[ Rapid ransomware ]
[Virus/Malware Activity Report: Rapid Ransomware]
A security breach believed to be caused by Rapid ransomware has occurred,
so we are providing the following confirmation and warning about the situation.
Rapid ransomware
The ransomware in question is called Rapid and appears to change all files so that the file name carries the .rapid extension.
How it works
File version
[Figure 1 Ransomware executable file compiler information]
[Figure 2 File information in window properties]
Ransomware operation characteristics
The ransomware is built in C++. To make it difficult for users to recover data, it deletes shadow copies and disables the Windows recovery functions and error notifications. It copies its initial executable file to the Roaming folder as info.exe and registers that copy in the startup program registry. It also registers the copy in the Task Scheduler so that it runs when the user logs in to Windows and repeats every minute. The keys used for obfuscation are additionally stored in a specific location in the registry.
[Figure 3 Dynamic code that issues commands related to shadow copy deletion and commands to restore Windows and disable error notification windows]
[Figure 4 Copy executable file and register startup program dynamic code and actual generated files and registry]
[Figure 5 Dynamic code that registers tasks in Windows' task scheduler and actual created schedule and operation details]
[Figure 6 Dynamic code that stores the key used for obfuscation in the registry and the actual generated registry]
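The behaviours described above can be correlated per host in process-creation logs. The following is an added example, not code from the report or from White Defender. The command-line patterns (vssadmin, bcdedit, schtasks, the Run key path) are assumptions, since the report's figures are not reproduced here, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Behaviours come from the report; the command-line patterns are assumptions,
# because the report's figures (the actual commands) are not on the page.
RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "recovery_disabled": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
        re.I),
    "roaming_info_exe": re.compile(r"\\AppData\\Roaming\\info\.exe", re.I),
    "run_key_persistence": re.compile(r"\\CurrentVersion\\Run\b.*\\AppData\\Roaming\\", re.I),
    "logon_or_minute_task": re.compile(
        r"schtasks(\.exe)?\s+/create\b.*?/sc\s+(minute|onlogon)", re.I),
}

# Constructed (host, command line) events; <value-name> and <task-name> are
# placeholders because the report does not give those names.
SAMPLE_EVENTS = [
    ("ws-01", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("ws-01", r"bcdedit.exe /set {default} recoveryenabled No"),
    ("ws-01", r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run "
              r"/v <value-name> /d C:\Users\alice\AppData\Roaming\info.exe"),
    ("ws-01", r"schtasks.exe /create /tn <task-name> /sc minute /mo 1 "
              r"/tr C:\Users\alice\AppData\Roaming\info.exe"),
    ("srv-02", r"vssadmin.exe delete shadows /for=D: /oldest"),  # routine cleanup
    ("ws-03", r"schtasks.exe /create /tn <task-name> /sc daily /tr C:\Tools\backup.cmd"),
]

def triage(events):
    """Map each host to the set of report behaviours seen in its command lines."""
    hits = defaultdict(set)
    for host, command_line in events:
        for name, pattern in RULES.items():
            if pattern.search(command_line):
                hits[host].add(name)
    return dict(hits)

def likely_rapid(events, min_behaviours=3):
    """Hosts showing several distinct behaviours; a single one is often benign."""
    return sorted(h for h, seen in triage(events).items() if len(seen) >= min_behaviours)

if __name__ == "__main__":
    for host, seen in triage(SAMPLE_EVENTS).items():
        print(host, sorted(seen))
    print("escalate:", likely_rapid(SAMPLE_EVENTS))
```

Requiring several distinct behaviours on one host keeps routine shadow copy maintenance or ordinary scheduled tasks from raising an alert on their own.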
Infection results
The guidance file
[Figure 7 Infection results]
White Defender compatible
White Defender blocks the ransomware's malicious actions and supports real-time automatic restoration of files that are encrypted before the malicious behavior is blocked.
[Figure 8 Block message]