win.rapid_ransom

Rapid Ransom


InfinityGroup notes that Rapid Ransomware, unlike regular ransomware, stays active on the computer after the initial encryption of the system and also encrypts any new files that are created afterwards. It does this by creating auto-run entries that launch the ransomware and display the ransom note every time the infected system is started.

References
2020-02-28 | Financial Security Institute | Financial Security Institute
@online{institute:20200228:profiling:ebaa39b, author = {Financial Security Institute}, title = {{Profiling of TA505 Threat Group That Continues to Attack the Financial Sector}}, date = {2020-02-28}, organization = {Financial Security Institute}, url = {https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do}, language = {English}, urldate = {2020-02-28} } Profiling of TA505 Threat Group That Continues to Attack the Financial Sector
Amadey Clop FlawedAmmyy Rapid Ransom SDBbot TinyMet
2020-02-25 | RSA Conference | Joel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus
2019-07-24 | IBM X-Force Exchange | John Kuhn
@online{kuhn:20190724:guesswho:1b23cb0, author = {John Kuhn}, title = {{GuessWho Ransomware – A Variant of Rapid Ransomware}}, date = {2019-07-24}, organization = {IBM X-Force Exchange}, url = {https://exchange.xforce.ibmcloud.com/collection/GuessWho-Ransomware-A-Variant-of-Rapid-Ransomware-ef226b9792fa4c1e34fa4c587db04145}, language = {English}, urldate = {2020-01-10} } GuessWho Ransomware – A Variant of Rapid Ransomware
Rapid Ransom
2018-05-19 | Twitter (@malwrhunterteam) | malwrhunterteam
@online{malwrhunterteam:20180519:rapid:b25afd8, author = {malwrhunterteam}, title = {{Tweet on Rapid 2 ransomware}}, date = {2018-05-19}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/997748495888076800}, language = {English}, urldate = {2020-01-06} } Tweet on Rapid 2 ransomware
Rapid Ransom
2018-03-23 | Twitter (MalwareHunterTeam) | MalwareHunterTeam
@online{malwarehunterteam:20180323:rapid:31feb13, author = {MalwareHunterTeam}, title = {{Tweet on Rapid Ransomware 2.0}}, date = {2018-03-23}, organization = {Twitter (MalwareHunterTeam)}, url = {https://twitter.com/malwrhunterteam/status/977275481765613569}, language = {English}, urldate = {2019-12-10} } Tweet on Rapid Ransomware 2.0
Rapid Ransom
Yara Rules
[TLP:WHITE] win_rapid_ransom_auto (20221125 | Detects win.rapid_ransom.)
// Autogenerated YARA-Signator rule for the Malpedia family win.rapid_ransom (Rapid Ransom).
// Matching logic: 15 byte sequences ($sequence_0 .. $sequence_14) taken from 32-bit x86 code
// (eax/ebp/esp, dword ptr operands); at least 7 of them must occur in a file smaller than
// 286720 bytes (280 KiB). Bytes written as "??" are wildcards; the generator blanks the
// disassembly column for those instructions, which here are call/push forms whose 32-bit
// operand (relative target or absolute address) typically differs between builds.
// Because the rule was derived from single Malpedia samples (see DISCLAIMER below), treat a
// hit as a strong lead rather than a definitive attribution and confirm with sandbox/telemetry.
rule win_rapid_ransom_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.rapid_ransom."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_ransom"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // The "n = …, score = …" annotations under each string are emitted by the generator:
    // n is the number of instructions in the sequence (matches the listed disassembly);
    // score is a generator-assigned weight whose definition is not given on this page.
    // The score is informational only — the condition below weighs every sequence equally.
    strings:
        $sequence_0 = { 50 6801000004 6800a40000 ff75f8 }
            // n = 4, score = 300
            //   50                   | push                eax
            //   6801000004           | push                0x4000001
            //   6800a40000           | push                0xa400
            //   ff75f8               | push                dword ptr [ebp - 8]

        $sequence_1 = { 897c243c e8???????? 83c410 84c0 0f94c1 }
            // n = 5, score = 200
            //   897c243c             | mov                 dword ptr [esp + 0x3c], edi
            //   e8????????           |                     // wildcarded: 4-byte call operand
            //   83c410               | add                 esp, 0x10
            //   84c0                 | test                al, al
            //   0f94c1               | sete                cl

        $sequence_2 = { ff75fc 51 6801000040 ff750c 53 }
            // n = 5, score = 200
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   51                   | push                ecx
            //   6801000040           | push                0x40000001
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   53                   | push                ebx

        $sequence_3 = { 32c0 8844240f 33c0 c644240e00 }
            // n = 4, score = 200
            //   32c0                 | xor                 al, al
            //   8844240f             | mov                 byte ptr [esp + 0xf], al
            //   33c0                 | xor                 eax, eax
            //   c644240e00           | mov                 byte ptr [esp + 0xe], 0

