
Look Out for Rapid Ransomware

March 14th 2018

A new ransomware family is being spread, aptly named “Rapid” Ransomware, which mostly leverages a social engineering attack vector: spam emails with malicious attachments. Files encrypted by Rapid are renamed with a .rapid extension. A ransom note is dropped in the form of a text file which instructs the victim to email the attacker to restore the encrypted files. Interestingly, neither the amount nor the type of ransom is mentioned in the note. After the initial encryption process, Rapid remains active and continues to encrypt new files as they are created.

We have observed an uptick of Rapid Ransomware infections since the end of January 2018.

Persistence

Rapid ransomware makes itself persistent and survives a system reboot by creating a start-up entry for the ‘info.exe’ executable dropped into the %AppData% folder. It also adds the path to the ransom note “recovery.txt” to the same Autorun key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

‘Encrypter’ = ‘C:\Users\IEUser\AppData\Roaming\info.exe’

‘userinfo’ = ‘C:\Users\IEUser\AppData\Roaming\recovery.txt’
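As an added defensive illustration (not code from the original post), the following Python parses a constructed `reg export` dump of the Run key shown above and applies two heuristics: an autorun target that is not an executable type (the ransom note, which Windows will open with its associated viewer at logon), and an executable sitting directly in a user-writable root such as %AppData%\Roaming rather than in a vendor subfolder. The sample export, its third legitimate OneDrive entry, and the heuristic thresholds are assumptions made for the example.

```python
import ntpath
import re

# A constructed `reg export` dump of the Run key, reproducing the two values
# quoted above plus one legitimate per-user entry for contrast. Not taken
# from the original post.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Encrypter"="C:\\Users\\IEUser\\AppData\\Roaming\\info.exe"
"userinfo"="C:\\Users\\IEUser\\AppData\\Roaming\\recovery.txt"
"OneDrive"="\"C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"""

# Directories any unprivileged user can write to; an autorun image sitting
# directly in one of these roots (not in a vendor subfolder) is unusual.
USER_WRITABLE_ROOTS = (r"\appdata\roaming", r"\appdata\local\temp", r"\users\public")
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".dll"}


def parse_run_key_export(text):
    """Return {value_name: command} for the REG_SZ lines of a reg export."""
    values = {}
    for line in text.splitlines():
        m = re.match(r'^"([^"]+)"="(.*)"$', line.strip())
        if m:
            name, raw = m.groups()
            # reg export doubles backslashes and escapes embedded quotes.
            values[name] = raw.replace("\\\\", "\\").replace('\\"', '"')
    return values


def image_path(command):
    """The program a Run value launches: the quoted path or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage_entry(command):
    """Heuristic findings for one Run value (empty list means nothing odd)."""
    path = image_path(command).lower()
    directory = ntpath.dirname(path)
    ext = ntpath.splitext(path)[1]
    findings = []
    if ext not in EXECUTABLE_EXTS:
        # Windows opens a non-executable target with its associated viewer at
        # logon, which is how the ransom note gets displayed.
        findings.append("non-executable autorun target")
    if any(directory.endswith(root) for root in USER_WRITABLE_ROOTS):
        findings.append("target placed directly in a user-writable root")
    return findings


def triage_run_key(export_text):
    """Map each suspicious value name to its findings."""
    report = {}
    for name, command in parse_run_key_export(export_text).items():
        findings = triage_entry(command)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in triage_run_key(SAMPLE_EXPORT).items():
        print(f"{name}: {', '.join(findings)}")
```

On a live host the same `triage_run_key` logic can be fed the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`; the parser only handles plain REG_SZ values, which is all a Run key normally contains.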

Key generation

    1. First, the Rapid variant imports the encoded master public 2048-bit RSA key into the Windows System Registry. The encoded master RSA public key:

      BgIAAACkAABSU0ExAAgAAAEAAQDBNYSU/7brRLUlbo6j0STSFkp3Tf7SIQW1gYyzlWtTSDtgdEAGnTqRNlzbPipl7pbGAZ5vdqOpek+5lIU589lvJZ36aLNBwqFRuigw14tA08Hy2R9zZwUnk1v5JRhOMddAPogx0yIVCOdxJDl4CVyuV4RPWHT1XamwUY+0uwwNvaDHOKviWfKXmK6HIxSiCunwvC2lBOJmXD1OOI0tjLFAc7/hO02GqigI6EerM98febzovQQ0VsWRu4CoJ1kbcMecyPA/HQoWYg92O0orjh+t4tKesHw0e1qiunxrsMaPGizHpUIWpGKR1Pe+ioXD/qL/pRbMrpYEvWmAdSc/tCLP

    2. If a ‘local_public_key’ entry does not already exist in the System Registry, Rapid generates an exportable 1024-bit RSA key pair.

    3. Then, it exports the generated local RSA key pair.
    4. After exporting the local RSA key pair, it encrypts the PRIVATEKEYBLOB with the master public RSA key.
    5. The encrypted local RSA key pair is stored in the registry as “local_enc_private_key”.
    6. Rapid then exports the public portion of the local RSA key pair, storing it in EncryptKeys\local_public_key.

    7. Rapid then retrieves the local RSA public key from the System Registry as needed for its future operations.
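The encoded master key in step 1 is the base64 form of a CryptoAPI PUBLICKEYBLOB, the structure that CryptImportKey consumes. The following Python, added here as an example and not part of the original post, decodes that blob using the documented BLOBHEADER/RSAPUBKEY layout and recovers the algorithm identifier, key size, public exponent and modulus, which lets an analyst confirm the "2048-bit RSA" claim directly from the bytes and fingerprint the master key for matching other samples. The constants are the standard wincrypt.h values; the SHA-256 fingerprint field is a convention assumed for the example.

```python
import base64
import hashlib
import struct

# The master public key exactly as printed in step 1 above, with the
# line-wrapping whitespace removed. It is the base64 form of a CryptoAPI
# PUBLICKEYBLOB (the format CryptImportKey consumes).
MASTER_KEY_B64 = (
    "BgIAAACkAABSU0ExAAgAAAEAAQDBNYSU/7brRLUlbo6j0STSFkp3Tf7SIQW1gYyzlWtTSDtgdEAGnTq"
    "RNlzbPipl7pbGAZ5vdqOpek+5lIU589lvJZ36aLNBwqFRuigw14tA08Hy2R9zZwUnk1v5JRhOMddAPog"
    "x0yIVCOdxJDl4CVyuV4RPWHT1XamwUY+0uwwNvaDHOKviWfKXmK6HIxSiCunwvC2lBOJmXD1OOI"
    "0tjLFAc7/hO02GqigI6EerM98febzovQQ0VsWRu4CoJ1kbcMecyPA/HQoWYg92O0orjh+t4tKesHw0e1"
    "qiunxrsMaPGizHpUIWpGKR1Pe+ioXD/qL/pRbMrpYEvWmAdSc/tCLP"
)

# Constants from the CryptoAPI headers (wincrypt.h).
PUBLICKEYBLOB = 0x06
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400
RSA1_MAGIC = 0x31415352      # the ASCII bytes "RSA1" read as a little-endian DWORD


def parse_publickeyblob(b64_text):
    """Decode a base64 PUBLICKEYBLOB and return its RSA parameters.

    Layout: BLOBHEADER {bType, bVersion, reserved, aiKeyAlg} (8 bytes),
    RSAPUBKEY {magic, bitlen, pubexp} (12 bytes), then the modulus as
    bitlen/8 little-endian bytes.
    """
    compact = "".join(b64_text.split())
    blob = base64.b64decode(compact + "=" * (-len(compact) % 4))
    if len(blob) < 20:
        raise ValueError("blob too short for BLOBHEADER + RSAPUBKEY")
    b_type, b_version, _reserved, alg_id = struct.unpack_from("<BBHI", blob, 0)
    magic, bit_len, pub_exp = struct.unpack_from("<III", blob, 8)
    if b_type != PUBLICKEYBLOB or magic != RSA1_MAGIC:
        raise ValueError("not an RSA PUBLICKEYBLOB")
    n_len = bit_len // 8
    if len(blob) != 20 + n_len:
        raise ValueError(f"expected {20 + n_len} bytes for a {bit_len}-bit key, got {len(blob)}")
    modulus = int.from_bytes(blob[20:20 + n_len], "little")
    return {
        "blob_type": b_type,
        "blob_version": b_version,
        "alg_id": alg_id,
        "is_rsa_keyx": alg_id == CALG_RSA_KEYX,
        "key_bits": bit_len,
        "public_exponent": pub_exp,
        "modulus": modulus,
        # SHA-256 of the raw blob: a stable fingerprint (an assumed convention)
        # for matching the same master key across samples of the family.
        "blob_sha256": hashlib.sha256(blob).hexdigest(),
    }


if __name__ == "__main__":
    info = parse_publickeyblob(MASTER_KEY_B64)
    for key, value in info.items():
        shown = hex(value)[:40] + "..." if key == "modulus" else value
        print(f"{key}: {shown}")
```

Because the modulus is stored little-endian, the last bytes of the blob are its most significant; a well-formed 2048-bit key therefore decodes to a modulus whose bit length is exactly 2048 and which is odd, both of which are cheap sanity checks on a transcribed blob.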

Anti-Debugger Behavior

While inspecting this variant of Rapid (executable info.exe), we observed that Rapid tries to evade debugging. It checks for a debugger by calling the IsDebuggerPresent function. If a debugger is active, an exception is thrown which halts the current process, and the CryptEncrypt function, responsible for encrypting the victim's data, is never invoked.

File encryption

Before encryption, Rapid invokes ‘taskkill.exe’ to terminate the following processes to ensure any database files are unlocked:

      • sql.exe
      • sqlite.exe
      • Oracle.exe

While indexing files to encrypt, Rapid excludes the following files from the encryption list:

      • How Recovery Files.txt
      • recovery.txt
      • Info.exe

To make the encryption process faster, Rapid spawns multiple threads: fixed, removable, and network drives are each handled by their own threads, all running concurrently.

Rapid generates a unique 256-bit AES key for every file. It uses the AES algorithm to encrypt the file with that key, and then exports the key.

The exported AES file key is then encrypted using the local RSA public key.

Finally, the Rapid variant encrypts each file with its corresponding AES key and writes the encrypted bytes back to the original file. After encryption, it appends a footer to the end of the file that contains:

[original file size][encrypted AES key][encrypted local RSA key pair]

Backup/Recovery Thwarting (Occurs prior to Encryption)

Rapid ransomware executes the following commands to remove shadow copies of files and to disable Windows recovery.

vssadmin.exe Delete Shadow /All /Quiet

cmd.exe /C bcdedit /set {default} recoveryenabled No

cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures

Once Windows' built-in file recovery mechanisms are disabled, Rapid scans for files to encrypt and begins the encryption process described above. After files are encrypted, they have the .rapid extension appended to the original file name, as shown in the figure below.
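The three recovery-thwarting commands above, together with the earlier taskkill of database processes, are the most reliable detection opportunity in this chain because they run before any file is encrypted. As an added example (not from the original post), the Python below runs simple command-line rules over constructed process-creation events in the shape of a Sysmon Event ID 1 record and correlates hits by parent process, so that a single parent that triggers several of these rules in quick succession is rated higher than an administrator running one vssadmin command by hand. The event fields, rule names and severity thresholds are assumptions for the example; the regex accepts both the "Delete Shadow" spelling quoted above and vssadmin's documented "Delete Shadows" form.

```python
import re
from collections import defaultdict

# Detection rules for the recovery-inhibition commands listed above. The
# regexes run over the lower-cased command line.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows?\b")),
    ("windows_recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("boot_failures_hidden",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
    ("database_process_kill",
     re.compile(r"\btaskkill(\.exe)?\b.*\b(sql|sqlite|oracle)\.exe\b")),
]

# Constructed process-creation events in the shape of a Sysmon Event ID 1
# or EDR record; these are not from the original post.
SAMPLE_EVENTS = [
    {"ts": "2018-03-01T10:00:01Z", "parent_image": "info.exe", "parent_pid": 4120,
     "image": "taskkill.exe", "command_line": "taskkill.exe /F /IM sql.exe"},
    {"ts": "2018-03-01T10:00:02Z", "parent_image": "info.exe", "parent_pid": 4120,
     "image": "vssadmin.exe", "command_line": "vssadmin.exe Delete Shadow /All /Quiet"},
    {"ts": "2018-03-01T10:00:02Z", "parent_image": "info.exe", "parent_pid": 4120,
     "image": "cmd.exe", "command_line": "cmd.exe /C bcdedit /set {default} recoveryenabled No"},
    {"ts": "2018-03-01T10:00:03Z", "parent_image": "info.exe", "parent_pid": 4120,
     "image": "cmd.exe",
     "command_line": "cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    # Benign: an administrator listing shadow copies from an interactive shell.
    {"ts": "2018-03-01T10:05:00Z", "parent_image": "powershell.exe", "parent_pid": 900,
     "image": "vssadmin.exe", "command_line": "vssadmin.exe List Shadows"},
]


def classify(command_line):
    """Names of every rule the command line matches (empty list if none)."""
    lowered = command_line.lower()
    return [name for name, rx in RULES if rx.search(lowered)]


def detect_recovery_inhibition(events):
    """Group rule hits by the parent process that spawned the commands.

    A single hit (e.g. one vssadmin invocation) is worth a medium-severity
    alert; two or more distinct rules from the same parent is the
    ransomware pattern and is rated high.
    """
    hits = defaultdict(set)
    for ev in events:
        for name in classify(ev["command_line"]):
            hits[(ev["parent_image"], ev["parent_pid"])].add(name)
    alerts = []
    for parent, rules in hits.items():
        alerts.append({
            "parent": parent,
            "rules": sorted(rules),
            "severity": "high" if len(rules) >= 2 else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_recovery_inhibition(SAMPLE_EVENTS):
        print(alert)
```

Keying the correlation on the parent process rather than on the image name matters here because Rapid launches two of the commands through `cmd.exe /C`, so the direct image is cmd.exe while the interesting ancestor is info.exe.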

Ransom Note

When the ransomware has finished the initial encryption process, it drops a text file “How Recovery Files.txt” in each folder containing encrypted files.

The file contains the simple message shown here: