Rapid Ransomware Being Spread Using Fake IRS Malspam
A new variant of Rapid Ransomware is currently being distributed using malspam that pretends to be from the Internal Revenue Service. First detected by Derek Knight, this campaign is a mixup of countries: the IRS is a U.S. entity, the sender is a UK email address, and the spam attachment is in German. This malspam campaign is being sent with email subjects like "Please Note - IRS Urgent Message-164" and states that the recipient is behind on real estate taxes. It then goes on to tell the recipient to open the attachment to see a compiled report on how much is owed.
Rapid Ransomware Malspam
Attached to the email is a zip file called Notification-[number].zip. Inside these zip files is a malicious word document, where a victim needs to click on Enable Editing followed by Enable Content in order for the macros to run. When the macro runs, it will download the Rapid Ransomware executable and execute it.
Malicious Word Document
Like the previous variant, Rapid Ransomware will scan a computer for data files and encrypt them. When encrypting a file it will append the .rapid extension to the encrypted file's name. For example, a file called test.jpg would be encrypted and renamed to test.jpg.rapid.
Encrypted Rapid Files
When Rapid Ransomware has finished encrypting a computer it will open numerous recovery.txt ransom notes in Notepad. These ransom notes tell the victim to contact firstname.lastname@example.org or email@example.com in order to receive payment instructions.
Rapid Ransomware Ransom Note
Unlike many other ransomware infections, this ransomware will configure itself to start every time you log in to the computer, running from the file %UserProfile%\AppData\Roaming\info.exe. The autorun entry for this is HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ "Encrypter_074 " = "%UserProfile%\AppData\Roaming\info.exe".
By setting itself to start on login, the ransomware is able to encrypt new files as they are created. Therefore it is important to terminate the info.exe process associated with the Rapid Ransomware and then rename the file to something like rapid.exe.dis so it does not start again. Unfortunately, at this time there is no way to decrypt Rapid Ransomware encrypted files for free. For those who wish to receive help with disabling this ransomware or have other questions, you can ask in our dedicated Rapid Ransomware Help & Support topic.
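The following PowerShell script is an added example, not part of the original article and not a tool from BleepingComputer. It turns the indicators listed above (the info.exe payload under %AppData%, the HKCU Run value pointing at it, the .rapid extension, and the recovery.txt notes) into a triage routine for one user profile, and, only when the -Remediate switch is given, performs the two steps the article recommends: terminate the process and rename the file so it cannot start again. The exact Run value name and paths are assumed from the page; the rename target info.exe.dis is an arbitrary choice in the spirit of the article's "rapid.exe.dis".

```powershell
# Added example (not from the article): triage a Windows user profile for the
# Rapid Ransomware indicators described above. Report-only by default; pass
# -Remediate to stop the process, rename the payload and remove the autorun.
# Assumptions (from the page): payload is %UserProfile%\AppData\Roaming\info.exe,
# the Run value data points at that path, encrypted files end in ".rapid",
# ransom notes are named recovery.txt.
param(
    [switch]$Remediate   # without this switch nothing on the system is changed
)

$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$payload  = Join-Path $env:APPDATA 'info.exe'   # %UserProfile%\AppData\Roaming\info.exe
$findings = @()

# 1. Running process: match on the image path, not just the name "info.exe",
#    so an unrelated binary with the same name elsewhere is not killed.
$procs = Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path -ieq $payload }
foreach ($p in $procs) {
    $findings += "Process $($p.Id) running from $($p.Path)"
    if ($Remediate) { Stop-Process -Id $p.Id -Force }
}

# 2. Payload on disk: rename rather than delete so a sample survives for analysis.
if (Test-Path -LiteralPath $payload) {
    $findings += "Payload present: $payload"
    if ($Remediate) { Rename-Item -LiteralPath $payload -NewName 'info.exe.dis' }
}

# 3. Autorun entry: inspect every Run value and flag any whose (expanded) data
#    resolves to the payload path, whatever the value name (the page lists
#    "Encrypter_074 " with a trailing space, so do not rely on an exact name).
$runValues = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runValues) {
    foreach ($prop in $runValues.PSObject.Properties) {
        if ($prop.Name -like 'PS*' -or -not ($prop.Value -is [string])) { continue }
        $data = [Environment]::ExpandEnvironmentVariables($prop.Value).Trim('"')
        if ($data -ieq $payload) {
            $findings += "Run value '$($prop.Name)' -> $($prop.Value)"
            if ($Remediate) { Remove-ItemProperty -Path $runKey -Name $prop.Name }
        }
    }
}

# 4. Impact scoping: count encrypted files and ransom notes under the profile.
$scope     = $env:USERPROFILE
$encrypted = @(Get-ChildItem -Path $scope -Recurse -File -Filter '*.rapid' -ErrorAction SilentlyContinue)
$notes     = @(Get-ChildItem -Path $scope -Recurse -File -Filter 'recovery.txt' -ErrorAction SilentlyContinue)
$findings += "Encrypted files (*.rapid) under ${scope}: $($encrypted.Count)"
$findings += "Ransom notes (recovery.txt) under ${scope}: $($notes.Count)"

$findings | ForEach-Object { Write-Output $_ }
if (-not $Remediate) { Write-Output 'Report-only run; re-run with -Remediate to stop the process, rename the payload and remove the Run value.' }
```

Run it first without -Remediate to confirm the findings match this family before changing anything; the order of the remediation steps (process first, then file, then Run value) matters, because removing the Run value while info.exe is still running leaves the encryption loop alive until the next reboot.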
Original Author: Lawrence Abrams
Original Date: Feb 12 2018