        $sequence_4 = { 8bf9 32db 8bf2 85ff 0f849c000000 85f6 0f8494000000 }
            // n = 7, score = 200
            //   8bf9                 | mov                 edi, ecx
            //   32db                 | xor                 bl, bl
            //   8bf2                 | mov                 esi, edx
            //   85ff                 | test                edi, edi
            //   0f849c000000         | je                  0xa2
            //   85f6                 | test                esi, esi
            //   0f8494000000         | je                  0x9a

        $sequence_5 = { 0f84dd000000 8b442420 8b5c2410 85442438 0f84cf000000 }
            // n = 5, score = 200
            //   0f84dd000000         | je                  0xe3
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   8b5c2410             | mov                 ebx, dword ptr [esp + 0x10]
            //   85442438             | test                dword ptr [esp + 0x38], eax
            //   0f84cf000000         | je                  0xd5

        $sequence_6 = { 7447 8d45f4 c745f494000000 50 57 }
            // n = 5, score = 200
            //   7447                 | je                  0x49
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   c745f494000000       | mov                 dword ptr [ebp - 0xc], 0x94
            //   50                   | push                eax
            //   57                   | push                edi

        $sequence_7 = { 8d442440 56 50 ff5514 8b4c2448 83c410 8a44240e }
            // n = 7, score = 200
            //   8d442440             | lea                 eax, [esp + 0x40]
            //   56                   | push                esi
            //   50                   | push                eax
            //   ff5514               | call                dword ptr [ebp + 0x14]
            //   8b4c2448             | mov                 ecx, dword ptr [esp + 0x48]
            //   83c410               | add                 esp, 0x10
            //   8a44240e             | mov                 al, byte ptr [esp + 0xe]

        $sequence_8 = { 83c9ff c7430c01000000 c7431000000000 eb2f 8b45f8 }
            // n = 5, score = 100
            //   83c9ff               | or                  ecx, 0xffffffff
            //   c7430c01000000       | mov                 dword ptr [ebx + 0xc], 1
            //   c7431000000000       | mov                 dword ptr [ebx + 0x10], 0
            //   eb2f                 | jmp                 0x31
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]

        $sequence_9 = { 0f57c0 57 660fd645e8 ffd6 }
            // n = 4, score = 100
            //   0f57c0               | xorps               xmm0, xmm0
            //   57                   | push                edi
            //   660fd645e8           | movq                qword ptr [ebp - 0x18], xmm0
            //   ffd6                 | call                esi

        $sequence_10 = { 68ff000000 53 6a01 50 68???????? }
            // n = 5, score = 100
            //   68ff000000           | push                0xff
            //   53                   | push                ebx
            //   6a01                 | push                1
            //   50                   | push                eax
            //   68????????           |                     // wildcarded: 4-byte push immediate

        $sequence_11 = { 8b55b4 8bd8 8b4dd4 e8???????? 8b4dd4 }
            // n = 5, score = 100
            //   8b55b4               | mov                 edx, dword ptr [ebp - 0x4c]
            //   8bd8                 | mov                 ebx, eax
            //   8b4dd4               | mov                 ecx, dword ptr [ebp - 0x2c]
            //   e8????????           |                     // wildcarded: 4-byte call operand
            //   8b4dd4               | mov                 ecx, dword ptr [ebp - 0x2c]

        $sequence_12 = { 740b 46 81fe00010000 72a7 eb03 8975cc 8b75c4 }
            // n = 7, score = 100
            //   740b                 | je                  0xd
            //   46                   | inc                 esi
            //   81fe00010000         | cmp                 esi, 0x100
            //   72a7                 | jb                  0xffffffa9
            //   eb03                 | jmp                 5
            //   8975cc               | mov                 dword ptr [ebp - 0x34], esi
            //   8b75c4               | mov                 esi, dword ptr [ebp - 0x3c]

        $sequence_13 = { 6a01 6810660000 ff75ec ff15???????? 85c0 0f8430040000 }
            // n = 6, score = 100
            //   6a01                 | push                1
            //   6810660000           | push                0x6610
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   ff15????????         |                     // wildcarded: 4-byte indirect call address
            //   85c0                 | test                eax, eax
            //   0f8430040000         | je                  0x436

        $sequence_14 = { c745d000000000 33f6 3803 7407 40 803c0300 75f9 }
            // n = 7, score = 100
            //   c745d000000000       | mov                 dword ptr [ebp - 0x30], 0
            //   33f6                 | xor                 esi, esi
            //   3803                 | cmp                 byte ptr [ebx], al
            //   7407                 | je                  9
            //   40                   | inc                 eax
            //   803c0300             | cmp                 byte ptr [ebx + eax], 0
            //   75f9                 | jne                 0xfffffffb

    condition:
        // Partial-match threshold: any 7 of the 15 sequences suffice, so no single sequence
        // is mandatory and a variant that drops a few of them can still match. There is no
        // PE-header anchor (e.g. a check on the first bytes), so the rule is applied to any
        // input under the size bound. The filesize limit (286720 bytes = 280 KiB) presumably
        // reduces false positives on large binaries, but it also means a larger sample or
        // memory dump will not match even if every sequence is present — keep that in mind
        // when scanning process memory or padded/packed files.
        7 of them and filesize < 286720
}