win.rapid_ransom

Rapid Ransom


InfinityGroup notes that Rapid Ransomware, unlike most ransomware, stays resident on the host after the initial encryption pass and also encrypts any files created afterwards. It achieves this by creating autorun entries that relaunch the ransomware and redisplay the ransom note every time the infected system starts; consequently, the persistence entries have to be removed before recovered files are placed back on the host, or they will be encrypted again.

References
2020-02-28Financial Security InstituteFinancial Security Institute
@online{institute:20200228:profiling:ebaa39b, author = {Financial Security Institute}, title = {{Profiling of TA505 Threat Group That Continues to Attack the Financial Sector}}, date = {2020-02-28}, organization = {Financial Security Institute}, url = {https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do}, language = {English}, urldate = {2020-02-28} } Profiling of TA505 Threat Group That Continues to Attack the Financial Sector
Amadey Clop FlawedAmmyy Rapid Ransom SDBbot TinyMet
2020-02-25RSA ConferenceJoel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus
2019-07-24IBM X-Force ExchangeJohn Kuhn
@online{kuhn:20190724:guesswho:1b23cb0, author = {John Kuhn}, title = {{GuessWho Ransomware – A Variant of Rapid Ransomware}}, date = {2019-07-24}, organization = {IBM X-Force Exchange}, url = {https://exchange.xforce.ibmcloud.com/collection/GuessWho-Ransomware-A-Variant-of-Rapid-Ransomware-ef226b9792fa4c1e34fa4c587db04145}, language = {English}, urldate = {2020-01-10} } GuessWho Ransomware – A Variant of Rapid Ransomware
Rapid Ransom
2018-05-19Twitter (@malwrhunterteam)malwrhunterteam
@online{malwrhunterteam:20180519:rapid:b25afd8, author = {malwrhunterteam}, title = {{Tweet on Rapid 2 ransomware}}, date = {2018-05-19}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/997748495888076800}, language = {English}, urldate = {2020-01-06} } Tweet on Rapid 2 ransomware
Rapid Ransom
2018-03-23Twitter (MalwareHunterTeam)MalwareHunterTeam
@online{malwarehunterteam:20180323:rapid:31feb13, author = {MalwareHunterTeam}, title = {{Tweet on Rapid Ransomware 2.0}}, date = {2018-03-23}, organization = {Twitter (MalwareHunterTeam)}, url = {https://twitter.com/malwrhunterteam/status/977275481765613569}, language = {English}, urldate = {2019-12-10} } Tweet on Rapid Ransomware 2.0
Rapid Ransom
Yara Rules
[TLP:WHITE] win_rapid_ransom_auto (20230715 | Detects win.rapid_ransom.)
rule win_rapid_ransom_auto {
    /*
     * Autogenerated code-sequence signature for Rapid Ransom (win.rapid_ransom).
     * Each $sequence_N below is a short run of 32-bit x86 opcodes lifted from the
     * disassembly of Malpedia's samples. The "n = ..., score = ..." line above each
     * one is yara-signator bookkeeping (instruction count and the tool's ranking of
     * the sequence) kept in a comment, so it has no effect on matching.
     * The ???????? wildcards mask 4-byte operands -- rel32 call targets (e8) and
     * absolute import/call slots (ff15, 8b3d) -- which is why the disassembly column
     * is left blank for those bytes. Sequences that embed other absolute addresses
     * (see $sequence_8, $sequence_10, $sequence_12) are NOT wildcarded and therefore
     * only match builds with the same image layout.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.rapid_ransom."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_ransom"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): the pushed immediates are CryptoAPI-looking values --
        // 0xa400 equals CALG_RSA_KEYX and 0x4000001 equals (1024 << 16) | CRYPT_EXPORTABLE --
        // and the push order (phKey, dwFlags, Algid, hProv) is the argument shape of
        // CryptGenKey. The call slot is wildcarded, so confirm against the import
        // table before treating this as "generates a 1024-bit RSA key".
        $sequence_0 = { 50 6801000004 6800a40000 ff75f8 ff15???????? }
            // n = 5, score = 300
            //   50                   | push                eax
            //   6801000004           | push                0x4000001
            //   6800a40000           | push                0xa400
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   ff15????????         |                     

