win.rapid_ransom

Rapid Ransom


InfinityGroup notes that Rapid Ransomware, unlike regular ransomware, stays active on the computer after initially encrypting the system and also encrypts any new files that are created. It does this by creating auto-run entries designed to launch the ransomware and display the ransom note every time the infected system is started.

References
2020-02-28 — Financial Security Institute — Financial Security Institute
Profiling of TA505 Threat Group That Continues to Attack the Financial Sector
Amadey Clop FlawedAmmyy Rapid Ransom SDBbot TinyMet
2020-02-25 — RSA Conference — Joel DeCapua
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus
2019-07-24 — IBM X-Force Exchange — John Kuhn
GuessWho Ransomware – A Variant of Rapid Ransomware
Rapid Ransom
2018-05-19 — Twitter (@malwrhunterteam) — malwrhunterteam
Tweet on Rapid 2 ransomware
Rapid Ransom
2018-03-23 — Twitter (MalwareHunterTeam) — MalwareHunterTeam
Tweet on Rapid Ransomware 2.0
Rapid Ransom
Yara Rules
[TLP:WHITE] win_rapid_ransom_auto (20260504 | Detects win.rapid_ransom.)
// Auto-generated YARA-Signator rule for the Rapid Ransom family (Malpedia id win.rapid_ransom).
// Each $sequence_N below is a short run of x86 instruction bytes lifted from reference samples;
// the condition requires 7 of the 15 sequences plus a file-size cap, so a hit needs several
// independent code fragments rather than any single one.
rule win_rapid_ransom_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.rapid_ransom."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_ransom"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Hex patterns use "??" wildcards where operand bytes vary between builds
        // (absolute addresses in call/mov/push operands such as ff15/e8/b8/68); the
        // disassembly column is left blank for those instructions. "n" is the number
        // of instructions in the sequence. "score" is emitted by yara-signator and
        // presumably reflects how widely the sequence was seen across the reference
        // samples - confirm against the tool's documentation before using it to
        // weight individual hits.
        $sequence_0 = { 50 6801000004 6800a40000 ff75f8 }
            // n = 4, score = 300
            //   50                   | push                eax
            //   6801000004           | push                0x4000001
            //   6800a40000           | push                0xa400
            //   ff75f8               | push                dword ptr [ebp - 8]

        // Generic PE-header walk: a 16-bit compare at [ecx] (likely the "MZ" check; the
        // compared value is loaded outside this sequence), then e_lfanew at [ecx+0x3c]
        // and a check for the "PE\0\0" signature (0x4550). Code like this appears in many
        // loaders and packers, so this sequence alone is weak evidence; it only
        // contributes to the 7-of-15 threshold.
        $sequence_1 = { 57 663901 7561 8b713c 03f1 813e50450000 }
            // n = 6, score = 200
            //   57                   | push                edi
            //   663901               | cmp                 word ptr [ecx], ax
            //   7561                 | jne                 0x63
            //   8b713c               | mov                 esi, dword ptr [ecx + 0x3c]
            //   03f1                 | add                 esi, ecx
            //   813e50450000         | cmp                 dword ptr [esi], 0x4550

        $sequence_2 = { ff15???????? 8bd8 895c2434 85db 7509 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   895c2434             | mov                 dword ptr [esp + 0x34], ebx
            //   85db                 | test                ebx, ebx
            //   7509                 | jne                 0xb

        $sequence_3 = { 6a00 68a7000000 6a01 e8???????? }
            // n = 4, score = 200
            //   6a00                 | push                0
            //   68a7000000           | push                0xa7
            //   6a01                 | push                1
            //   e8????????           |                     

        $sequence_4 = { ff15???????? 56 8ad8 ff15???????? 56 ff15???????? 5f }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   56                   | push                esi
            //   8ad8                 | mov                 bl, al
            //   ff15????????         |                     
            //   56                   | push                esi
            //   ff15????????         |                     
            //   5f                   | pop                 edi

