Files attached. My post was "LITERALLY" the first on Emsisoft for rapid. This variant hasn't been out very long, and very few outlets have any information on it. Let's try to capture as much info as possible. FYI... the website the email and DNS are hosted through (rape.lol) is with a hosting company in Romania. A side-bar (has been reported as an alternate email address for the ransom) is 'cock.li'. That domain is registered through an individual (?) in Maine. ...someone please find me an address to these SOB's... I want to pay them a visit. Attached files: Analog Clock-Google.gg.rapid, Defaults.ini.rapid, sdb1m.inf.rapid, WelcomeFax.tif.rapid
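As an added defender-side triage script (not code from this thread, from Emsisoft, or from any project the thread mentions): it checks whether the encryption process named in the first post is still running, reports the state of the Volume Shadow Copy service and shadow-storage limits that the post says the ransomware tampered with, and inventories files carrying the .rapid extension seen in the attached file names. The rapid/info process names and the .rapid suffix come from the thread; the scan roots, the "suspiciously small" shadow-storage threshold and the CSV output path are assumptions.

```powershell
# Added triage script for a Rapid-style infection (not from the thread).
# Assumptions: encrypted files keep their original name with ".rapid" appended
# (as the attachments suggest); process names rapid/info come from the first post.
# Run in an elevated PowerShell session on the affected host.
param(
    [string[]]$ScanRoots = @("$env:USERPROFILE"),      # assumption: add share paths as needed
    [string[]]$SuspectProcesses = @('rapid', 'info'),  # process names reported in the thread
    [string]$InventoryCsv = "$env:USERPROFILE\rapid-inventory.csv",  # assumed output path
    [long]$SmallShadowStorage = 1GB                     # assumed threshold for "limit set to ~0"
)

# 1. Is the encryption process still running? Report only; stopping it is a separate decision.
$running = Get-Process -Name $SuspectProcesses -ErrorAction SilentlyContinue
if ($running) {
    Write-Warning "Suspect process still running (stop it before doing anything else):"
    $running | Select-Object Name, Id, Path, StartTime | Format-Table -AutoSize
} else {
    Write-Host "No process named $($SuspectProcesses -join '/') is running."
}

# 2. Volume Shadow Copy service state and shadow-storage limits per volume.
#    The first post reports the limit being set to 0 and the service stopped.
$vss = Get-Service -Name VSS
Write-Host "VSS service status: $($vss.Status) (StartType $($vss.StartType))"

$storage = Get-CimInstance -ClassName Win32_ShadowStorage -ErrorAction SilentlyContinue
if (-not $storage) {
    Write-Warning "No shadow-storage associations found: previous versions are unavailable."
}
foreach ($s in $storage) {
    $maxGb = [math]::Round($s.MaxSpace / 1GB, 2)
    $line = "Shadow storage for $($s.Volume.DeviceID): MaxSpace=$maxGb GB, Used=$([math]::Round($s.UsedSpace / 1GB, 2)) GB"
    if ($s.MaxSpace -lt $SmallShadowStorage) {
        Write-Warning "$line  <-- limit is suspiciously small; consistent with deliberate tampering"
    } else {
        Write-Host $line
    }
}

# 3. Count remaining shadow copies (0 is expected after the tampering the post describes).
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
Write-Host "Shadow copies present: $($shadows.Count)"

# 4. Inventory encrypted files by the original extension hidden under ".rapid",
#    so the scope of the damage is known before any recovery attempt.
$encrypted = @(foreach ($root in $ScanRoots) {
    Get-ChildItem -Path $root -Recurse -File -Filter '*.rapid' -ErrorAction SilentlyContinue
})
Write-Host "Encrypted files found under $($ScanRoots -join ', '): $($encrypted.Count)"

if ($encrypted.Count -gt 0) {
    # "Defaults.ini.rapid" -> BaseName "Defaults.ini" -> original extension ".ini"
    $encrypted |
        Group-Object { $e = [IO.Path]::GetExtension($_.BaseName); if ($e) { $e.ToLower() } else { '(none)' } } |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'OriginalExtension'; e = { $_.Name } } |
        Format-Table -AutoSize

    # Earliest/latest write times bound the encryption window for the incident timeline.
    $sorted = $encrypted | Sort-Object LastWriteTime
    Write-Host "Encryption window (approx.): $($sorted[0].LastWriteTime) to $($sorted[-1].LastWriteTime)"

    # Full list for scoping restores from backup or from unaffected share snapshots.
    $encrypted | Select-Object FullName, Length, LastWriteTime |
        Export-Csv -Path $InventoryCsv -NoTypeInformation
    Write-Host "Inventory written to $InventoryCsv"
}
```

The script only reads state and writes a CSV; it does not delete or rename anything, so it can be run before the machine is imaged or before samples are uploaded to ID Ransomware as GT500 suggests. Pass mapped share paths in `-ScanRoots` to cover the network shares mentioned in the first post.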
LUPike, posted February 9, 2018: I stand corrected (beat you to it)... the owner of cock.li and rape.lol is Vincent Canfield. He lived in Maine, but apparently is now living in Romania... so, not surprising this stuff came from there. Apparently his services have already made mainstream news.
GT500, posted February 10, 2018: 22 hours ago, LUPike said: FYI... the website the email and DNS are hosted through (rape.lol) is with a hosting company in Romania. A side-bar (has been reported as an alternate email address for the ransom) is 'cock.li'. That domain is registered through an individual (?) in Maine. ...someone please find me an address to these SOB's... I want to pay them a visit. It's probably either falsified information, or someone abusing a service provided by someone else. If the criminals making the ransomware are that stupid, then they'll be easy for law enforcement to catch. It looks like there's no way to decrypt the files for free. They use secure encryption, and while their method for handling the private key is a bit odd, it still keeps us from being able to decrypt files without getting information from the ransomware's creators.
LUPike, posted February 10, 2018: 7 hours ago, GT500 said: It's probably either falsified information, or someone abusing a service provided by someone else. If the criminals making the ransomware are that stupid, then they'll be easy for law enforcement to catch. It looks like there's no way to decrypt the files for free. They use secure encryption, and while their method for handling the private key is a bit odd, it still keeps us from being able to decrypt files without getting information from the ransomware's creators. Thanks GT500.