Rapid Ransomware Continues Encrypting New Files as they Are Created

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
A new ransomware is being spread called Rapid Ransomware that stays active after initially encrypting a computer and encrypts any new files that are created. While this behavior is not unique to Rapid, it is not a common behavior we see too often.

While it is not known how the Rapid Ransomware is being distributed, it has been infecting numerous people starting in January. According to statistics from ID-Ransomware, the first submitted case was on January 3rd and since then there have been over 300 submissions. This is probably a small portion of the total victims, are there many who most likely did not utilize ID-Ransomware to identify the infection.

graph.jpg

Rapid Ransomware Submissions to ID-Ransomware
How Rapid Ransomware encrypts a computer
When the ransomware runs, it will clear the Windows shadow volume copies, terminate database processes, and disables automatic repair. The processes that are terminated are sql.exe, sqlite.exe, and oracle.com and the commands that are executed are:
..
.....
..
........
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
Rapid cyberattacks

Rapid cyberattacks like Petya and WannaCrypt have reset our expectations on the speed and scope of damage that a cyberattack can inflict. The Microsoft Enterprise Cybersecurity Group Detection and Response team worked extensively to help customers respond to and recover from these kinds of attacks. In 2017, among the global enterprise customers that we worked with, these rapid cyberattacks took down most or all IT systems in just about one hour, resulting in $200M – 300M USD of damage at several customers.

Attackers assembled several existing techniques into a new form of attack that was both:
  • Fast – Took about an hour to spread throughout the enterprise
  • Disruptive – Created very significant business disruption at global enterprises
What is a rapid cyberattack?
Rapid cyberattacks are fast, automated, and disruptive—setting them apart from the targeted data theft attacks and various commodity attacks, including commodity ransomware, that security programs typically encounter:

Rapid-cyberattack-1024x371.png


Figure 1: Characteristics of rapid cyberattacks

  • Rapid and Automated – Much like the worms of decades past (remember Nimda? SQL Slammer?), these attacks happen very rapidly because self-propagation is fully automated once the malware is launched.
  • Disruptive – Rapid cyberattacks are designed to be disruptive to business and IT operations by encrypting data and rebooting systems.

Read more here

Overview of rapid cyberattacks
 

Mohan Rajan

Level 2
Verified
May 7, 2016
85
One should use a layered approach to security. in this case, you may use OSArmor from NVT to prevent ransomware from deleting shadow copies and other similar behavior.
In fact an issue was how to prevent backup images from imaging software from being deleted / corrupted by ransomware as I do a daily backup to my local disk and cannot be removing and reconnecting the drive containing the backup.
This issue has been resolved by the latest version of Macrium Reflect v7.1 which prevents anyone or anything from deleting backup files.
 
  • Like
Reactions: Der.Reisende
D

Deleted member 65228

So if you keep your data files off your PC/laptop and uses Shadow Defender then Rapid Ransomware will have no chance to do its work, right?
On reboot the changes will be reverted so yes you will be safe against the encryption procedure. However, data theft can still occur in the environment. Simply relying on Shadow Defender to make you invincible will never go well because there are many attack vectors you may not even be aware of.

For example, did you know it is incredibly easy for an attacker to steal login credentials stored by your web-browser? Despite encryption procedures and file locking, it's incredibly easy for them to do it. And, an attacker can even impersonate another user account to steal them across multiple sessions, even if the targeted user account is not signed in.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top