Rapid Ransomware - How to remove

Rapid ransomware is an extremely dangerous virus actively spreading in Europe and the US right now. As it is reported, this virus was launched in January 2018 and has been infecting thousands of users since then, most of them in Europe. It is a typical and unique ransomware infection at the same time – it features some attributes that are typical for this kind of infection and at the same time there are some qualities that are rather weird.

As of now, 2018 August, there are 4 variants in total of Rapid ransomware. They are not much different technically but have separate encrypted file extensions, crypto-emails, and ransom notes. Unfortunately, there is still no official decryptor for any of the mentioned ransomware versions, yet 2-viruse.com team prepared a simple guide (which you will find at the end of this article) on how to remove and potentially restore your locked files.

What is special about Rapid ransomware

Typically, if you get hit with a ransomware infection, it scans your computer for files that are stored on your hard drive and then encrypts them, so you can no longer use any of them. Then, it demands the ransom to be paid in order to receive decryption key and get your files back. In this case, the Rapid virus will stay active even after the original first encryption and all new files that you create or download to your computer will be encrypted on the go. That means you just have to remove this virus from your computer if you want to continue using your computer without having to reinstall the operating system or actually pay the ransom.

However, even when some cyber specialists claim that making a payment for hackers is the only option to get your files back, according to the Kaspersky research 1 out of 3 victims are actually choosing this option, but 20% of them are not getting their decryption code as hackers promise in their ransom note. This is why sending Bitcoins to Rapid ransomware creators would be like a gamble, not knowing whether you not only lost your files but spend thousands of dollars as well. For more statistical facts on ransomware visit Comparitech.com.

Rapid Ransomware remove

Now, let’s talk about the specifics of the infection itself. As usual, ransomware viruses encrypt files by adding some sort of extension to the end of them. In this case, Rapid ransomware will add “.rapid” extension. So if you had a file name “photo.jpg”, after the encryption it will look like “photo.jpg.rapid” and from that moment you won’t be able to open it. Next thing – after the encryption, a file named “”! How Decrypt Files.txt”‘ will be placed on your desktop. It contains this message:

All your files have been encrypted by us
If you want restore files write on e-mail – [email protected]

As you can see, any further details (the amount of ransom or how you should pay it) are not provided. Instead of that, you are encouraged to contact cybercriminals at [email protected] In fact, there are more email addresses associated with this virus, so they can vary. We suggest not to do that – paying the ransom or even contacting those crooks is almost always a bad idea. As we have mentioned before, encryption performed by Rapid ransomware is an ongoing process and it will constantly scan your computer for new files, so it is very important to remove the virus itself as soon as possible.

How does the Rapid ransomware spread

The first Rapid ransomware was caught traveling via spam emails campaign called ‘Please Note – IRS Urgent Message-164’ that looked like a message sent by the Internal Revenue Service. In these emails, malicious files of the virus were added as an attachment. Hackers try to trick users into thinking that they have received some important letter and they should open the attachment to see further details. So lesson number one – never open emails from spam category, especially files attached to them if you want to stay away from ransomware. Moreover, take a look at the Ultimate Protection against Ransomware Guide.

Rapid ransomware versions

Name Release date Extension Contact email Ransom note


[email protected],
[email protected],
[email protected], [email protected]
How Recovery Files.txt,
!!! txt the README,
How Recovery File.txt
Rapid 2.0 March, 2018 .[8 random numbers] [email protected]
[email protected]
DECRYPT.[5 random numbers].txt
Rapid 3.0 May,
[email protected] How Recovery Files.txt
!!! txt the README
RPD June, 2018 .RPD [email protected] How Recovery File.txt
Rapid V1 Aug,
.no_more_ransom [email protected]  

Rapid 2.0 ransomware

The second version that was released after 2 months of the original Rapid ransomware, which has all the same qualities and features. The only difference is the extension that consists of 8 different digits and ransom note whose name is made out of 5 random digits. Another interesting characteristic is that Rapid 2.0 was noticed excluding Russia from the targeted countries, which later led the researchers belive that Rapid virus was originating from that region.

Rapid 3.0 ransomware

Rapid 3.0 is the update of the previous two Rapid ransomware viruses, noticed roaming around the net in May, 2018. This version was most prevalent in the US and the western European countries like Spain and France. The encrypting algorithm stays the same (AES), but the ransom amount was really significant – 0.7 BTC (around 5000USD). The new locked file string name was added to this version – .EZYMN. Lastly, the new crypto-email ([email protected]) was a used as a ridicule for a known MalwareHunterTeam malware researcher, known as @demonslay335 on Twitter, because he has helped a lot of people to decrypt their files with his decryptors and etc.

RPD ransomware

The fourth variant, which has no significant characteristics. Still spreads via malicious email attachments, uses AES cipher to lock files, adds .RPD string to inaccessible files, drops ransom note ‘How Recovery File.txt’ and asks to be contacted to [email protected] email for further directions to restored locked data. Ransom amount is different for each user, but decryption key is most likely not sent after the payment.

Rapid V1 ransomware

Rapid V1 is the latest variant of the Rapid virus. It uses the same old AES cipher to encrypt personal data and appends .no_more_ransom extension to all the affected files. What is more, it spreads in a typical-to-the-ransomware method – malspam and can be discovered manually at the running processes section as ‘rapid.exe’ task. Overall, compared to the other versions, there are no significant updates, except for the changed hacker’s email. The ransom note says:

Hello, dear friend!
All your files have been ENCRYPTED
Do you really want to restore your files?
Write to our email – [email protected]
and tell us your unique ID

More technical details at VirusTotal scan results.

How to remove Rapid ransomware and recover locked files

Arguably, the best way to remove the virus like Rapid ransomware and its variants is to scan your computer with anti-malware program and let it do the job. If you don’t have one yet or the one you have failed to detect and remove Rapid ransomware, we highly recommend to try Spyhunter for this task. Either one of these programs should easily detect and remove all files associated to Rapid. It will also make sure that your computer will never be infected with malware again, so just keep it installed.

Automatic Malware removal tools

Download Spyhunter for Malware detection

Note: Spyhunter trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions,

Download Combo Cleaner for Malware detection

Note: Combo Cleaner trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions, Refund Policy ,

Unfortunately, files that have been already encrypted might be lost forever. This virus runs special commands that delete shadow copies of your files, so unless you have a backup image stored on an external drive or cloud, you might not be able to perform a system restore. As for now, the decryptor for this specific virus is not available yet, according to the Nomoreransom.org project. However, we encourage to keep the locked files stored in your PC, until the security professionals will come up with the special decryptor.

How to recover Rapid Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before Rapid virus has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3

Step 2. Complete removal of Rapid 2.0 ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Rapid 3.0 ransomware. You can check other tools here.  

Step 3. Restore RPD ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Rapid V1 ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
Previous version
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover Rapid Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

Manual removal

Removal guides in other languages

Leave a Reply

Your email address will not be published. Required fields are marked *