win.rapid_ransom (Back to overview)

Rapid Ransom


InfinityGroup notes that Rapid Ransomware, unlike most ransomware, stays resident on the computer after the initial encryption pass and also encrypts any new files that are created afterwards. It does this by creating autorun entries that relaunch the ransomware and redisplay the ransom note every time the infected system is started. Because of this persistence, remediation has to remove the autorun entries as well as the binary, otherwise newly created files continue to be encrypted after the next reboot.

References
2020-02-28 — Financial Security Institute — Financial Security Institute
Profiling of TA505 Threat Group That Continues to Attack the Financial Sector
Amadey Clop FlawedAmmyy Rapid Ransom SDBbot TinyMet
2020-02-25 — RSA Conference — Joel DeCapua
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus
2019-07-24 — IBM X-Force Exchange — John Kuhn
GuessWho Ransomware – A Variant of Rapid Ransomware
Rapid Ransom
2018-05-19 — Twitter (@malwrhunterteam) — malwrhunterteam
Tweet on Rapid 2 ransomware
Rapid Ransom
2018-03-23 — Twitter (MalwareHunterTeam) — MalwareHunterTeam
Tweet on Rapid Ransomware 2.0
Rapid Ransom
Yara Rules
[TLP:WHITE] win_rapid_ransom_auto (20230808 | Detects win.rapid_ransom.)
/*
 * Autogenerated code-sequence rule for win.rapid_ransom (Malpedia / YARA-Signator).
 *
 * What it matches: x86 (32-bit) instruction byte sequences lifted from the
 * disassembly of unpacked samples / memory dumps. The `??` bytes are wildcards
 * standing in for call/jmp displacements and absolute data references that
 * vary between builds (see signator_config = "callsandjumps;datarefs;binvalue").
 *
 * How to read the per-string annotations:
 *   n     = number of instructions in the sequence
 *   score = how many of the reference samples contained the sequence; the
 *           300-scored sequence was seen in every sample, the 100-scored ones
 *           in a single sample only, so the latter are the weakest generalizers.
 *
 * NOTE(review): several sequences embed absolute addresses (0x4158f8, 0x41d0e8,
 * 0x41d364, 0x404ef5) tied to a 0x400000 image base. A relinked/rebased variant
 * will not match those strings; the condition tolerates this by requiring only
 * 7 of 15 strings. Scan unpacked payloads, not the packed outer layer.
 */
rule win_rapid_ransom_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.rapid_ransom."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_ransom"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Highest-scored sequence (present in all reference samples). The
        // pushed constants look like a CryptoAPI key-generation call setup:
        // 0xa400 matches CALG_RSA_KEYX and 0x4000001 matches
        // (1024 << 16) | CRYPT_EXPORTABLE, i.e. CryptGenKey(hProv, CALG_RSA_KEYX,
        // RSA1024|CRYPT_EXPORTABLE, &hKey). The call target itself is not part
        // of the sequence — TODO confirm against a sample. Being a generic
        // CryptoAPI idiom, this string alone has low uniqueness.
        $sequence_0 = { 50 6801000004 6800a40000 ff75f8 }
            // n = 4, score = 300
            //   50                   | push                eax
            //   6801000004           | push                0x4000001
            //   6800a40000           | push                0xa400
            //   ff75f8               | push                dword ptr [ebp - 8]

        // sequence_1 .. sequence_7: function prologues / argument shuffles
        // (score 200 — seen in two of the reference samples). Mostly
        // compiler-shaped code; their value comes from co-occurrence, not
        // from any single one being distinctive.
        $sequence_1 = { 83ec10 53 56 57 8bf9 32db 8bf2 }
            // n = 7, score = 200
            //   83ec10               | sub                 esp, 0x10
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bf9                 | mov                 edi, ecx
            //   32db                 | xor                 bl, bl
            //   8bf2                 | mov                 esi, edx

        $sequence_2 = { 83ec1c 53 57 8bf9 8bc2 }
            // n = 5, score = 200
            //   83ec1c               | sub                 esp, 0x1c
            //   53                   | push                ebx
            //   57                   | push                edi
            //   8bf9                 | mov                 edi, ecx
            //   8bc2                 | mov                 eax, edx

        // Two wildcarded indirect calls (ff15 ????????) — import-table calls
        // whose IAT slot address varies per build; only the surrounding
        // register/stack pattern is fixed.
        $sequence_3 = { ff15???????? 6a00 ff75f8 ff15???????? 5e 5f 8ac3 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   ff15????????         |                     
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   8ac3                 | mov                 al, bl

        $sequence_4 = { 7509 803a00 0f840c010000 8d742464 b8???????? 84db }
            // n = 6, score = 200
            //   7509                 | jne                 0xb
            //   803a00               | cmp                 byte ptr [edx], 0
            //   0f840c010000         | je                  0x112
            //   8d742464             | lea                 esi, [esp + 0x64]
            //   b8????????           |                     
            //   84db                 | test                bl, bl

