Rapid RaaS

Rapid RaaS is an infection that, our researchers believe, might be still in development. This infection, without a doubt, comes from the same family of malware as Rapid Ransomware, RPD Ransomware, and Rapid 2.0 Ransomware, but the “RaaS” part in the name suggests that the newest variant is meant to work as ransomware-as-a-service. What does that mean? That means that the infection might be offered as a platform to build infections based on an existing code. The creators of Rapid Ransomware have proven that the infection can be successful, and so now they might be willing to offer its code for a price to anyone willing to pay. This is bad news because if tens or hundreds of different malicious actors build their own versions of this infection, we could have a wave of new and powerful file-encryptors. Hopefully, that does not happen, but if you need a refresher on what kind of malware this is, you should continue reading. We also provide a guide that might help remove Rapid RaaS infections.

There are several known versions of Rapid Ransomware, and that might be an indication of how unique different variants of Rapid RaaS could be. We first encountered Rapid Ransomware, and it already had two unique variants. Both had differences and unique traits. For example, both added “.rapid” as an extension to the files they encrypted. When it came to encryption, both versions corrupted files in all folders except for %PROGRAMFILES%, %PROGRAMFILES(x86)%, and %WINDIR%. Unfortunately, this left the most vulnerable personal passwords exposed. If the victims of this malware did not delete it right away, it would continuously encrypt files even after the initial attack. Also, it was discovered that the threat could encrypt extension-less files. In both cases, Rapid Rapid RaaS variants were found spreading via spam. This further proves that opening spam emails is never a good idea. Instead of opening them, you should remove them. One version of the infection was also found to be capable of deleting shadow volume copies using the “/c vssadmin.exe Delete Shadows /All /Quiet” command, which hindered file recovery from local backup. The infection also created a copy of itself to ensure successful attack even if the original launcher was removed.

While different components could be used to aid Rapid RaaS, all file-encryptors are created with the purpose of making victims pay money. Since they cannot push anyone to give money without a reason, they use decryptors, decryption keys, and tools with other names that, allegedly, can restore files as bait. To introduce victims to the demands, the creators of Rapid RaaS infections can use special files to deliver messages. The two different versions of Rapid Ransomware used “How Decrypt Files.txt” and “How Recovery Files.txt” files to inform victims that they could restore files only if they emailed rapid@rape.lol and rapid@airmail.cc. Rapid 2.0 Ransomware used the “DECRYPT.[unique code].txt” to introduce victims to supp1decr@cock.li and supp2decr@cock.li email addresses. Although these notes did not mention ransom payments, information regarding this was sent to users who communicated with cyber criminals. Communicating with them could be dangerous because they could send malware and expose to scams. Paying the ransom is not recommended because ransomware creators are not known for offering decryptors in return for ransom payments. It is just a scam to get the money.

It is imperative to focus on the removal of Rapid RaaS infections if they strike. Although you might take the risk of paying a ransom to obtain a decryptor first, you need to act as quickly as possible. Whether or not your files are decrypted – and the latter is unlikely to happen – you need to delete Rapid RaaS ASAP. Since different variants of this malware might exist, it is strongly recommended that you install anti-malware software to automatically find and delete all malicious elements. If you decide to remove this malware yourself, you need to be cautious about launchers with unique and random names. Also, it is strongly recommended that you employ free malware scanners to help you check if or not you have removed all malicious components. If you need any kind of help with ransomware and removal processes, do not hesitate to leave a comment below. Our malware experts will address your questions and issues as soon as possible.

N.B. To keep your system protected, you should use the full-time protection provided by anti-malware software. To keep your files protected, you should back them up using cloud or external drives.

Rapid RaaS Removal

1. Launch Task Manager (tap Ctrl+Alt+Delete and select).
2. Click the Processes tab and look for unfamiliar processes.
3. Right-click and choose Open file location.
4. If you find malicious files, terminate processes and then Delete the files.
5. Delete all recently downloaded suspicious files.
6. Launch Explorer by tapping Win+E keys and enter %APPDATA% at the top.
7. Look for ransomware-related .exe and .txt files. If you find them, Delete them.
8. Delete ransom note files, such as How Decrypt Files.txt or How Recovery Files.txt.
9. Once all malicious files are eliminated, Empty Recycle Bin.
10. Perform a full system scan using a legitimate malware scanner to check for leftovers.