Rapid Ransomware (<Random Filename>.guesswho / mail@rapid2019.com.url) - Videos

Major Detection Name : Ransom.Rapid (Malwarebytes), Ransom:Win32/Rapid.A!MTB (Microsoft)

Malicious File Creation Location :
- C:\temp\wupdate.exe
- C:\Users\%UserName%\AppData\Roaming\info.exe
- C:\Users\%UserName%\AppData\Roaming\recovery.txt
- C:\Windows\System32\Tasks\Encrypter
- C:\Windows\System32\Tasks\EncrypterSt

Payment Instruction File : How Recovery Files.txt / mail@rapid2019.com.url / recovery.txt

Major Characteristics :
- Offline Encryption
- Disable and Blocks Command Prompt (cmd.exe) and Task Manager (Taskmgr.exe)
- Delete Hyper-V and SQL services (sc delete "vmickvpexchange", sc delete "vmicshutdown", sc delete "vmicrdv", sc delete "MSSQLFDLauncher", sc delete "SQLSERVERAGENT", sc delete "SQLTELEMETRY" etc.)
- Block SQL processes execution (MsDtsSrvr.exe, msmdsrv.exe, sqlbrowser.exe, sqlceip.exe, sqlservr.exe, sqlwriter.exe etc.)
- Delete Anti-Virus services (sc delete "AVP18.0.0", sc delete "ekrn", sc delete "klim6", sc delete "TmFilter", sc delete "TMLWCSService", sc delete "WRSVC" etc)
- Block Anti-Virus processes execution (AvastUI.exe, avp.exe, egui.exe, MsMpEng.exe, ntrtscan.exe, WRSA.exe)
- Disable system restore (wbadmin DELETE SYSTEMSTATEBACKUP, wmic SHADOWCOPY DELETE, vssadmin.exe Delete Shadows /All /Quiet, bcdedit.exe /set {default} recoveryenabled No, bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures)
- Adds Encrypter to scheduler to execute "%AppData%\info.exe" every minute
- Adds EncrypterSt to scheduler to execute "%AppData%\info.exe" at user login
- Displays ransom note (notepad.exe C:\Users\%UserName%\AppData\Roaming\recovery.txt) when user executes encrypted file (<Random Filename>.guesswho)