Filter Articles

Filter by Year:

Filter by Category







Sort Order

Refine Search

Rapid Ransomware Being Spread Using Fake IRS Malspam

02/20/2018

 

A new variant of Rapid Ransomware is currently being distributed using malspam that pretends to be from the Internal Revenue Service. First detected by Derek Knight, this campaign is a mixup of countries with the IRS being a U.S. entity, the send being a UK email address, and the spam attachment being in German. This malspam campaign is being sent with emails subjects like "Please Note - IRS Urgent Message-164" and state that the recipient is behind in real estate taxes. It then goes on to tell the recipient to open the attachment to see a compiled report on how much is owed

Rapid Ransomware Malspam

Attached to the email is a zip file called Notification-[number].zip. Inside these zip files is a malicious word document, where a victim needs to click on Enable Editing followed by Enable Content in order for the macros to run. When the macro runs, it will download the Rapid Ransomware executable and execute it.

Malicious Word Document

Like the previous variant, Rapid Ransomware will scan a computer for data files and encrypt them. When encrypting a file it will append the .rapid extension to the encrypted file's name. For example, a file called test.jpg would be encrypted and renamed to test.jpg.rapid.

Encrypted Rapid Files

When Rapid Ransomware has finished encrypting a computer it will open numerous recovery.txt ransom notes in Notepad.  These ransom notes tell the victim to contact decryptsupport@airmail.cc or supportlocker@firemail.cc  in order to receive payment instructions.

Rapid Ransomware Ransom Note

Unlike many other ransomware infections, this ransomware will configure itself to start every time you login to the computer from the %UserProfile%\AppData\Roaming\info.exe folder.  The autorun for this entry is HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ "Encrypter_074 " = "%UserProfile%\AppData\Roaming\info.exe".

By setting itself to start on login, it allows the ransomware to encrypt news files as they are made. Therefore it is important to terminate the info.exe process associated with the Rapid Ransomware and then rename the file to something like rapid.exe.dis so it does not start again. Unfortunately, at this time there is no way to decrypt Rapid Ransomware encrypted files for free. For those who wish to receive help with disabling this ransomware or have other questions, you can ask in our dedicated Rapid Ransomware Help & Support topic

Original Source: https://www.bleepingcomputer.com/news/security/rapid-ransomware-being-spread-using-fake-irs-malspam/.

Original Author: Lawrence Abrams

Original Date: Feb 12 2018



Recent Articles

Microsoft Achieves Positive Results with Experimental Underwater Datacenter
First Online-Only Whole Foods Launched by Amazon
Google Ad Grants: Who Does it Benefit and How Can You Qualify?
Google Chrome will Drastically Truncate URLs to Thwart Phishing
The Computer Mouse Co-Inventor, William English, Dies at 91
All Articles