Severity scale:  
  (98/100)

Rapid ransomware. How to remove? (Uninstall guide)

removal by Jake Doevan - - | Type: Ransomware

Rapid ransomware – crypto-malware targeting Spain, France, and USA PC users

Image of Rapid ransomware virus

Questions about Rapid ransomware

Rapid ransomware is a malicious crypto-virus circulating on the Internet since January 2018. It spreads via “Please Note – IRS Urgent Message-164” spam emails and targets Spain, France, and USA users in particular. Following the execution of ransomware payload, AES ciphers[1] is enabled, which encrypts data and append .Rapid file extension to each locked file. It also drops How Recovery Files.txt or !!! txt the README ransom note, which instructs the victim to contact the rapid@rape.lol or airkey@rape.lol email address. 

Name Rapid
Classification Ransomware
Danger level High. Compromises core system's settings and encrypts personal files
File extension .Rapid
Related files How Recovery Files.txt and !!! txt the README
Distribution “Please Note – IRS Urgent Message-164” spam email, fake software updates
Countries targeted Spain, France, USA 
Get rid of ransomware easily with the help of Reimage

.Rapid ransomware was noticed for the first time at the end of January. Currently, the virus is still active and keeps bothering people from Spain, France, USA and other world's countries. Thus, we suggest you being extra cautious because, after infiltrating the system, this malware encrypts files and makes them inaccessible. The main difference between this virus and similar file-encrypting viruses is that it remains silent on the system and keeps encrypting new documents created by the user. 

Rapid ransomware, most likely, infiltrates the system with the help of social engineering and malicious spam emails. At the moment, the virus spreads under Internal Revenue Service (IRS) name.

Rapid virus ransom note

Once inside, it makes system changes and starts scanning the device for the targeted file extensions. Following the successful encryption procedure, the crypto-malware also drops a ransom note called How Recovery Files.txt or !!! txt the README. Both of them contain identical instructions saying: 

Hello,
All your files have been encrypted by us
If you want to restore files write on e-mail  rapid@rape.lol or airkey@rape.lol. 

Our IT specialists warn that criminals might use different addresses for contact purposes. It is because they try to protect their identities and regularly change the provided emails. Currently, it is found that the following email addresses are linked with Rapid files virus:

  • rapid@rape.lol; 
  • jpcrypt@rape.lol;
  • fileskey@qq.com;
  • fileskey@cock.li;
  • frenkmoddy@tuta.io;
  • unlockforyou@india.com;
  • support@fbamasters.com;
  • airkey@rape.lol;

Despite the fact that .Rapid ransomware drops a ransom note, it's absolutely informative. It’s clear, though, that criminals will ask to transfer a particular sum of money. The payment might be set based on the number of encrypted files or how fast a victim sends an email. However, security specialists do not recommend[2] contacting authors of Rapid virus.

The problem is that no one can assure that crooks have working Rapid decryptor or they let you use it even if you pay the ransom. Thus, you might increase your loss. Apart from encrypted files, you might lose your money as well.

Thus, if you found your files encrypted by .Rapid file extension, you should focus on cleaning your computer. Ransomware may have injected malicious code into system processes. As a result, your device became sluggish, and programs started crashing. Additionally, malware makes the system vulnerable, and it might open the backdoor for other cyber threats. Thus, to avoid possible damage, you’d better remove Rapid ransomware.

Please, do not try to locate and terminate malicious components yourself. It’s a difficult task. For Rapid ransomware removal, you should use reputable security software, such as Reimage. If you have problems with virus elimination, please check the instructions below.

Hackers pretend to be from Internal Revenue Service to distribute Rapid ransomware

Recently, cybercriminals who are working behind Rapid virus have started sending emails which claim to be from IRS. The Internal Revenue Service is tax collection agency from the USA. Most emails come with a subject “Please Note – IRS Urgent Message-164” or similar.

Rapid ransomware spreads via spam

The fake email claims that the victim has not paid the correct amount of tax to the government and has to compensate for. It then encourages the user to open the attachment with “other useful information. Additionally, the person in the email states that the taxpayer only has one day to contact the tax manager; otherwise, fines might be issued.

Thus, cybercrooks are still using social engineering to scare their victims into thinking that there is an extreme urgency to contact the supposed authorities. As soon as the user unzips the attachment, he/she finds a malicious word document where a victim needs to enable macros to proceed with the installation. As soon as that is implemented, Rapid ransomware executes its malicious code.

Fortunately, it is relatively easy to recognize the scam used to spread Rapid ransomware. First of all, IRS does not contact users by email or text messages. Additionally, we must note that Internal Revenue Service is a US body, the email address comes from the UK, and the file executable is displayed in German. Therefore, watch out for these danger signs. 

Other known peculiarities of ransomware distribution

Criminals often spend much time while trying to develop techniques which would allow them to infect computers easily. So far, the crooks have highly beloved malspam campaigns. They send fraudulent emails letters with malicious attachments inside. This way people are tricked to install ransomware by themselves.

However, spam emails are not the only way how hackers distribute high-risk computer infections. According to malware analysts from LesVirus.fr,[3] malware might enter the system when users:

  • download illegal content;
  • install fake programs or updates;
  • click on malware-laden ads.

Thus, you have to be careful with content you download from the Internet. Additionally, keep all your software and operating system updated. It prevents malware from using security flaws to launch the attack.

Installing reputable antivirus is also a good tip for ransomware prevention. However, you should not forget that even the most reliable security program cannot fully protect you from cyber threats if you do not be responsible online.

Make Rapid virus removal easy

It is quite evident that ransomware-type infections are extremely dangerous. In fact, file-encrypting viruses can easily install additional malicious programs and complicate the elimination process. However, only IT professionals can get rid of Rapid ransomware manually. Others should get help from security software.

Automatic Rapid ransomware removal requires you to employ an antivirus. You can use Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus, or Malwarebytes Anti Malware to make the elimination procedure even easier. However, dangerous computer threats tend to block users from downloading professional malware removal tools.

Likewise, you should first boot your computer into Safe Mode to remove Rapid ransomware. For that, use the instructions below and carefully follow each step. Shortly after, you will be able to head to data recovery. 

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove Rapid ransomware you agree to our privacy policy and agreement of use.
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall Rapid ransomware. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.
Press mentions on Reimage

Manual Rapid virus Removal Guide:

Remove Rapid using Safe Mode with Networking

If your anti-virus is blocked by a .rapid virus, you must reboot your computer in Safe Mode with Networking. This procedure will prepare your system for ransomware removal.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Rapid

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Rapid removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Rapid using System Restore

If Safe Mode fails to work for you while trying to get rid of ransomware, try using System Restore method to launch antivirus:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Rapid. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Rapid removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Rapid from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

To recover encrypted .rapid files, use the following guide. It provides several tips that can be used to unblock locked files and start using them again.

If your files are encrypted by Rapid, you can use several methods to restore them:

Get help from Data Recovery Pro

In case you do not store backups, feel free to use this professional recovery tool.

ShadowExplorer might be useful

If Rapid ransomware failed to delete Shadow Volume Copies, you might take advantage of ShadowExplorer software and recover encrypted data.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Experts are currently working on Rapid's decryptor.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Rapid and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Jake Doevan
Jake Doevan - Computer technology expert

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions

References

Removal guides in other languages