win.rapid_ransom

Rapid Ransom


InfinityGroup notes that Rapid Ransomware, unlike typical ransomware, stays active on the computer after the initial encryption of the system and also encrypts any new files that are created. It does this by creating auto-run entries that launch the ransomware and display the ransom note every time the infected system is started.

References
2020-02-28 | Financial Security Institute | Financial Security Institute
@online{institute:20200228:profiling:ebaa39b, author = {Financial Security Institute}, title = {{Profiling of TA505 Threat Group That Continues to Attack the Financial Sector}}, date = {2020-02-28}, organization = {Financial Security Institute}, url = {https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do}, language = {English}, urldate = {2020-02-28} } Profiling of TA505 Threat Group That Continues to Attack the Financial Sector
Amadey Clop FlawedAmmyy Rapid Ransom SDBbot TinyMet
2020-02-25 | RSA Conference | Joel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus
2019-07-24 | IBM X-Force Exchange | John Kuhn
@online{kuhn:20190724:guesswho:1b23cb0, author = {John Kuhn}, title = {{GuessWho Ransomware – A Variant of Rapid Ransomware}}, date = {2019-07-24}, organization = {IBM X-Force Exchange}, url = {https://exchange.xforce.ibmcloud.com/collection/GuessWho-Ransomware-A-Variant-of-Rapid-Ransomware-ef226b9792fa4c1e34fa4c587db04145}, language = {English}, urldate = {2020-01-10} } GuessWho Ransomware – A Variant of Rapid Ransomware
Rapid Ransom
2018-05-19 | Twitter (@malwrhunterteam) | malwrhunterteam
@online{malwrhunterteam:20180519:rapid:b25afd8, author = {malwrhunterteam}, title = {{Tweet on Rapid 2 ransomware}}, date = {2018-05-19}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/997748495888076800}, language = {English}, urldate = {2020-01-06} } Tweet on Rapid 2 ransomware
Rapid Ransom
2018-03-23 | Twitter (MalwareHunterTeam) | MalwareHunterTeam
@online{malwarehunterteam:20180323:rapid:31feb13, author = {MalwareHunterTeam}, title = {{Tweet on Rapid Ransomware 2.0}}, date = {2018-03-23}, organization = {Twitter (MalwareHunterTeam)}, url = {https://twitter.com/malwrhunterteam/status/977275481765613569}, language = {English}, urldate = {2019-12-10} } Tweet on Rapid Ransomware 2.0
Rapid Ransom
Yara Rules
[TLP:WHITE] win_rapid_ransom_auto (20230125 | Detects win.rapid_ransom.)
// Auto-generated code-pattern rule for win.rapid_ransom (yara-signator; see the
// DISCLAIMER block below for how the byte sequences were selected). Each string is
// a run of x86 instruction encodings taken from unpacked samples / memory dumps,
// so it targets the unpacked code, not a packed on-disk sample.
rule win_rapid_ransom_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.rapid_ransom."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_ransom"
        malpedia_rule_date = "20230124"
        // NOTE(review): presumably Malpedia's reference for this rule revision, not a
        // sample hash — do not treat it as an IoC without checking the source.
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of consecutive x86 instruction encodings; the
        // disassembly the generator derived it from is listed beneath it. "n" is the
        // instruction count. The meaning of "score" is not stated here — presumably a
        // generator-assigned weight; the condition below does not use it, it simply
        // counts how many sequences match.
        // The "??" bytes mask the operands of call/jmp/mov-imm encodings (ff15, e8,
        // e9, ba below) — presumably address-dependent values, per the generator's
        // "callsandjumps;datarefs" configuration.
        $sequence_0 = { 6801000004 6800a40000 ff75f8 ff15???????? }
            // n = 4, score = 300
            //   6801000004           | push                0x4000001
            //   6800a40000           | push                0xa400
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   ff15????????         |                     

        $sequence_1 = { 6a04 83c00a 6800300000 03c6 50 6a00 }
            // n = 6, score = 200
            //   6a04                 | push                4
            //   83c00a               | add                 eax, 0xa
            //   6800300000           | push                0x3000
            //   03c6                 | add                 eax, esi
            //   50                   | push                eax
            //   6a00                 | push                0

