
Rapid 2.0 Ransomware

Posted: March 27, 2018

Threat Metric

Ranking: 15,861
Threat Level: 2/10
Infected PCs: 21
First Seen: April 9, 2023
Last Seen: October 14, 2023
OS(es) Affected: Windows

The Rapid 2.0 Ransomware is an update of the Rapid Ransomware, a Ransomware-as-a-Service (RaaS) threat that criminals rent for encrypting their victims' files. The attack can render the user's data unusable until a ransom is paid, and paying gives no guarantee of recovery. Potential victims should uphold stringent network security standards and keep offline backups to reduce this risk, and should use anti-malware programs to remove the Rapid 2.0 Ransomware safely from any compromised PC.

Rapid Updates to Trojan Rental Services

The authors of the Rapid Ransomware's Ransomware-as-a-Service family have issued an update, the Rapid 2.0 Ransomware, which shows slightly different behavior from the Trojan's first version. Its identifying attacks are unaltered, however: encrypting the victim's files and then dropping ransom demands in plain text (Notepad) files. Malware experts estimate that the Rapid 2.0 Ransomware is in live deployment against the servers of businesses, with one specific exception.

The Rapid 2.0 Ransomware employs a GetLocale function to determine the infected PC's configured region, and terminates itself without launching its payload if it identifies the machine as Russian. This filtering mechanism is a typical inclusion for threat actors trying to avoid the attention of Russian law enforcement, which traditionally ignores cyber-crooks who target foreigners. The filter examines only the Windows locale setting, so it protects no PCs elsewhere, and no one should rely on it.

With that caveat, the Rapid 2.0 Ransomware otherwise launches data-encrypting attacks highly similar to the Rapid Ransomware's AES-based ones. This version of the Trojan generates a new extension for each infection, and also overwrites the rest of the filename of every file it locks, so victims cannot tell from the names which documents were affected. The Rapid 2.0 Ransomware finishes by creating a text ransom note in the same folder as the encrypted media, which gives the victim an e-mail address for negotiating. Malware experts discourage negotiating, because a victim who pays by non-refundable means is depending on the threat actors to deliver a decryptor afterwards, and they often do not.
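The three on-disk indicators described above (one never-before-seen extension per infection, filenames replaced by random-looking stems, and a ransom note dropped into each affected folder) can be turned into a simple post-incident sweep. The scanner below is an added example written for this page, not code from the original article or from the Rapid authors; the extension '.kqz', the note filename and the note text in the constructed sample tree are invented for the demonstration and are not Rapid's real artifacts. The entropy threshold, the 80% dominance ratio and the list of "common" extensions are assumptions to tune for a real environment.

```python
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Extensions that legitimately dominate a folder (photo dumps, log dirs); they are never
# treated as a new ransomware extension. Assumption: extend this set for your environment.
COMMON_EXTS = {".txt", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".jpeg", ".png",
               ".mp3", ".mp4", ".zip", ".exe", ".dll", ".py", ".log", ".csv", ".bak"}
NOTE_WORDS = re.compile(r"decrypt|ransom|bitcoin|\bbtc\b|your files", re.I)
CONTACT_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+|\.onion\b", re.I)


def shannon_entropy(text):
    """Bits per character of `text`; random stems score high, dictionary words low."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_note(path):
    """A small text file that mentions decryption/ransom and offers a contact channel."""
    try:
        p = Path(path)
        if p.stat().st_size > 64 * 1024:
            return False
        text = p.read_text(errors="ignore")
    except OSError:
        return False
    return bool(NOTE_WORDS.search(text) and CONTACT_RE.search(text))


def scan_directory(root, min_files=5, dominance=0.8, min_entropy=3.0):
    """Walk `root` and report folders where one unfamiliar extension dominates, the file
    stems look random, and a ransom-note-like text file sits alongside the data."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        notes = [f for f in filenames if f.lower().endswith(".txt")
                 and looks_like_note(os.path.join(dirpath, f))]
        data_files = [f for f in filenames if f not in notes]
        if len(data_files) < min_files:
            continue
        ext_counts = Counter(Path(f).suffix.lower() for f in data_files)
        ext, count = ext_counts.most_common(1)[0]
        if not ext or ext in COMMON_EXTS or count / len(data_files) < dominance:
            continue
        stems = [Path(f).stem for f in data_files if Path(f).suffix.lower() == ext]
        mean_entropy = sum(shannon_entropy(s) for s in stems) / len(stems)
        if mean_entropy < min_entropy:
            continue
        findings.append({"dir": dirpath, "extension": ext, "renamed_files": len(stems),
                         "note_files": notes, "mean_stem_entropy": round(mean_entropy, 2)})
    return findings


def build_sample_tree():
    """Constructed sample: one folder mimicking an encrypted share and one benign folder.
    The '.kqz' extension, stems and note text are invented for this example."""
    root = tempfile.mkdtemp(prefix="rapid_demo_")
    hit = Path(root, "Documents")
    hit.mkdir()
    for stem in ["kG8x2QpLz4wN", "Rt5vY9mBc1Hs", "Xz3nP7qWd0Ka", "Lm6jF4sTh8Vb", "Qw2eR9tYu1Io"]:
        (hit / f"{stem}.kqz").write_bytes(b"\x00" * 32)
    (hit / "recovery_instructions.txt").write_text(
        "All your files are encrypted. To decrypt them contact support@example.invalid\n")
    benign = Path(root, "Pictures")
    benign.mkdir()
    for name in ["beach.jpg", "dog.jpg", "sunset.jpg", "family.jpg", "house.jpg", "notes.txt"]:
        (benign / name).write_text("plain content")
    return root


if __name__ == "__main__":
    for finding in scan_directory(build_sample_tree()):
        print(finding)
```

The photo folder is ignored because '.jpg' is on the common-extension list even though it dominates, and the note detector refuses to treat an ordinary 'notes.txt' as a ransom note because it names no contact channel. Run it against a file share snapshot to map which folders the Trojan reached before a restore.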

Slowing Down the Rapid 2.0 Ransomware's Collection of Ransoms

While malware experts rate the Rapid 2.0 Ransomware as mostly operational, its threat actors have omitted any code obfuscation or packing that would conceal the Trojan's identity and encryption routine from analysts and anti-malware scanners. Therefore, more work is anticipated on the Rapid 2.0 Ransomware before it is deployed in significant numbers. In the past, the Rapid 2.0 Ransomware's family has used different infection methods, according to its 'client' threat actors' preferences, including IRS-themed spam e-mail. Users should treat e-mail attachments that can carry hostile content, such as macro-enabled documents, with suspicion.

A free decryption service for the Rapid 2.0 Ransomware doesn't exist, and may never exist. Users without backups always risk having their files locked by the encryption that Trojans like the Rapid 2.0 Ransomware can apply in seconds, without any warning signs. Malware experts also warn that many other threat actors do target Russian-based systems, despite the Rapid 2.0 Ransomware's configuration for avoiding that nation's residents. Keeping a backup, and an anti-malware program that can delete the Rapid 2.0 Ransomware preemptively, are the best forms of protection.

The early stage of the Rapid 2.0 Ransomware's roll-out tells malware experts a little more about how its RaaS business operates, but those details may mean little to the people whose documents and other media it damages. Russians may not need to worry about the Rapid 2.0 Ransomware, but other file-locking Trojans are interested in sabotaging their data in its place.

Update 3.0

The Rapid 3.0 Ransomware is a variant of the Rapid Ransomware, which has been active for just a few days and has already found victims in a dozen countries around the globe. The threat does not feature any major code improvements compared to previously released variants, but the attackers appear to use a new Tor-based payment portal found at 'http://vgon3ggilr4vu32q.onion'. The people behind the Rapid 3.0 Ransomware are using spam e-mails to find victims. Their propagation method sends fraudulent messages from spoofed e-mail addresses so that the message appears to come from a reputable company. Usually, the messages contain either a corrupted attachment or a download link, which points the victim to the Rapid 3.0 Ransomware's payload.

If the Rapid 3.0 Ransomware is executed on a PC without sufficient protection, the threat needs just a few minutes to complete its attack. This file-encryption Trojan targets a broad range of file formats including, but not limited to, documents, images, archives, backups, videos and audio recordings. The Rapid 3.0 Ransomware's attack also wipes the Shadow Volume Copies, making it very unlikely that victims will be able to recover any of their files via third-party file restoration utilities. The ransom note does not reveal much, since its purpose is to refer the victim to a Tor-based payment page where victims can find out more about their recovery options. The attackers ask for a fixed ransom of 0.07 BTC and provide a contact form, which victims can use to submit the Bitcoin transaction ID, their e-mail address and the extension used to mark the encrypted files. In addition, the Rapid 3.0 Ransomware's authors list the address demonslay335@rape.lol as an alternate contact method.
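Shadow Volume Copy deletion is the one step in the attack described above that usually has to go through a documented Windows administration tool, which makes it the most reliable early detection point for this family and for file-locking Trojans in general. The detector below is an added example for this page, not code from the original article or from the Rapid authors. The page does not say which command Rapid 3.0 uses, so the rules are an assumption covering the usual suspects (vssadmin, wmic shadowcopy, wbadmin, bcdedit); the Sysmon-style process-creation records, file paths and the 'invoice.exe' parent are constructed for the demonstration.

```python
import re

# Constructed Sysmon-like process-creation records (key="value" pairs). These are not logs
# from a real Rapid 3.0 infection; every path and command line here is invented.
SAMPLE_EVENTS = [
    r'EventID="1" Image="C:\Windows\explorer.exe" CommandLine="C:\Windows\explorer.exe" ParentImage="C:\Windows\System32\userinit.exe"',
    r'EventID="1" Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin delete shadows /all /quiet" ParentImage="C:\Users\victim\AppData\Local\Temp\invoice.exe"',
    r'EventID="1" Image="C:\Windows\System32\wbem\WMIC.exe" CommandLine="wmic shadowcopy delete" ParentImage="C:\Users\victim\AppData\Local\Temp\invoice.exe"',
    r'EventID="1" Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin list shadows" ParentImage="C:\Windows\System32\cmd.exe"',
    r'EventID="1" Image="C:\Windows\System32\bcdedit.exe" CommandLine="bcdedit /set {default} recoveryenabled No" ParentImage="C:\Windows\System32\cmd.exe"',
    r'EventID="1" Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c vssadmin.exe delete shadows /all /quiet" ParentImage="C:\Program Files\Backup\agent.exe"',
]

# Assumed rule set: commands that destroy or disable Windows recovery data. The regexes
# deliberately match anywhere in the command line so a cmd.exe /c wrapper does not hide them.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_resize_shadowstorage", re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit_disable_recovery", re.compile(
        r"bcdedit(?:\.exe)?.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]

# A parent process living under a user-writable directory is how a freshly downloaded
# attachment looks; that earns a higher severity than an admin shell under System32.
SUSPICIOUS_PARENT = re.compile(r"\\(?:users|temp|appdata|programdata)\\", re.I)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn one key="value" record into a dict."""
    return dict(KV_RE.findall(line))


def detect(lines):
    """Return one alert per record whose command line matches a recovery-destruction rule."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        cmd = event.get("CommandLine", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                parent = event.get("ParentImage", "")
                alerts.append({
                    "rule": name,
                    "image": event.get("Image", ""),
                    "parent": parent,
                    "command": cmd,
                    "severity": "high" if SUSPICIOUS_PARENT.search(parent) else "medium",
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'[{alert["severity"]}] {alert["rule"]}: {alert["command"]}  (parent: {alert["parent"]})')
```

'vssadmin list shadows' is left alone because administrators run it routinely; the destructive verbs are what matter. In a real deployment the same rules belong in your SIEM or in a Sysmon/EDR rule, and an alert from a parent under a user profile should page someone, since the Trojan needs only minutes once this step has run.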

Although the price of 0.07 BTC (about $600) might seem reasonable, we advise victims not to send any money to these people, since the chance of being tricked is too high. The recommended way to deal with undecryptable ransomware is to use a trustworthy anti-virus tool to dispose of the threatening software and prevent it from causing any more damage. Sadly, this will not undo the damage already done to the files. However, we advise victims to keep all locked data, since its decryption might become possible in the future.

Technical Details

Additional Information

The following URLs were detected:
anyfinder.xyz