        // Tail of a loop that advances edi by 0x28 (40) bytes per iteration and
        // jumps back while bx < si, then restores edi/esi and zeroes eax.
        $sequence_1 = { 83c728 663bde 72c2 5f 5e 33c0 }
            // n = 6, score = 200
            //   83c728               | add                 edi, 0x28
            //   663bde               | cmp                 bx, si
            //   72c2                 | jb                  0xffffffc4
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   33c0                 | xor                 eax, eax

        // Byte-wise zero-fill: stores 0 at [eax], advances eax, repeats ecx times.
        // Generic enough that compilers emit it often; weak on its own.
        $sequence_2 = { c60000 8d4001 49 75f7 6a00 }
            // n = 5, score = 200
            //   c60000               | mov                 byte ptr [eax], 0
            //   8d4001               | lea                 eax, [eax + 1]
            //   49                   | dec                 ecx
            //   75f7                 | jne                 0xfffffff9
            //   6a00                 | push                0

        // Pushes 0x6a and two pointers at fixed offsets (edi+0x1ea, esi+0x200);
        // the offsets are the distinctive part of this sequence.
        $sequence_3 = { 6a6a 8d87ea010000 8d8e00020000 50 51 894de4 }
            // n = 6, score = 200
            //   6a6a                 | push                0x6a
            //   8d87ea010000         | lea                 eax, [edi + 0x1ea]
            //   8d8e00020000         | lea                 ecx, [esi + 0x200]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx

        // cdecl call with four stack arguments (esp += 0x10 afterwards); the
        // result is normalised to al = (return value == 0).
        $sequence_4 = { 57 6a01 e8???????? 83c410 84c0 0f94c0 }
            // n = 6, score = 200
            //   57                   | push                edi
            //   6a01                 | push                1
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   84c0                 | test                al, al
            //   0f94c0               | sete                al

        // Short and generic (deref, push 0, cdecl call, esp += 0x10); expect this
        // one to appear in unrelated binaries as well.
        $sequence_5 = { 8b12 6a00 e8???????? 83c410 }
            // n = 4, score = 200
            //   8b12                 | mov                 edx, dword ptr [edx]
            //   6a00                 | push                0
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10

        // Indirect call through a function pointer at [ebp+0x14], then a byte flag
        // at [esp+0xe] is tested.
        $sequence_6 = { ff5514 8b4c2448 83c410 8a44240e 84c0 752f }
            // n = 6, score = 200
            //   ff5514               | call                dword ptr [ebp + 0x14]
            //   8b4c2448             | mov                 ecx, dword ptr [esp + 0x48]
            //   83c410               | add                 esp, 0x10
            //   8a44240e             | mov                 al, byte ptr [esp + 0xe]
            //   84c0                 | test                al, al
            //   752f                 | jne                 0x31

        // Loads edi from a wildcarded absolute slot (likely an import) and sets up
        // arguments (0, 6, 0, [ebp-4]) for a call that lies outside the sequence.
        $sequence_7 = { 57 8b3d???????? 6a00 6a06 6a00 ff75fc }
            // n = 6, score = 200
            //   57                   | push                edi
            //   8b3d????????         |                     
            //   6a00                 | push                0
            //   6a06                 | push                6
            //   6a00                 | push                0
            //   ff75fc               | push                dword ptr [ebp - 4]

        // Walks 0x30-byte records at the absolute address 0x41c550 (not wildcarded),
        // so this only matches an image with that exact layout / base.
        $sequence_8 = { 894de4 399850c54100 0f84f3000000 41 83c030 894de4 }
            // n = 6, score = 100
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   399850c54100         | cmp                 dword ptr [eax + 0x41c550], ebx
            //   0f84f3000000         | je                  0xf9
            //   41                   | inc                 ecx
            //   83c030               | add                 eax, 0x30
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx

