Rapid ransomware

Rapid ransomware — a dangerous cryptovirus that targets users from USA and Europe by using fake IRS emails

The example of Rapid ransomware virus' ransom note
Rapid ransomware is a virus that displays brief ransom note.

The example of Rapid ransomware virus' ransom note
Rapid ransomware is a virus that displays brief ransom note.

Rapid ransomware is a malicious crypto-virus circulating on the Internet since January 2018. During the seven months of its existence, malware has changed four times. The virus encrypts files using AES encryption algorithm and appends .Rapid file extension to each locked file. The latest version hailing from this family – RPD ransomware. It attaches .RPD file extension and drops How Recovery File.txt ransom note instructing the victim on how to contact criminals and send them the requested amount of money. The amount of ransom varies and is mostly selected depending on how many files are encrypted and how soon the victim reaches virus developers.

Name Rapid
Classification Ransomware

Rapid 2.0

Rapid 3.0


Danger level High. Compromises core system’s settings and encrypts personal files
File extension .Rapid; .RPD; .EZYMN
Contact email [email protected]; [email protected]; [email protected][email protected]; [email protected][email protected][email protected], [email protected]
Related files How Recovery Files.txt and !!! txt the README; How Recovery File.txt
Distribution “Please Note – IRS Urgent Message-164” spam email, fake software updates
Countries targeted Spain, France, USA 
Decryptor None
Termination Get rid of ransomware and all its malicious files by scanning your PC with reputable anti-malware software, such as SpyHunter 5Combo Cleaner or Malwarebytes
System fix Repair Windows system damage after malware termination with Reimage Reimage Cleaner

.Rapid ransomware was noticed for the first time at the end of January. Currently, the virus is still active and keeps bothering people from Spain, France, USA, and other world’s countries. Thus, we suggest you being extra cautious because, after infiltrating the system, this malware encrypts files and makes them inaccessible. The main difference between this virus and similar file-encrypting viruses is that it remains silent on the system and keeps encrypting new documents created by the user. 

Rapid ransomware, most likely, infiltrates the system with the help of social engineering and malicious spam emails. At the moment the virus spread the first time, Internal Revenue Service (IRS)[1] name was used as a disguise in email letters.

Once inside, it makes system changes and starts scanning the device for the targeted file extensions. Following the successful encryption procedure, the crypto-malware also drops a ransom note called How Recovery Files.txt or !!! txt the README. Both of them contain identical instructions saying: 

All your files have been encrypted by us
If you want to restore files write on e-mail  [email protected] or [email protected]

Rapid virus ransom note

Rapid virus ransom note

Our IT specialists warn that criminals might use different addresses for contact purposes. It is because they try to protect their identities and regularly change the provided emails. Currently, it is found that the following email addresses are linked with Rapid files virus:

Despite the fact that Rapid ransomware drops a ransom note, it’s informative. It’s clear, though, that criminals will ask to transfer a particular sum of money. The payment might be set based on the number of encrypted files or how fast a victim sends an email. However, security specialists do not recommend[2] contacting authors of the Rapid virus.

The problem is that no one can assure that crooks have working Rapid ransomware decryptor or they let you use it even if you pay the ransom. Thus, you might increase your loss. Apart from encrypted files, you might lose your money as well.

Thus, if you found your files encrypted by .Rapid file extension, you should focus on cleaning your computer. Ransomware may have injected malicious code into system processes. As a result, your device became sluggish, and programs started crashing. Additionally, malware makes the system vulnerable, and it might open the back doors for other cyber threats. Thus, to avoid possible damage, you’d better remove Rapid ransomware.

Please, do not try to locate and terminate malicious components yourself. It’s a difficult task. For Rapid ransomware removal, you should use reputable security software. If you have problems with virus elimination, please check the instructions below. After that, we suggest using Reimage Reimage Cleaner to repair Windows registry and corrupted system files.

Rapid ransomware illustration
Rapid ransomware is a dangerous malware that is capable of encrypting personal files using .rapid or other appending and demanding ransom to be paid for encryption key.

Rapid ransomware illustration
Rapid ransomware is a dangerous malware that is capable of encrypting personal files using .rapid or other appending and demanding ransom to be paid for encryption key.

