First discovered in January 2018, Rapid Ransomware appends .rapid to the names of encrypted files and drops a ransom note named How Recovery Files.txt onto the desktop and in various folders on infected systems. After it completes the initial encryption process, Rapid Ransomware stays active, looking for any newly created files, and encrypts them as well. It does this by creating autoruns designed to launch the ransomware and display the ransom note every time the infected system is started. Rapid Ransomware terminates database processes including sql.exe, sqlite.exe, and oracle.com, clears Windows shadow volume copies, and disables automatic repair. According to the online ransomware identification service ID Ransomware, over 300 files associated with Rapid Ransomware infections have been submitted to its database since January 3, 2018, suggesting this is a very active campaign. It is currently unknown how this variant is distributed.
2/12/2018: A malspam campaign is now distributing Rapid Ransomware via emails that appear to be official correspondence from the Internal Revenue Service (IRS). Zip files attached to these emails contain a malicious Word document that will download Rapid Ransomware if macros are enabled to run. Encrypted files are appended with .rapid, and several ransom notes named recovery.txt are created and opened in Notepad.
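The file and recovery-tampering behaviors described above can be turned into a simple host triage check. The following is an added example, not part of the original profile: the event schema (`host`, `type`, `path`, `cmdline`) is hypothetical, the sample events are constructed, and the `vssadmin`/`bcdedit` patterns are an assumption about how the shadow-copy and automatic-repair changes would appear, since the profile names no commands.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators stated in the profile above.
ENCRYPTED_EXT = ".rapid"
NOTE_NAMES = {"how recovery files.txt", "recovery.txt"}
# Assumption: vssadmin and bcdedit are the standard Windows utilities for the
# shadow-copy and automatic-repair changes; the profile names no commands.
RECOVERY_TAMPER = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows?|bcdedit(\.exe)?\s.*recoveryenabled\s+no",
    re.IGNORECASE)

def triage(events, min_encrypted=3):
    """Return {host: findings} for hosts whose events match the profile."""
    seen = defaultdict(lambda: {"encrypted": 0, "notes": set(), "tamper": []})
    for ev in events:  # hypothetical schema: host, type, path or cmdline
        host = seen[ev["host"]]
        if ev["type"] == "file_create":
            name = PureWindowsPath(ev["path"]).name.lower()
            if name in NOTE_NAMES:
                host["notes"].add(ev["path"])
            elif name.endswith(ENCRYPTED_EXT):
                host["encrypted"] += 1
        elif ev["type"] == "process_create" and RECOVERY_TAMPER.search(ev["cmdline"]):
            host["tamper"].append(ev["cmdline"])
    # One *.rapid file is weak evidence: require volume plus a note or tampering.
    return {h: f for h, f in seen.items()
            if f["encrypted"] >= min_encrypted and (f["notes"] or f["tamper"])}

# Constructed sample events, not taken from a real incident.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "file_create", "path": r"C:\Users\a\Documents\q1.xlsx.rapid"},
    {"host": "WS01", "type": "file_create", "path": r"C:\Users\a\Documents\plan.docx.rapid"},
    {"host": "WS01", "type": "file_create", "path": r"C:\Users\a\Pictures\scan.jpg.rapid"},
    {"host": "WS01", "type": "file_create", "path": r"C:\Users\a\Desktop\How Recovery Files.txt"},
    {"host": "WS01", "type": "process_create", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "WS02", "type": "file_create", "path": r"D:\builds\engine.rapid"},
    {"host": "WS03", "type": "file_create", "path": r"C:\Temp\recovery.txt"},
]

if __name__ == "__main__":
    for host, f in triage(SAMPLE_EVENTS).items():
        print(host, f["encrypted"], sorted(f["notes"]), f["tamper"])
```

Requiring several `.rapid` files together with a ransom note or a recovery-tampering command keeps a lone file that happens to use the extension, or an unrelated recovery.txt, from flagging a host.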
Email addresses associated with Rapid Ransomware:
email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com.
- Bleeping Computer provides additional information on Rapid Ransomware here.
- The NJCCIC is not currently aware of any free decryption tools available for Rapid Ransomware.