LUPike

Rapid Ransomware


I have a PC (and data on a couple of network shares) that have been encrypted by Rapid/Paymeme. The ransomware set VSS to a limit of 0, then restarted the volsnap service and then stopped VSS (resulting in no previous versions on the local PC). It targeted a long list of typical file extensions, including image files (png, jpg, etc...), document files (txt, xls, xlsx, doc, etc...), data storage files (dbf, mdb, pst, etc...), and application files (exe, dll, etc...). The information I have discovered so far shows that the encryption is performed by a process (named either rapid.exe or info.exe, and running as a user account and NOT as system). Stopping the 'infection' simply means killing that process. I have done that.

I have already run 'SpyHunter Malware' (recommended by another forum with several infections on it). That software did discover the registry entries for the software and the executable, and 'cleaned' them. The initial executable appears to have been a file in %Username%\desktop\Rapid-RU2.exe.

Is anyone at Emsisoft familiar with this threat? Are there existing decryptors available?

Thanks,

-LUPike
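A defender-side triage script for the behaviour described in this post; it is an added example, not code from the thread or from Emsisoft. It assumes an elevated Windows PowerShell 5.1 session on the affected host; the process names, the .rapid extension and the VSS limit of 0 come from the post, while the search roots are assumptions to adjust.

```powershell
# Added triage script (not from the thread). Assumes elevated Windows PowerShell 5.1 on the affected host.
# Process names, the .rapid extension and the zeroed VSS limit come from the post; paths are assumptions.

# 1. VSS service state: the post reports the service being restarted and then stopped.
$vss = Get-Service -Name VSS
"VSS service status: $($vss.Status) (StartType: $($vss.StartType))"

# 2. Shadow storage limits per volume: a MaxSpace of 0 matches the described tampering.
foreach ($ss in Get-CimInstance -ClassName Win32_ShadowStorage) {
    $volId = if ($ss.Volume -is [Microsoft.Management.Infrastructure.CimInstance]) { $ss.Volume.DeviceID } else { $ss.Volume }
    $flag  = if ($ss.MaxSpace -eq 0) { 'SUSPICIOUS: limit set to 0' } else { 'ok' }
    "Shadow storage for {0}: MaxSpace={1} UsedSpace={2} -> {3}" -f $volId, $ss.MaxSpace, $ss.UsedSpace, $flag
}

# 3. Remaining shadow copies (previous versions). Zero on the local PC is what the post describes.
$copies = @(Get-CimInstance -ClassName Win32_ShadowCopy)
"Shadow copies present: $($copies.Count)"
$copies | Select-Object ID, InstallDate, VolumeName | Format-Table -AutoSize

# 4. Encryption process: the post names rapid.exe / info.exe running under a user account, not SYSTEM.
#    Report only; verify ExecutablePath before acting, since info.exe is also a plausible legitimate name.
$procs = @(Get-CimInstance -ClassName Win32_Process -Filter "Name='rapid.exe' OR Name='info.exe'")
foreach ($p in $procs) {
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    "Process {0} (PID {1}) owner={2}\{3} path={4}" -f $p.Name, $p.ProcessId, $owner.Domain, $owner.User, $p.ExecutablePath
}
if ($procs.Count -eq 0) { "No rapid.exe / info.exe process running." }

# 5. Scope of encryption: count files carrying the .rapid extension (e.g. Defaults.ini.rapid),
#    grouped by the original extension, under the given roots (local profile plus affected shares).
$roots = @("$env:USERPROFILE")   # assumption: add UNC paths of the affected network shares here
Get-ChildItem -Path $roots -Recurse -Filter '*.rapid' -File -ErrorAction SilentlyContinue |
    Group-Object { [System.IO.Path]::GetExtension($_.BaseName).ToLowerInvariant() } |
    Sort-Object Count -Descending |
    Select-Object @{n='OriginalExt';e={$_.Name}}, Count |
    Format-Table -AutoSize
```

Run it before any cleanup tool touches the machine, so the shadow-storage and process evidence is recorded while it still exists.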

7 hours ago, LUPike said:

I have already run 'SpyHunter Malware' (recommended by another forum with several infections on it). That software did discover the registry entries for the software and the executable, and 'cleaned' them. The initial executable appears to have been a file in %Username%\desktop\Rapid-RU2.exe.

I would recommend avoiding SpyHunter when dealing with ransomware. While it may not always be the case, there was at least one incident in the past where SpyHunter deleted information critical to recovery of encrypted files, which suggests that their analysis of the ransomware may not have been very thorough.


We recommend getting started by uploading a copy of the ransom note and an encrypted file to ID Ransomware to see what it says about the ransomware you're dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste the link to the results here if you'd like for me to review them as well.


Files attached.

My post was "LITERALLY" the first on Emsisoft for rapid. This variant hasn't been out very long, and very few outlets have any information on it. Let's try to capture as much info as possible.

FYI... the website the email and DNS is hosted through (rape.lol) is through a hosting company in Romania. A side-bar (has been reported as an alternate email address for the ransom) is 'cock.li'. That domain is registered through an individual (?) in Maine.

...someone please find me an address to these SOBs... I want to pay them a visit.

Analog Clock-Google.gg.rapid
Defaults.ini.rapid
sdb1m.inf.rapid
WelcomeFax.tif.rapid


I stand corrected (beat you to it)... the owner of cock.li and rape.lol is Vincent Canfield. He lived in Maine, but apparently is now living in Romania... so, not surprising this stuff came from there. Apparently his services have already made mainstream news.

22 hours ago, LUPike said:

FYI... the website the email and DNS is hosted through (rape.lol) is through a hosting company in Romania. A side-bar (has been reported as an alternate email address for the ransom) is 'cock.li'. That domain is registered through an individual (?) in Maine.

...someone please find me an address to these SOBs... I want to pay them a visit.

It's probably either falsified information, or someone abusing a service provided by someone else. If the criminals making the ransomware are that stupid, then they'll be easy for law enforcement to catch.


It looks like there's no way to decrypt the files for free. They use secure encryption, and while their method for handling the private key is a bit odd, it still keeps us from being able to decrypt files without getting information from the ransomware's creators.

7 hours ago, GT500 said:

It's probably either falsified information, or someone abusing a service provided by someone else. If the criminals making the ransomware are that stupid, then they'll be easy for law enforcement to catch.


It looks like there's no way to decrypt the files for free. They use secure encryption, and while their method for handling the private key is a bit odd, it still keeps us from being able to decrypt files without getting information from the ransomware's creators.

Thanks GT500.