        // Zeroes an 8-byte local at [ebp-0x18] via xmm0 before a call; a compiler
        // idiom for struct initialisation rather than family-specific logic.
        $sequence_9 = { 8d45e8 c745cc00000000 50 0f57c0 57 660fd645e8 }
            // n = 6, score = 100
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   c745cc00000000       | mov                 dword ptr [ebp - 0x34], 0
            //   50                   | push                eax
            //   0f57c0               | xorps               xmm0, xmm0
            //   57                   | push                edi
            //   660fd645e8           | movq                qword ptr [ebp - 0x18], xmm0

        // NOTE(review): index >> 6 into a table at 0x41d0e8 plus (index & 0x3f) * 0x38
        // is the shape of the MSVC CRT's per-handle (ioinfo) lookup, i.e. statically
        // linked runtime code. If so, $sequence_10 and $sequence_12 carry little
        // family-specific signal and are tied to this build's absolute addresses.
        $sequence_10 = { c1f906 6bc038 03048de8d04100 50 }
            // n = 4, score = 100
            //   c1f906               | sar                 ecx, 6
            //   6bc038               | imul                eax, eax, 0x38
            //   03048de8d04100       | add                 eax, dword ptr [ecx*4 + 0x41d0e8]
            //   50                   | push                eax

        // Stores the constant 0xa00010 into a local and zeroes [ebp-0x18] via xmm0.
        $sequence_11 = { 56 e8???????? 83c40c c745d01000a000 0f57c0 660fd645e8 }
            // n = 6, score = 100
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   c745d01000a000       | mov                 dword ptr [ebp - 0x30], 0xa00010
            //   0f57c0               | xorps               xmm0, xmm0
            //   660fd645e8           | movq                qword ptr [ebp - 0x18], xmm0

        // Same 0x41d0e8 table and 0x38-byte stride as $sequence_10; compares a field
        // at offset 0x18 against -1 (see the NOTE on $sequence_10).
        $sequence_12 = { 8934b8 8bc7 83e03f 6bc838 8b0495e8d04100 8b440818 83f8ff }
            // n = 7, score = 100
            //   8934b8               | mov                 dword ptr [eax + edi*4], esi
            //   8bc7                 | mov                 eax, edi
            //   83e03f               | and                 eax, 0x3f
            //   6bc838               | imul                ecx, eax, 0x38
            //   8b0495e8d04100       | mov                 eax, dword ptr [edx*4 + 0x41d0e8]
            //   8b440818             | mov                 eax, dword ptr [eax + ecx + 0x18]
            //   83f8ff               | cmp                 eax, -1

        // Two-argument cdecl call (esp += 8) whose result is kept in edi; generic.
        $sequence_13 = { 50 8975ec e8???????? 8bf8 83c408 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   8975ec               | mov                 dword ptr [ebp - 0x14], esi
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   83c408               | add                 esp, 8

        // Loop prologue: edi = 0, skip the body if esi <= 0; generic compiler output.
        $sequence_14 = { 57 33ff 85f6 0f8e86000000 8bcb 8bd1 }
            // n = 6, score = 100
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   85f6                 | test                esi, esi
            //   0f8e86000000         | jle                 0x8c
            //   8bcb                 | mov                 ecx, ebx
            //   8bd1                 | mov                 edx, ecx

    condition:
        // Any 7 of the 15 sequences must be present. Since several of them are
        // generic compiler/CRT output (see the notes above), do not treat a hit as
        // high-confidence on its own; corroborate with the RSA-key sequence
        // ($sequence_0) or family-specific artefacts.
        // The size cap is 280 KiB (286720 bytes). It keeps the rule cheap on large
        // inputs but also means bigger samples or memory dumps will not match, and
        // YARA leaves `filesize` undefined when scanning a live process, which makes
        // the whole condition false there -- drop the size term for process-memory
        // scans. The sequences come from unpacked code, so a still-packed sample is
        // not expected to match; scan unpacked or dumped payloads.
        7 of them and filesize < 286720
}