Rapid is a ransomware that remains running after its initial encryption pass of a computer and encrypts any new files that are created afterwards.

Payload

When Rapid runs, it clears the Windows shadow volume copies, terminates database processes, and disables automatic repair. The processes that are terminated are sql.exe, sqlite.exe, and oracle.com, and the commands that are executed are:

vssadmin.exe Delete Shadow /All /Quiet
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures

Once these commands are executed, the ransomware will scan the computer for files to encrypt. When a file is encrypted it will have the .rapid extension appended to the encrypted file's name.

When the ransomware has finished encrypting a computer it creates ransom notes named How Recovery Files.txt in various folders, including the Windows desktop. The ransom note contains an email address that the victim is told to contact to receive payment instructions.
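The three commands and the two file-system artifacts above are the observable behaviours a defender can key on. The following Python script is an added example written for this page, not code from the wiki or from any security vendor: it runs simple detection rules over constructed process-creation and file-creation records in a made-up "user|image|commandline" format, flags the shadow-copy deletion and the two bcdedit changes, counts files carrying the .rapid extension and ransom notes named How Recovery Files.txt, and combines them into a verdict. The scoring threshold and the log format are assumptions for the example; the vssadmin rule deliberately accepts both "Shadow" and "Shadows" so it matches the spelling quoted on this page as well as the documented command syntax.

```python
import re

# Constructed sample process-creation records (not real telemetry).
# Format assumed for this example: user|image path|command line
SAMPLE_PROCESS_LOG = [
    "alice|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadow /All /Quiet",
    "alice|C:\\Windows\\System32\\cmd.exe|cmd.exe /C bcdedit /set {default} recoveryenabled No",
    "alice|C:\\Windows\\System32\\cmd.exe|cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "alice|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\alice\\notes.txt",
    "backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe List Shadows",
]

# Constructed sample file-creation events (full paths).
SAMPLE_FILE_EVENTS = [
    "C:\\Users\\alice\\Documents\\report.docx.rapid",
    "C:\\Users\\alice\\Desktop\\How Recovery Files.txt",
    "C:\\Users\\alice\\Documents\\budget.xlsx",
    "C:\\Users\\alice\\Pictures\\holiday.jpg.rapid",
]

# Command-line rules derived from the commands listed on this page.
# Matching is case-insensitive; "shadows?" covers both spellings.
COMMAND_RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows?\b", re.I),
    "recovery_disabled": re.compile(r"bcdedit\b.*\brecoveryenabled\s+no\b", re.I),
    "boot_failures_ignored": re.compile(r"bcdedit\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
}

RANSOM_EXTENSION = ".rapid"           # extension appended to encrypted files
RANSOM_NOTE_NAME = "How Recovery Files.txt"  # ransom note filename


def match_command_rules(lines):
    """Return one hit dict per (record, rule) pair whose command line matches."""
    hits = []
    for line in lines:
        user, image, cmdline = line.split("|", 2)
        for name, pattern in COMMAND_RULES.items():
            if pattern.search(cmdline):
                hits.append({"rule": name, "user": user, "image": image, "cmdline": cmdline})
    return hits


def classify_file_events(paths):
    """Split file-creation paths into encrypted files and ransom notes."""
    result = {"encrypted": [], "ransom_notes": []}
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if name.lower().endswith(RANSOM_EXTENSION):
            result["encrypted"].append(path)
        elif name.lower() == RANSOM_NOTE_NAME.lower():
            result["ransom_notes"].append(path)
    return result


def assess(process_lines, file_paths):
    """Combine command and file indicators into a simple score and verdict.

    Score = number of distinct command rules hit (0..3)
            + 1 if any .rapid files were seen
            + 1 if any ransom notes were seen.
    The threshold of 3 for a firm verdict is an assumption for this example.
    """
    hits = match_command_rules(process_lines)
    files = classify_file_events(file_paths)
    distinct_rules = {h["rule"] for h in hits}
    score = len(distinct_rules)
    score += 1 if files["encrypted"] else 0
    score += 1 if files["ransom_notes"] else 0
    if score >= 3:
        verdict = "ransomware_behaviour"
    elif score > 0:
        verdict = "review"
    else:
        verdict = "clean"
    return {"command_hits": hits, "files": files, "score": score, "verdict": verdict}


if __name__ == "__main__":
    report = assess(SAMPLE_PROCESS_LOG, SAMPLE_FILE_EVENTS)
    for hit in report["command_hits"]:
        print(f"[{hit['rule']}] {hit['user']}: {hit['cmdline']}")
    print("encrypted files:", len(report["files"]["encrypted"]))
    print("ransom notes:", len(report["files"]["ransom_notes"]))
    print("score:", report["score"], "verdict:", report["verdict"])
```

On the constructed sample the three command rules fire once each (the legitimate "vssadmin List Shadows" from the backup account does not match), two .rapid files and one ransom note are counted, and the combined score of 5 yields the "ransomware_behaviour" verdict. Because Rapid keeps running and encrypting new files after the initial pass, the file-creation rule is worth keeping active after the command-line hits have already been acted on.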

The ransom note says the following:

Hello!
All your files have been encrypted by us
If you want restore files write on e-mail - frenkmoddy@tuta.io

This infection also creates autorun entries that launch the ransomware on startup and display the ransom note.