Rapid 2.0 Ransomware

Posted: March 27, 2018

Rapid 2.0 Ransomware Description

The Rapid 2.0 Ransomware is an update of the Rapid Ransomware, a RaaS-based threat that the con artists can rent for locking the files of their victims with encryption. This data-encrypting attack can render the user's data unusable, potentially, until they pay a ransom. Potential victims should uphold stringent network security standards and keep backups to reduce this risk, and always use anti-malware programs for removing the Rapid 2.0 Ransomware safely from any compromised PC.

Rapid Updates to Trojan Rental Services

The authors of the Ransomware-as-a-Service family of the Rapid Ransomware are issuing an update to the Rapid 2.0 Ransomware, that shows slightly different behavior from the Trojan's first version. However, its identifying attacks are unaltered: using data encryption for blocking the digital media of any victims, and, then, dropping ransom demands in Notepad files. Malware experts are estimating that the Rapid 2.0 Ransomware is in live deployment against the servers of entities in the business sector, with one, specific exception.

The Rapid 2.0 Ransomware employs a GetLocale function for determining the infected PC's region, and self-terminates without launching its payload if it identifies the machine as being Russian. This filtering mechanism is a typical inclusion for threat actors trying to avoid drawing the attention of Russian law enforcement, which, traditionally, ignores the operations of cyber-crooks targeting foreigners. However, this filter doesn't protect any PCs elsewhere.

With that caveat, the Rapid 2.0 Ransomware, otherwise, launches data-encrypting attacks of high similarity to the Rapid Ransomware's AES-based ones. This version of the Trojan generates a new extension in each infection, and also overwrites the rest of the filename of any data that it locks. The Rapid 2.0 Ransomware finishes by creating a Notepad ransom note in the same folder as the encrypted media, which gives the victim an e-mail address for negotiating. Malware experts discourage that solution, as a result of the unreliability of depending on threat actors for delivering services after the victim pays them by non-refundable means.

Slowing Down the Rapid 2.0 Ransomware's Collection of Ransoms

While malware experts are rating the Rapid 2.0 Ransomware as mostly operational in status, its threat actors are omitting any code obfuscation or packing methods that would conceal the Trojan's identity and encryption routine. Therefore, more work is anticipated on the Rapid 2.0 Ransomware before it begins deploying itself in significant numbers. In the past, the Rapid 2.0 Ransomware's family has used different infection methods, as per its 'client' threat actors' preferences, including IRS-themed spam e-mail. Victims should monitor e-mail messages for attachments that could include hostile content, such as macros.

A free decryption service for the Rapid 2.0 Ransomware doesn't, and may never exist. Users without backups always take the risk of having their files blocked by non-consensual encryption methods that Trojans like the Rapid 2.0 Ransomware can implement in seconds, without any warning signs. Malware experts also warn that many threat actors are targeting Russian-based systems, despite the Rapid 2.0 Ransomware's configuration for avoiding the residents of that nation. Having a backup and keeping anti-malware programs for deleting the Rapid 2.0 Ransomware preemptively are the best forms of protection.

The beginning stage of the Rapid 2.0 Ransomware's roll-out tells malware experts a little more about how its RaaS business operates, but that details may not mean much to those whose documents and other media it damages. Russians may not need to worry about the Rapid 2.0 Ransomware, but there are other file-locking Trojans interested in sabotaging their data, in its place.

Update 3.0

The Rapid 3.0 Ransomware is a variant of the Rapid Ransomware, which has been active for just a few days and has already managed to find victims in a dozen countries around the globe. The threat does not future any major code improvements compared to previously released variants, but the attackers appear to use a new TOR-based payment portal found at 'http://vgon3ggilr4vu32q.onion.' The people behind the Rapid 3.0 Ransomware are using spam e-mails to find victims. Their propagation method works by sending fraudulent messages from spoofed e-mail addresses so that the message would seem as if it was sent by a reputable company. Usually, the messages contain either a corrupted attachment or a download link, which points the victim to the unsafe payload of the Rapid 3.0 Ransomware.

If the Rapid 3.0 Ransomware is executed on a PC without sufficient protection, the threat will need just a few minutes to complete its attack. This file-encryption Trojan targets a broad range of file formats including but not limited to documents, images, archives, backups, videos and audio recordings. The Rapid 3.0 Ransomware's attack also will wipe the Shadow Volume Copies, therefore making it very unlikely that the victims will be able to recover any of their files via 3rd-party file restoration utilities. The ransom note does not reveal much since its purpose is to refer the victim to a TOR-based payment page where victims can find out more about their recovery options. The attackers ask for a fixed ransom amount of 0.07 BTC and have provided a contact form, which victims can use to submit the Bitcoin transaction ID, their e-mails, and the extension used to mark the encrypted files. In addition to this, the Rapid 3.0 Ransomware's authors have listed the address demonslay335@rape.lol as an alternate contact method.

Although the price of 0.07 BTC (about $600) might seem reasonable, we advise victims not to send any money to these people since the chance of being tricked is too high. The recommended way to deal with undecryptable ransomware is to use a trustworthy anti-virus tool to dispose of the threatening software and prevent it from causing any more damage. Sadly, this will not undo the damage caused to the files. However, we advise victims of the threat to save all locked data since its decryption might become possible in the future.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Rapid 2.0 Ransomware may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Home Malware Programs Ransomware Rapid 2.0 Ransomware

Leave a Reply

Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter. If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.