ALERT: New "Rapid" Ransomware Variant Released!
  

Sangfor Elsa Posted 25 Oct 2018 15:53

Last edited by Sangfor Elsa 25 Oct 2018 15:56.

Recently, Sangfor security team received feedbacks from enterprise customers that their networks have been infected by a ransomware virus. Sangfor immediately took the necessary steps to acquire and analyze the virus sample. Analysis shows that it is a variant of “Rapid” ransomware family that uses RSA and AES algorithms to encrypt most of the files, appends suffix .no_more_ransom to those encrypted files and demands ransom.

Rapid ransomware virus broke out once in 2017, encrypting files and appending suffix .rapid originally. This variant was discovered in China for the first time and is now expanding to other Asian countries. We suspect that the ransomware family becomes active again. At the time of writing, there is no known ways to decrypt encrypted files.

Virus Analysis
The process of Rapid ransomware is info.exe.

1.png

The executable file is stored in the directory AppData\Roaming.

2.png

Attack Stages
3.png
Before encryption, the ransomware will examine the locale settings on computers. If the computer has locale setting set to Russian (0x419) then the encryption will not be launched on that computer. After that, it will delete shadow copies of files.

Additionally, what makes Rapid different from other ransomware is that it creates two scheduled tasks to be able to execute at system startup and scheduled time. That is to say, this ransomware achieves persistence on the infected host while other ransomware will not stay after encryption.

4.png

The ransomware virus copies itself to the AppData\Roaming directory.

5.png

End OA
msftesql.exe sqlagent.exe sqlbrowser.exe  sqlservr.exe
sqlwriter.exe oracle.exe ocssd.exe  dbsnmp.exe
synctime.exe mydesktopqos.exe agntsvc.exe
isqlplussvc.exe  xfssvccon.exe mydesktopservice.exe
ocautoupds.exe  agntsvc.exe agntsvc.exe agntsvc.exe
encsvc.exe firefoxconfig.exe tbirdconfig.exe  ocomm.exe
mysqld.exe mysqld-nt.exe mysqld-opt.exe dbeng50.exe
sqbcoreservice.exe  excel.exe infopath.exe msaccess.exe
mspub.exe onenote.exe outlook.exe powerpnt.exe
steam.exe thebat.exe thebat64.exe thunderbird.exe
visio.exe winword.exe wordpad.exe taskmgr.exe

Kill anti-virus software
AVP.EXE ekrn.exe avgnt.exe ashDisp.exe
NortonAntiBot.exe Mcshield.exe avengine.exe cmdagent.exe
smc.exe persfw.exe pccpfw.exe fsguiexe.exe cfp.exe
msmpeng.exe

It adds itself to registry to be able to encrypt files at system startup.

6.png

Initialize public & private key

7.png

The public key and private key are stored in HKCU\Software\EncryptKeys.

8.png

Start encrypting

9.png

It then appends encrypted files with .no_more_ransom extension

10.png

When encryption completes, ransom note displays as follows:

11.png

Solution
At the time of writing, there is no decryption tool for those victims. You may quarantine infected hosts and disconnect them from network. We recommend you to perform virus scan and protection as soon as possible.

Detection and Removal
1. Sangfor offers customers and users a free anti-malware software to scan for and remove the ransomware virus. Simply download it from http://go.sangfor.com/anti-bot-tool-20181024
2. Sangfor NGAF is capable of detecting and removing this ransomware virus.

Anti-virus
1. Fix the vulnerability in time by installing the corresponding patch on the host.
2. Back up critical data files regularly to other hosts or storage devices.
3. Do not click on any email attachment from unknown sources and do not download any software from untrusted websites
4. Disable unnecessary file sharing.
5. Change and strengthen your computer password and do not use the same passwords for different computers to avoid compromising a series of computers.
6. Rapid ransomware infected software may make use of RDP (Remote Desktop Protocol). Please disable RDP if it is unnecessary for your business. If C&C communication appears again, use Sangfor NGAF to block port 3389 and other ports to stop ransomware from spreading.
7. Sangfor NGAF can prevent brute-force attacks. Turn on brute-force attack prevention on NGAF and enable Rule 11080051, 11080027 and 11080016.
8. For Sangfor NGAF customers, upgrade your Sangfor NGAF software to version NGAF 8.0.5 and enable Sangfor AI engine Zero to gain the optimal prevention capabilities.

Lastly, we recommend that enterprise customers perform security scan and virus removal on the whole network, enhance network security, with Sangfor NGAF to detect, prevent and protect the internal network.

Consultancy and Services
Contact us by any of the following means to gain consultancy and support service for free:
1. Call us at +60 12711 7129 (7511)
2. Visit Sangfor Community (http://community.sangfor.com) and talk to our Virtual Agent.

Like this topic? Like it or reward the author.

Creating a topic earns you 5 coins. A featured or excellent topic earns you more coins. What is Coin?

Enter your mobile phone number and company name for better service. Go

Alisson Zelli Posted 08 Jan 2019 04:16
  
Oh my God! I had all my personal files, including all photos and videos of the family. Is there any tool to decrypt files of this new variant of Rapid RS? Thanks!
arvin Lv2Posted 21 Jan 2020 12:29
  
Is Sangfor already able to recover or is it limited to just spreading?
Faisal P Lv8Posted 18 Oct 2022 11:23
  
Thank you for your information ...

Trending Topics

Board Leaders