Rapid Ransomware | Encrypting New Files


Welcome to the penetration testing channel.

Rapid Ransomware Continues Encrypting New Files as they Are Created:

A new ransomware called Rapid Ransomware is being spread that stays active after initially encrypting a computer and encrypts any new files that are created. While this behavior is not unique to Rapid, it is not one we see often.

While it is not known how the Rapid Ransomware is being distributed, it has been infecting numerous people starting in January. According to statistics from ID-Ransomware, the first submitted case was on January 3rd and since then there have been over 300 submissions. This is probably a small portion of the total victims, as there are many who most likely did not utilize ID-Ransomware to identify the infection.

How Rapid Ransomware encrypts a computer:

When the ransomware runs, it will clear the Windows shadow volume copies, terminate database processes, and disable automatic repair. The processes that are terminated are sql.exe, sqlite.exe, and oracle.com, and the commands that are executed are.

Once these commands are executed, the ransomware will scan the computer for files to encrypt. When a file is encrypted it will have the .rapid extension appended to the encrypted file's name.

When the ransomware has finished encrypting a computer it will create ransom notes named How Recovery Files.txt in various folders, including the Windows desktop. This ransom note contains an email address that the victim should contact to receive payment instructions.

This infection will also create autoruns that launch the ransomware on startup and display the ransom note. Information about these autoruns can be found in the IOCs below.

At this time, the Rapid Ransomware cannot be decrypted for free and it is unknown if the attackers provide the decryption key if a payment has been made. For those who have been infected, we have a Rapid Ransomware Support & Help topic where victims can discuss the infection and receive support.

What to do if you are infected with Rapid Ransomware
As Rapid Ransomware continues to run and monitor for new files to encrypt after a computer is initially encrypted, it is important to shut it down as soon as possible. Once a victim detects that they have been infected with Rapid Ransomware, they should immediately open up the Windows task manager and terminate the associated ransomware process.

If the computer has not been rebooted yet, then the running process may have any name. For example, our sample was named rapid.exe and you can see it running in the screenshot below. Actual victims will not have this file name running. If the computer has already been rebooted, the ransomware process may be named info.exe.

Once you terminate the process, you should start msconfig.exe and disable the autoruns. If you are unable to access the Windows task manager, you can reboot into Safe Mode with Networking and try from there.
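The response steps above amount to one question: which process is still writing .rapid files after the ransom note has been dropped? As an added example (not code from the article or from the ransomware), the check below runs that triage over file-write telemetry. The `seconds|process|path` log format and the sample lines are constructed for this example; the .rapid extension, the note name and the rapid.exe / info.exe process names come from the write-up.

```python
import ntpath
from collections import namedtuple

# Indicators quoted in the write-up above
RANSOM_NOTE = "How Recovery Files.txt"
ENCRYPTED_EXT = ".rapid"
KNOWN_PROCESS_NAMES = {"rapid.exe", "info.exe"}  # sample name / post-reboot name

# Constructed file-write telemetry, "seconds|process|path" (assumed format, made-up data)
SAMPLE_LOG = r"""
10|info.exe|C:\Users\alice\Documents\budget.xlsx.rapid
11|info.exe|C:\Users\alice\Documents\report.docx.rapid
12|info.exe|C:\Users\alice\Pictures\photo.jpg.rapid
15|info.exe|C:\Users\alice\Desktop\How Recovery Files.txt
40|backup.exe|C:\Backups\2018-02\archive.zip
95|info.exe|C:\Users\alice\Documents\new-memo.docx.rapid
"""

FileEvent = namedtuple("FileEvent", "ts process path")  # ts = seconds since log start

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, proc, path = line.split("|", 2)
        events.append(FileEvent(int(ts), proc.strip().lower(), path.strip()))
    return events

def analyse(events):
    """Per process: .rapid writes, when the note was dropped, and writes after the note.
    Writes after the note are the tell that the ransomware is still running."""
    report = {}
    for e in events:
        r = report.setdefault(e.process, {"encrypted": 0, "note_at": None, "after_note": 0,
                                          "known_name": e.process in KNOWN_PROCESS_NAMES})
        name = ntpath.basename(e.path)  # handles Windows paths on any host OS
        if name == RANSOM_NOTE:
            r["note_at"] = e.ts if r["note_at"] is None else r["note_at"]
        elif name.lower().endswith(ENCRYPTED_EXT):
            r["encrypted"] += 1
            if r["note_at"] is not None and e.ts > r["note_at"]:
                r["after_note"] += 1
    return report

def suspects(report, min_encrypted=3):
    """Processes to terminate first: bulk .rapid writers, note droppers, or known names."""
    return sorted(p for p, r in report.items()
                  if r["encrypted"] >= min_encrypted or r["note_at"] is not None or r["known_name"])
```

Running `suspects(analyse(parse_events(SAMPLE_LOG)))` on the constructed log names only info.exe, and its report shows one .rapid write after the note, which is the signal that the process must be terminated before any more files are created.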

How to protect yourself from the Rapid Ransomware
In order to protect yourself from ransomware, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.

You should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections or heuristics. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.

source: https://www.bleepingcomputer.com/news...


Reviewed by Unknown on February 25, 2018