{"id":2910,"date":"2024-09-25T20:25:34","date_gmt":"2024-09-25T20:25:34","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2910"},"modified":"2025-07-29T06:45:22","modified_gmt":"2025-07-29T06:45:22","slug":"rapid-ransomware-stumbles-at-the-first-hurdle","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/rapid-ransomware-stumbles-at-the-first-hurdle\/","title":{"rendered":"Rapid Ransomware stumbles at the first hurdle"},"content":{"rendered":"
\n
\"rafting_river_adventure\"<\/figure>\n<\/div>\n\n\n

Overview<\/strong>

The latest malware to cross our desks is the alliterated Rapid Ransomware \u2013 a strain that seemingly rolls off the tongue easier than it rolls into computers. From its earliest days, anti-virus vendors were successful in identifying the strain based on heuristic rules.  

As yet, little is known about the strain\u2019s distribution method, but analysis on the sample itself uncovers some interesting characteristics. 

Sample Details<\/ins>

File Hash (SHA-256): cdd7cde605f034698b9f6502e71154c250143b98dc677fecb18f1d376e0617c2

File Size: 886272 bytes

PE type: EXE

Static Analysis<\/strong>

Before disassembling the sample, our researchers collected the static properties such as compiler used, creation details, and the sample\u2019s blacklisted APIs:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 1 Compiled by VC++<\/em>

Timestamp details show us the malware was created on December 29 last year, but it is still being seen in the wild more than a month later.

It was first uploaded to VirusTotal on New Year\u2019s Eve, and while it was initially flagged by AV tools on heuristic rules, it is now detected specifically as \u2018Rapid Ransomware\u2019.

Below, we outline the sample\u2019s blacklisted APIs which also identifies its anti-debug functionalities. As well as the common APIs we\u2019d expect to see in a ransomware sample such as GetLogicDrive, CryptEncrypt, CryptImportKey, CryptExportKey, CryptSetKeyParam, CryptDestroyKey, CryptGenKey, and CryptAcquireContextA, we also see:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 2 Usage of Blacklisted API and Anti-debug API<\/em>

Static analysis also uncovered a number of interesting strings, listed below:<\/p>\n\n\n\n

.text:0xABACE        ! How Decrypt Files.txt
.text:0xABC48        \\info.exe
.rdata:0xAC41B        Software\\Microsoft\\Windows\\CurrentVersion\\Run
.rdata:0xACA95        RegOpenKeyEx
.rdata:0xACB76        RegQueryValueEx
.rdata:0xACB89        RegCloseKey
.rdata:0xAD7CE        f:\\dd\\vctools\\crt\\vcruntime\\src\\eh\\std_type_info.cpp
.rdata:0xAD91D        f:\\dd\\vctools\\crt\\vcruntime\\src\\internal\\per_thread_data.cpp
.rdata:0xAF99F        minkernel\\crts\\ucrt\\src\\appcrt\\misc\\dbgrpt.cpp
.rdata:0xAFAEF        minkernel\\crts\\ucrt\\src\\appcrt\\stdio\\_file.cpp
.rdata:0xB810B        minkernel\\crts\\ucrt\\inc\\corecrt_internal_stdio_output.h
.rdata:0xBCD28        Client hook allocation failure.
.rdata:0xBDE93        Object dump complete.
.rdata:0xBE2CB        minkernel\\crts\\ucrt\\src\\appcrt\\startup\\argv_parsing.cpp
.rdata:0xBE308        minkernel\\crts\\ucrt\\src\\desktopcrt\\env\\environment_initialization.cpp
.rdata:0xBE4DE        minkernel\\crts\\ucrt\\src\\appcrt\\startup\\onexit.cpp
.rdata:0xBF0B7        minkernel\\crts\\ucrt\\src\\appcrt\\locale\\wsetlocale.cpp
.rdata:0xBF22D        minkernel\\crts\\ucrt\\src\\appcrt\\internal\\per_thread_data.cpp
.rdata:0xC2237        minkernel\\crts\\ucrt\\src\\appcrt\\misc\\signal.cpp<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

In the below snapshot, we can see the ransomware adds the extension \u2018.rapid\u2019 to encrypted files, the file drop location is %appdata%, as well as the contact email address for file restore.
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 3 Interesting strings<\/em>

Having analysed the string details and blacklisted API usage, we next disassembled the sample to study its characteristics:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 4 File ‘info.exe’ and queries logical drive info<\/em>

The query \u2018GetLogicalDrives()\u2019 collects information for the logical drives that can be found in the victim system. It does so by retrieving an integer as bitmask value.\u00a0

For example, if the function returns a value of \u20184\u2019, then its equivalent binary is 100 \u2013 this could mean either C, B, or A (though A and B are not present) so the only available drive is C.\u00a0

Below we see the functions responsible for replacing file extensions with \u2018.rapid\u2019:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 5 ‘.Rapid’ file extension<\/em><\/p>\n\n\n\n

As mentioned in the blacklisted API, we found the \u2018cryptencrypt\u2019 function in the disassembled code which is used to encrypt the data. Its associated function, \u2018Cryptgenkey\u2019, generates a cryptographic session key. The below snapshot shows the \u2018cryptencrypt\u2019 function in use:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\u00a0Figure 6 CryptEncrypt ()<\/em><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\u00a0Figure 7 Run Registry entry<\/em><\/p>\n\n\n\n

For maintaining persistence, the malware uses the above run registry entry, while info.exe is dropped in the %appdata% location. With the value of the registry entry as \u2018Encrypter\u2019, this gives the appearance that the registry entry belongs to a legitimate application, rather than a malicious one.<\/p>\n\n\n\n

Contents of how to decrypt files:<\/p>\n\n\n\n

Hello!
All your files have been encrypted by us If you want restore files write on e-mail \u2013 rapid(at)rape(.)lol<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Threat Indicators\/IOC Details<\/strong>

File Hash (SHA-256): 

\u2022    cdd7cde605f034698b9f6502e71154c250143b98dc677fecb18f1d376e0617c2

Dropped Files: 

\u2022    info.exe (under %appdata% location)

\u2022    \u2018! How Decrypt Files.txt\u2019

E-mail: 

\u2022    rapid(at)rape(.)lol

Registry entry: 

\u2022    Run entry created with the value as \u201cEncrypter\u201d.

File extension: 

\u2022    .Rapid

Conclusion<\/strong>

The above IOC details can help security professionals detect this ransomware.  

Standard computer hygiene practices like regular backups and exercising caution when dealing with emails and attachments from unknown senders are the best defence against most ransomware attacks.

In this case, as most AV vendors detected this ransomware with heuristic rules from the day it appeared on the internet, updated anti-virus with latest definition should protect most users.<\/p>\n","protected":false},"excerpt":{"rendered":"

Overview The latest malware to cross our desks is the alliterated Rapid Ransomware – a strain that seemingly rolls off the tongue easier than it rolls into computers. From its earliest days, anti-virus vendors were successful in identifying the strain based on heuristic rules.   As yet, little is known about the strain’s distribution method, […]<\/p>\n","protected":false},"author":1,"featured_media":2918,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2910","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2910","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2910"}],"version-history":[{"count":4,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2910\/revisions"}],"predecessor-version":[{"id":4340,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2910\/revisions\/4340"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2918"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2910"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2910"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2910"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}