- Distribution Method : Unknown
- MD5 : 959ea90fe7969312e0735ef0e7afcb85
- Major Detection Name : Ransom:Win32/Rapid.A!MTB (Microsoft), Ransom_Rapid.R004C0DFH19 (Trend Micro)
- Encrypted File Pattern : <Random Filename>.guesswho
- Malicious File Creation Location :
  - C:\temp\wupdate.exe
  - C:\Users\%UserName%\AppData\Roaming\info.exe
  - C:\Users\%UserName%\AppData\Roaming\recovery.txt
  - C:\Windows\System32\Tasks\Encrypter
  - C:\Windows\System32\Tasks\EncrypterSt
- Payment Instruction File : How Recovery Files.txt / mail@rapid0.com.url / recovery.txt
- Major Characteristics :
  - Offline encryption
  - Disables and blocks Command Prompt (cmd.exe) and Task Manager (Taskmgr.exe)
  - Deletes Hyper-V and SQL services (sc delete "vmickvpexchange", sc delete "vmicshutdown", sc delete "vmicrdv", sc delete "MSSQLFDLauncher", sc delete "SQLSERVERAGENT", sc delete "SQLTELEMETRY" etc.)
  - Blocks execution of SQL processes (MsDtsSrvr.exe, msmdsrv.exe, sqlbrowser.exe, sqlceip.exe, sqlservr.exe, sqlwriter.exe etc.)
  - Deletes anti-virus services (sc delete "AVP18.0.0", sc delete "ekrn", sc delete "klim6", sc delete "TmFilter", sc delete "TMLWCSService", sc delete "WRSVC" etc.)
  - Blocks execution of anti-virus processes (AvastUI.exe, avp.exe, egui.exe, MsMpEng.exe, ntrtscan.exe, WRSA.exe)
  - Disables system restore (wbadmin DELETE SYSTEMSTATEBACKUP, wmic SHADOWCOPY DELETE, vssadmin.exe Delete Shadows /All /Quiet, bcdedit.exe /set {default} recoveryenabled No, bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures)
  - Adds the Encrypter task to the scheduler to execute "%AppData%\info.exe" every minute
  - Adds the EncrypterSt task to the scheduler to execute "%AppData%\info.exe" at user login
  - Displays the ransom note (notepad.exe C:\Users\%UserName%\AppData\Roaming\recovery.txt) when the user executes an encrypted file (<Random Filename>.guesswho)