Rapid ransomware versions 

Rapid 2.0 came out in March 2018. This variant excludes Russian-speaking countries from the targeted regions and does not encrypt files of people living in here. Additionally, the virus is adding eight random numbers to encrypted files’ extensions and typically uses SHA-256 chipper to encrypt them. The ransom message of this virus displayed in DECRYPT.[5-random-characters].txt file, people are suggested to contact developers via [email protected] or [email protected] email addresses. Please, do NOT use them to contact hackers who are hiding behind ransomware. You should run a full system scan with updated anti-spyware first and then rely on our data recovery options.

Rapid 3.0 was discovered in May 2018. This one is targeting English-speaking users in the USA and Europe. An alternative name of the virus – Rapid ransomware v3. Once it finishes modification of target files, ransomware appends [random_numbers].EZYMN file extension. This time, ransom amount was set to 0.7 BTC. The victim is given this email address to contact virus developers: [email protected]

RPD ransomware is the newest variant that showed up in June 2018. It carries .RPD file extension and provides victims with two contact emails: [email protected], [email protected]. This ransomware creates the unique identification key for each of its victims and drops the How Recovery File.txt file to require the spacial amount of ransom in bitcoin. 

The ransom note of the RPD ransomware reads the following:

Hello, dear friend!
All your files have been ENCRYPTED
Do you really want to restore your files?
Write to our email – [email protected]
and tell us your unique ID 

Cybercriminals use fake Internal Revenue Service emails to spread .Rapid virus

Recently, cybercriminals who are working behind Rapid virus have started sending emails which claim to be from IRS. The Internal Revenue Service is a tax collection agency from the USA. Most emails come with a subject “Please Note – IRS Urgent Message-164” or similar.

Rapid ransomware spreads via spam
Rapid ransomware spreads disguised behind fake service emails.

Rapid ransomware spreads via spam
Rapid ransomware spreads disguised behind fake service emails.

The fake email claims that the victim has not paid the correct amount of tax to the government and had to compensate for. It then encourages the user to open the attachment with “other useful information. Additionally, the person in the email states that the taxpayer only has one day to contact the tax manager; otherwise, fines might be issued.

Thus, cybercrooks are still using social engineering to scare their victims into thinking that there is an extreme urgency to contact the supposed authorities. As soon as the user unzips the attachment, he/she finds a malicious word document where a victim needs to enable macros to proceed with the installation. As soon as that is implemented, Rapid ransomware executes its malicious code.

Fortunately, it is relatively easy to recognize the scam used to spread Rapid ransomware. First of all, IRS does not contact users by email or text messages. Additionally, we must note that the Internal Revenue Service is a US body, the email address comes from the UK, and the file executable is displayed in German. Therefore, watch out for these danger signs. 

Insecure emails are commonly used in spreading ransomware

Criminals often spend much time while trying to develop techniques which would allow them to infect computers easily. So far, the crooks have highly beloved malspam campaigns that have been actively targeting health[3] and other sectors. They send fraudulent emails letters with malicious attachments inside. This way people are tricked to install ransomware by themselves.

However, spam emails are not the only way how hackers distribute high-risk computer infections. According to malware analysts from LesVirus.fr,[4] malware might enter the system when users:

  • download illegal content;
  • install fake programs or updates;
  • click on malware-laden ads.

Thus, you have to be careful with the content you download from the Internet. Additionally, keep all your software and operating system updated. It prevents malware from using security flaws to launch the attack.[5]

Installing a reputable antivirus is also a good tip for ransomware prevention. However, you should not forget that even the most reliable security program cannot fully protect you from cyber threats if you do not be responsible online.

Remove Rapid ransomware using reputable security software

To remove Rapid ransomware, you should use tools that can be trusted. Only this can ensure that you are avoiding other improved versions of the same virus. In fact, file-encrypting viruses can easily install additional malicious programs and complicate the elimination process. These type of programs are similar, but only IT professionals can get rid of Rapid ransomware manually. 

Automatic Rapid ransomware removal requires you to employ an antivirus. You can use SpyHunter 5Combo Cleaner or Malwarebytes to make the elimination procedure even easier. However, dangerous computer threats tend to block users from downloading professional malware removal tools or performing a scan on the device. Therefore, you can use a few tools to double check. Also, do not forget to fully clean your system and only then attempt to decrypt data.

Unfortunately, Rapid ransomware decryptor is still unavailable because of the extensive encryption algorithm used by the virus. However, you should definitely try the methods provided below that involve third-party software.

[youtube egxqV1pBf6U]

Reimage Reimage Cleaner has a free limited scanner. Reimage Reimage Cleaner offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

This entry was posted on 2020-02-19 at 05:23 and is filed under Ransomware, Viruses.