Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

  • Distribution Method : Unknown
  • MD5 : ed40e7f36a1902e5508b42755bfa305d
  • Major Detection Name : Ransom.Rapid (Malwarebytes), Ransom:Win32/Rapid.A!MTB (Microsoft)
  • Encrypted File Pattern : <Random Filename>.guesswho
  • Malicious File Creation Location :
     - C:\temp\wupdate.exe
     - C:\Users\%UserName%\AppData\Roaming\info.exe
     - C:\Users\%UserName%\AppData\Roaming\recovery.txt
     - C:\Windows\System32\Tasks\Encrypter
     - C:\Windows\System32\Tasks\EncrypterSt
  • Payment Instruction File : How Recovery Files.txt / / recovery.txt
  • Major Characteristics :
     - Offline Encryption
     - Disable and Blocks Command Prompt (cmd.exe) and Task Manager (Taskmgr.exe)
     - Delete Hyper-V and SQL services (sc delete "vmickvpexchange", sc delete "vmicshutdown", sc delete "vmicrdv", sc delete "MSSQLFDLauncher", sc delete "SQLSERVERAGENT", sc delete "SQLTELEMETRY" etc.)
     - Block SQL processes execution (MsDtsSrvr.exe, msmdsrv.exe, sqlbrowser.exe, sqlceip.exe, sqlservr.exe, sqlwriter.exe etc.)
     - Delete Anti-Virus services (sc delete "AVP18.0.0", sc delete "ekrn", sc delete "klim6", sc delete "TmFilter", sc delete "TMLWCSService", sc delete "WRSVC" etc)
     - Block Anti-Virus processes execution (AvastUI.exe, avp.exe, egui.exe, MsMpEng.exe, ntrtscan.exe, WRSA.exe)
     - Disable system restore (wbadmin DELETE SYSTEMSTATEBACKUP, wmic SHADOWCOPY DELETE, vssadmin.exe Delete Shadows /All /Quiet, bcdedit.exe /set {default} recoveryenabled No, bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures)
     - Adds Encrypter to scheduler to execute "%AppData%\info.exe" every minute
     - Adds EncrypterSt to scheduler to execute "%AppData%\info.exe" at user login
     - Displays ransom note (notepad.exe C:\Users\%UserName%\AppData\Roaming\recovery.txt) when user executes encrypted file (<Random Filename>.guesswho)