        $sequence_5 = { 803e00 7509 803a00 0f840c010000 8d742464 b8???????? }
            // n = 6, score = 200
            //   803e00               | cmp                 byte ptr [esi], 0
            //   7509                 | jne                 0xb
            //   803a00               | cmp                 byte ptr [edx], 0
            //   0f840c010000         | je                  0x112
            //   8d742464             | lea                 esi, [esp + 0x64]
            //   b8????????           |                     

        // Standard function prologue (frame setup, 8-byte stack alignment via
        // "and esp, 0xfffffff8", 0x16c bytes of locals, callee-saved pushes) - ordinary
        // compiler output, so low specificity on its own.
        $sequence_6 = { 55 8bec 83e4f8 81ec6c010000 53 56 57 }
            // n = 7, score = 200
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83e4f8               | and                 esp, 0xfffffff8
            //   81ec6c010000         | sub                 esp, 0x16c
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_7 = { 8bd0 8bce e8???????? 8b0d???????? 8b75ec 50 }
            // n = 6, score = 200
            //   8bd0                 | mov                 edx, eax
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8b0d????????         |                     
            //   8b75ec               | mov                 esi, dword ptr [ebp - 0x14]
            //   50                   | push                eax

        // Unlike the "??"-masked operands above, the immediates 0x418294 / 0x41c120 /
        // 0x404ef5 in the next three sequences are kept literal. They look like absolute
        // addresses into the sample's image, so these strings are tied to one build's
        // layout and may not generalize to recompiled or relocated variants.
        $sequence_8 = { e8???????? c70021000000 eb44 c745e002000000 c745e494824100 8b4508 8bcf }
            // n = 7, score = 100
            //   e8????????           |                     
            //   c70021000000         | mov                 dword ptr [eax], 0x21
            //   eb44                 | jmp                 0x46
            //   c745e002000000       | mov                 dword ptr [ebp - 0x20], 2
            //   c745e494824100       | mov                 dword ptr [ebp - 0x1c], 0x418294
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8bcf                 | mov                 ecx, edi

        $sequence_9 = { 81784820c14100 7409 ff7048 e8???????? 59 c70701000000 }
            // n = 6, score = 100
            //   81784820c14100       | cmp                 dword ptr [eax + 0x48], 0x41c120
            //   7409                 | je                  0xb
            //   ff7048               | push                dword ptr [eax + 0x48]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   c70701000000         | mov                 dword ptr [edi], 1

        $sequence_10 = { 8b4514 40 c745ecf54e4000 894df8 }
            // n = 4, score = 100
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   40                   | inc                 eax
            //   c745ecf54e4000       | mov                 dword ptr [ebp - 0x14], 0x404ef5
            //   894df8               | mov                 dword ptr [ebp - 8], ecx

        $sequence_11 = { 56 57 6804010000 8d85f8feffff 8bfa }
            // n = 5, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   6804010000           | push                0x104
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   8bfa                 | mov                 edi, edx

        $sequence_12 = { ffd6 85c0 753b 8b542410 b9???????? e8???????? }
            // n = 6, score = 100
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   753b                 | jne                 0x3d
            //   8b542410             | mov                 edx, dword ptr [esp + 0x10]
            //   b9????????           |                     
            //   e8????????           |                     

        $sequence_13 = { 8bcb 8b55ec 68???????? 893d???????? e8???????? 83c404 84c0 }
            // n = 7, score = 100
            //   8bcb                 | mov                 ecx, ebx
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]
            //   68????????           |                     
            //   893d????????         |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   84c0                 | test                al, al

        $sequence_14 = { 8b75ec 8ac4 8b7de4 c0e102 c0eb04 }
            // n = 5, score = 100
            //   8b75ec               | mov                 esi, dword ptr [ebp - 0x14]
            //   8ac4                 | mov                 al, ah
            //   8b7de4               | mov                 edi, dword ptr [ebp - 0x1c]
            //   c0e102               | shl                 cl, 2
            //   c0eb04               | shr                 bl, 4

    condition:
        // Requires any 7 of the 15 sequences. The size cap (286720 bytes = 280 KiB) is
        // applied to the scanned object; per the disclaimer the sequences were taken
        // from unpacked files and memory dumps, so packed on-disk samples may not
        // match, and a padded or repacked variant above the cap will be missed even
        // when the code sequences are present.
        7 of them and filesize < 286720
}