Rapid Ransomware - How to remove

Rapid ransomware is an extremely dangerous virus actively spreading in Europe and the US right now. As it is reported, this virus was launched in January 2018 and has been infecting thousands of users since then, most of them in Europe. It is a typical and unique ransomware infection at the same time – it features some attributes that are typical for this kind of infection and at the same time there are some qualities that are rather weird.

As of 2018 August, there are 4 variants of Rapid ransomware. They are not technically very different, but they have separate encrypted file extensions, crypto-emails, and ransom notes.

Unfortunately, there is still no official decryptor for any of the mentioned ransomware versions. The 2-viruses.com team prepared a simple guide (which you will find at the end of this article) on how to remove and potentially restore your locked files.

What is special about Rapid ransomware?

It locks all newly added files

Typically, if you get hit with a ransomware infection, it scans your computer for files that are stored on your hard drive and then encrypts them, so you can no longer use any of them. Then, it demands the ransom to be paid if you want to get the decryption key and get your files back.

In the case of Rapid, this virus will stay active even after the original encryption. All the new files that you create or download on your computer will be encrypted in real time. That means you must remove this virus from your computer if you want to use your PC and avoid having to reinstall the operating system.

Rapid encrypts files and changes their names

Now, let’s talk about the specifics of the infection itself. As usual, the Rapid ransomware virus encrypts files to break their contents. Encrypted files can’t be opened – there’s usually an error message or the contents of the file look like noise.

Rapid also adds a new extension to the end of the name of each locked file: “.rapid”.

Say you had a file named “photo.jpg”: after Rapid’s encryption, the file is called “photo.jpg.rapid” (if your Windows shows file extensions) and its icon is a blank page.

Next thing – after the encryption, a file named “! How Decrypt Files.txt”‘ is placed on your desktop. It contains this message:

Hello!
All your files have been encrypted by us
If you want restore files write on e-mail – [email protected]

As you can see, any further details (the amount of ransom or how you should pay it) are not provided. Instead of that, you are encouraged to contact the cybercriminals at [email protected]. There are more email addresses associated with this virus.

Paying the ransom or even contacting those crooks is almost always a bad idea. For one, if you reveal any private information to the criminals behind Rapid, they could abuse it in future attacks.

How does the Rapid ransomware spread?

The first variant of Rapid ransomware was caught traveling via spam emails. The campaign was called ‘Please Note – IRS Urgent Message-164’ and the messages looked like they were sent by the Internal Revenue Service. In these emails, malicious files of the virus were added as an attachment. Hackers tried to trick users into thinking that they received an important letter and they should open the attachment to see further details.

Phishing emails (emails that impersonate a trusted person or company) are often used to spread malware, scams, and other harmful content. Never open emails from the spam category, be careful of unexpected emails that have files attached to them. Moreover, take a look at the Ultimate Protection against Ransomware Guide.

Rapid ransomware versions

Name	Release date	Extension	Contact email	Ransom note
Rapid (Original)	Jan, 2018	.Rapid, .RPD, .EZYMN .paymeme	[email protected], [email protected], [email protected], [email protected].	How Recovery Files.txt, !!! txt the README, How Recovery File.txt
Rapid 2.0	March, 2018	.[8 random numbers]	[email protected] [email protected]	DECRYPT.[5 random numbers].txt
Rapid 3.0	May, 2018	.Rapid .EZYMN	[email protected]	How Recovery Files.txt !!! txt the README
RPD	June, 2018	.RPD	[email protected]	How Recovery File.txt
Rapid V1	Aug, 2018	.no_more_ransom	[email protected]

Rapid 2.0 ransomware

The second version of Rapid was released after 2 months of the original Rapid ransomware. It has all the same qualities and features. The only difference is the extension that consists of 8 different digits and a ransom note whose name is made out of 5 random digits. Another interesting characteristic is that Rapid 2.0 was noticed excluding Russia from the targeted countries, which later led researchers to believe that the Rapid virus was originating from that region.

Rapid 3.0 ransomware

Rapid 3.0 is an update of the previous two Rapid ransomware viruses. It was noticed roaming around the net in May 2018. This version was most prevalent in the US and the western European countries like Spain and France. The encrypting algorithm stayed the same (AES), but the ransom amount was really significant – 0.7 BTC (around 5000USD at the time). A new locked file string name was added to this version – .EZYMN. Lastly, the new crypto-email ([email protected]) was used to attack a known and brilliant MalwareHunterTeam malware researcher known as @demonslay335 on Twitter because he has helped a lot of people to decrypt files locked by ransomware.

RPD ransomware

The fourth variant has no significant characteristics. Still spreads via malicious email attachments, uses AES cipher to lock files, adds the .RPD string to the names of locked files, drops a ransom note ‘How Recovery File.txt’ and asks to be contacted via the [email protected] email address for further directions to restore locked data. The ransom payament is different for each user, but the decryption key is most likely not sent after the payment.

Rapid V1 ransomware

Rapid V1 is the latest variant of the Rapid virus. It uses the same old AES cipher to encrypt personal data and appends the .no_more_ransom extension to all the affected files. What is more, it spreads in a typical-to-the-ransomware method – malspam and can be discovered manually at the running processes section as a ‘rapid.exe’ task. Overall, compared to the other versions, there are no significant updates, except for the changed hacker’s email. The ransom note says:

Hello, dear friend!
All your files have been ENCRYPTED
Do you really want to restore your files?
Write to our email – [email protected]
and tell us your unique ID

More technical details here: VirusTotal scan results.

How to remove Rapid ransomware and recover locked files

Don’t pay the ransom

We suggest not paying the ransom. Even though there is no free decryptor for Rapid ransomware, Kaspersky researchers say that though 1 out of 3 victims pays, 20% never get their files fixed as hackers promised in their ransom notes. For more statistical facts on ransomware visit Comparitech.com.

Paying the ransom is always a gamble, you could lose your files as well as thousands of dollars.

Another reason to not pay the ransom is that Rapid is old – it’s not guaranteed that the attackers are still active. New instances of Rapid ransomware show up here and there (Virustotal.com), but that can happen even when the ransomware isn’t being actively distributed.

Unfortunately, the files that Rapid encrypted might be lost forever. This virus runs special commands that delete shadow copies, so unless you have a backup stored on an external drive or cloud, you might not be able to restore your data. As for now, the decryptor for this specific virus is not available yet, according to Nomoreransom.org.

However, we encourage you to keep the locked files stored on your PC. There are a few options to receiver lost files, some listed at the bottom of this page and a few more in our post on recovering data after a ransomware attack.

How to delete Rapid ransomware

Arguably, the best way to remove a virus such as Rapid ransomware is to scan your computer with an anti-malware program and let it do its job. If you don’t have one yet, or the one you have failed to detect and remove Rapid ransomware, we highly recommend trying Spyhunter for this task. It should easily detect and remove all files associated with Rapid. It will also make sure that your computer will never be infected with malware again, so just keep it installed.

Automatic Malware removal tools

How to recover Rapid Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before Rapid virus has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of Rapid 2.0 ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Rapid 3.0 ransomware. You can check other tools here.  

Step 3. Restore RPD ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Rapid V1 ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Rapid Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

Manual removal