        $sequence_2 = { 0f8419010000 68400000f0 6a01 6a00 6a00 8d45f8 }
            // n = 6, score = 200
            //   0f8419010000         | je                  0x11f
            //   68400000f0           | push                0xf0000040
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8d45f8               | lea                 eax, [ebp - 8]

        $sequence_3 = { ff7510 c644241701 57 6a01 e8???????? 83c410 }
            // n = 6, score = 200
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   c644241701           | mov                 byte ptr [esp + 0x17], 1
            //   57                   | push                edi
            //   6a01                 | push                1
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10

        $sequence_4 = { 51 6801000040 ff750c 53 ff15???????? 85c0 }
            // n = 6, score = 200
            //   51                   | push                ecx
            //   6801000040           | push                0x40000001
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_5 = { ff15???????? ff742414 53 ff15???????? }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   ff742414             | push                dword ptr [esp + 0x14]
            //   53                   | push                ebx
            //   ff15????????         |                     

        $sequence_6 = { 8b442418 85c0 743c 8b442414 ba???????? }
            // n = 5, score = 200
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   85c0                 | test                eax, eax
            //   743c                 | je                  0x3e
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   ba????????           |                     

        $sequence_7 = { 8974243c e8???????? 83c410 5f 5e 5b 8be5 }
            // n = 7, score = 200
            //   8974243c             | mov                 dword ptr [esp + 0x3c], esi
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp

        $sequence_8 = { 0f8454010000 83fe20 7d07 33c0 e9???????? 6a20 e8???????? }
            // n = 7, score = 100
            //   0f8454010000         | je                  0x15a
            //   83fe20               | cmp                 esi, 0x20
            //   7d07                 | jge                 9
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   6a20                 | push                0x20
            //   e8????????           |                     

        // NOTE(review): every byte of this sequence (33 30 33 38 33 40 33 48) is
        // printable ASCII ("30383@3H"), so despite the disassembly shown it may be
        // data rather than code; treat it as a weak pattern (its score, 100, is the
        // lowest tier in this rule).
        $sequence_9 = { 3330 3338 334033 48 }
            // n = 4, score = 100
            //   3330                 | xor                 esi, dword ptr [eax]
            //   3338                 | xor                 edi, dword ptr [eax]
            //   334033               | xor                 eax, dword ptr [eax + 0x33]
            //   48                   | dec                 eax

        $sequence_10 = { 57 ff15???????? 6a00 8d45d4 50 6a20 56 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   8d45d4               | lea                 eax, [ebp - 0x2c]
            //   50                   | push                eax
            //   6a20                 | push                0x20
            //   56                   | push                esi

        $sequence_11 = { 0f114010 eb05 33c0 8945e8 57 33ff }
            // n = 6, score = 100
            //   0f114010             | movups              xmmword ptr [eax + 0x10], xmm0
            //   eb05                 | jmp                 7
            //   33c0                 | xor                 eax, eax
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi

        $sequence_12 = { 0f8400010000 8d5941 c74424253a5c5c00 6804010000 885c2428 }
            // n = 5, score = 100
            //   0f8400010000         | je                  0x106
            //   8d5941               | lea                 ebx, [ecx + 0x41]
            //   c74424253a5c5c00     | mov                 dword ptr [esp + 0x25], 0x5c5c3a
            //   6804010000           | push                0x104
            //   885c2428             | mov                 byte ptr [esp + 0x28], bl

        $sequence_13 = { 83c408 84db 0f95c0 5f }
            // n = 4, score = 100
            //   83c408               | add                 esp, 8
            //   84db                 | test                bl, bl
            //   0f95c0               | setne               al
            //   5f                   | pop                 edi

        $sequence_14 = { ff15???????? 57 ff15???????? 33c9 33f6 380b }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   57                   | push                edi
            //   ff15????????         |                     
            //   33c9                 | xor                 ecx, ecx
            //   33f6                 | xor                 esi, esi
            //   380b                 | cmp                 byte ptr [ebx], cl

    // Any 7 of the 15 sequences must be present (which 7 does not matter).
    // The size bound is 286720 bytes = 280 KiB: a larger file (e.g. a padded or
    // bundled sample) will not match regardless of sequence hits. `filesize` is
    // only defined when scanning a file, not process memory — presumably this rule
    // therefore cannot match in a memory scan at all; verify before deploying it
    // against process memory, which is where the unpacked code it targets lives.
    condition:
        7 of them and filesize < 286720
}