        $sequence_5 = { 56 8bf2 8975fc 57 8bf9 85db }
            // n = 6, score = 200
            //   56                   | push                esi
            //   8bf2                 | mov                 esi, edx
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   57                   | push                edi
            //   8bf9                 | mov                 edi, ecx
            //   85db                 | test                ebx, ebx

        $sequence_6 = { e8???????? 83c430 8d45f4 6800010000 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   83c430               | add                 esp, 0x30
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   6800010000           | push                0x100

        $sequence_7 = { 7425 ff7514 8b542418 8bce ff7510 c644241701 57 }
            // n = 7, score = 200
            //   7425                 | je                  0x27
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   8b542418             | mov                 edx, dword ptr [esp + 0x18]
            //   8bce                 | mov                 ecx, esi
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   c644241701           | mov                 byte ptr [esp + 0x17], 1
            //   57                   | push                edi

        // sequence_8 .. sequence_14: score 100 — each seen in only ONE
        // reference sample. Several hard-code absolute addresses
        // (0x4158f8, 0x41d0e8, 0x41d364/0x41d36c, 0x404ef5), so they are
        // build-specific and will not survive a relink or a different
        // image base.
        $sequence_8 = { 0f8483000000 eb7d 8b1c9df8584100 6800080000 }
            // n = 4, score = 100
            //   0f8483000000         | je                  0x89
            //   eb7d                 | jmp                 0x7f
            //   8b1c9df8584100       | mov                 ebx, dword ptr [ebx*4 + 0x4158f8]
            //   6800080000           | push                0x800

        $sequence_9 = { 740e 50 e8???????? 83a6e8d0410000 59 83c604 }
            // n = 6, score = 100
            //   740e                 | je                  0x10
            //   50                   | push                eax
            //   e8????????           |                     
            //   83a6e8d0410000       | and                 dword ptr [esi + 0x41d0e8], 0
            //   59                   | pop                 ecx
            //   83c604               | add                 esi, 4

        $sequence_10 = { 8be5 5d c3 ff75e0 e8???????? 53 e8???????? }
            // n = 7, score = 100
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   ff75e0               | push                dword ptr [ebp - 0x20]
            //   e8????????           |                     
            //   53                   | push                ebx
            //   e8????????           |                     

        $sequence_11 = { eb72 8d04cd00000000 2bc1 46 8935???????? c6048564d3410001 893c856cd34100 }
            // n = 7, score = 100
            //   eb72                 | jmp                 0x74
            //   8d04cd00000000       | lea                 eax, [ecx*8]
            //   2bc1                 | sub                 eax, ecx
            //   46                   | inc                 esi
            //   8935????????         |                     
            //   c6048564d3410001     | mov                 byte ptr [eax*4 + 0x41d364], 1
            //   893c856cd34100       | mov                 dword ptr [eax*4 + 0x41d36c], edi

        // push 0x104 (= MAX_PATH) with a stack buffer at [ebp - 0x15c] —
        // presumably a path-sized buffer being passed to a Win32 API; the
        // callee is outside the sequence, so treat this as a hint, not a fact.
        $sequence_12 = { 6804010000 8d85a4feffff 8bf1 6a00 50 }
            // n = 5, score = 100
            //   6804010000           | push                0x104
            //   8d85a4feffff         | lea                 eax, [ebp - 0x15c]
            //   8bf1                 | mov                 esi, ecx
            //   6a00                 | push                0
            //   50                   | push                eax

        // `mov eax, fs:[0]` alongside a stored handler address (0x404ef5) is
        // the shape of an SEH frame being set up. This is compiler-emitted
        // prologue code with a build-specific handler address, not
        // family-specific behaviour.
        $sequence_13 = { 40 c745ecf54e4000 894df8 8945fc 64a100000000 8945e8 }
            // n = 6, score = 100
            //   40                   | inc                 eax
            //   c745ecf54e4000       | mov                 dword ptr [ebp - 0x14], 0x404ef5
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   64a100000000         | mov                 eax, dword ptr fs:[0]
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax

        $sequence_14 = { 83c9ff c7430c01000000 c7431000000000 eb2f }
            // n = 4, score = 100
            //   83c9ff               | or                  ecx, 0xffffffff
            //   c7430c01000000       | mov                 dword ptr [ebx + 0xc], 1
            //   c7431000000000       | mov                 dword ptr [ebx + 0x10], 0
            //   eb2f                 | jmp                 0x31

    // Any 7 of the 15 sequences must be present, AND the scanned object must
    // be smaller than 286720 bytes (280 KiB). The size cap limits cost and
    // false positives on large binaries, but it also means a full process
    // memory dump or a packed/bundled dropper larger than that will never
    // match even if it contains the code — scan the unpacked payload or
    // drop the filesize clause for memory scanning.
    condition:
        7 of them and filesize < 286720
}