Severity scale:  

Remove Rapid ransomware (Removal Guide) - Sep 2020 update

removal by Jake Doevan - - | Type: Ransomware

Rapid ransomware — a dangerous cryptovirus that targets users from USA and Europe by using fake IRS emails

The example of Rapid ransomware virus' ransom noteRapid ransomware is a virus that displays brief ransom note.

Questions about Rapid ransomware

Rapid ransomware is a malicious crypto-virus circulating on the Internet since January 2018. During the seven months of its existence, malware has changed four times. The virus encrypts files using AES encryption algorithm and appends .Rapid file extension to each locked file. The latest version hailing from this family – RPD ransomware. It attaches .RPD file extension and drops How Recovery File.txt ransom note instructing the victim on how to contact criminals and send them the requested amount of money. The amount of ransom varies and is mostly selected depending on how many files are encrypted and how soon the victim reaches virus developers.

Name Rapid
Classification Ransomware

Rapid 2.0

Rapid 3.0


Danger level High. Compromises core system's settings and encrypts personal files
File extension .Rapid; .RPD; .EZYMN
Contact email;;;;;;, 
Related files How Recovery Files.txt and !!! txt the README; How Recovery File.txt
Distribution “Please Note – IRS Urgent Message-164” spam email, fake software updates
Countries targeted Spain, France, USA 
Decryptor None
Termination Get rid of ransomware and all its malicious files by scanning your PC with reputable anti-malware software, such as SpyHunter 5Combo Cleaner or Malwarebytes
System fix Repair Windows system damage after malware termination with Reimage Reimage Cleaner Intego

.Rapid ransomware was noticed for the first time at the end of January. Currently, the virus is still active and keeps bothering people from Spain, France, USA, and other world's countries. Thus, we suggest you being extra cautious because, after infiltrating the system, this malware encrypts files and makes them inaccessible. The main difference between this virus and similar file-encrypting viruses is that it remains silent on the system and keeps encrypting new documents created by the user. 

Rapid ransomware, most likely, infiltrates the system with the help of social engineering and malicious spam emails. At the moment the virus spread the first time, Internal Revenue Service (IRS)[1] name was used as a disguise in email letters.

Once inside, it makes system changes and starts scanning the device for the targeted file extensions. Following the successful encryption procedure, the crypto-malware also drops a ransom note called How Recovery Files.txt or !!! txt the README. Both of them contain identical instructions saying: 

All your files have been encrypted by us
If you want to restore files write on e-mail or 

Rapid virus ransom noteOur IT specialists warn that criminals might use different addresses for contact purposes. It is because they try to protect their identities and regularly change the provided emails. Currently, it is found that the following email addresses are linked with Rapid files virus:


Despite the fact that Rapid ransomware drops a ransom note, it's informative. It’s clear, though, that criminals will ask to transfer a particular sum of money. The payment might be set based on the number of encrypted files or how fast a victim sends an email. However, security specialists do not recommend[2] contacting authors of the Rapid virus.

The problem is that no one can assure that crooks have working Rapid ransomware decryptor or they let you use it even if you pay the ransom. Thus, you might increase your loss. Apart from encrypted files, you might lose your money as well.

Thus, if you found your files encrypted by .Rapid file extension, you should focus on cleaning your computer. Ransomware may have injected malicious code into system processes. As a result, your device became sluggish, and programs started crashing. Additionally, malware makes the system vulnerable, and it might open the back doors for other cyber threats. Thus, to avoid possible damage, you’d better remove Rapid ransomware.

Please, do not try to locate and terminate malicious components yourself. It’s a difficult task. For Rapid ransomware removal, you should use reputable security software. If you have problems with virus elimination, please check the instructions below. After that, we suggest using Reimage Reimage Cleaner Intego to repair Windows registry and corrupted system files.

Rapid ransomware illustrationRapid ransomware is a dangerous malware that is capable of encrypting personal files using .rapid or other appending and demanding ransom to be paid for encryption key.

Rapid ransomware versions 

Rapid 2.0 came out in March 2018. This variant excludes Russian-speaking countries from the targeted regions and does not encrypt files of people living in here. Additionally, the virus is adding eight random numbers to encrypted files' extensions and typically uses SHA-256 chipper to encrypt them. The ransom message of this virus displayed in DECRYPT.[5-random-characters].txt file, people are suggested to contact developers via or email addresses. Please, do NOT use them to contact hackers who are hiding behind ransomware. You should run a full system scan with updated anti-spyware first and then rely on our data recovery options.

Rapid 3.0 was discovered in May 2018. This one is targeting English-speaking users in the USA and Europe. An alternative name of the virus – Rapid ransomware v3. Once it finishes modification of target files, ransomware appends [random_numbers].EZYMN file extension. This time, ransom amount was set to 0.7 BTC. The victim is given this email address to contact virus developers: 

RPD ransomware is the newest variant that showed up in June 2018. It carries .RPD file extension and provides victims with two contact emails:, This ransomware creates the unique identification key for each of its victims and drops the How Recovery File.txt file to require the spacial amount of ransom in bitcoin. 

The ransom note of the RPD ransomware reads the following:

Hello, dear friend!
All your files have been ENCRYPTED
Do you really want to restore your files?
Write to our email –
and tell us your unique ID 

Cybercriminals use fake Internal Revenue Service emails to spread .Rapid virus

Recently, cybercriminals who are working behind Rapid virus have started sending emails which claim to be from IRS. The Internal Revenue Service is a tax collection agency from the USA. Most emails come with a subject “Please Note – IRS Urgent Message-164” or similar.

Rapid ransomware spreads via spamRapid ransomware spreads disguised behind fake service emails.

The fake email claims that the victim has not paid the correct amount of tax to the government and had to compensate for. It then encourages the user to open the attachment with “other useful information. Additionally, the person in the email states that the taxpayer only has one day to contact the tax manager; otherwise, fines might be issued.

Thus, cybercrooks are still using social engineering to scare their victims into thinking that there is an extreme urgency to contact the supposed authorities. As soon as the user unzips the attachment, he/she finds a malicious word document where a victim needs to enable macros to proceed with the installation. As soon as that is implemented, Rapid ransomware executes its malicious code.

Fortunately, it is relatively easy to recognize the scam used to spread Rapid ransomware. First of all, IRS does not contact users by email or text messages. Additionally, we must note that the Internal Revenue Service is a US body, the email address comes from the UK, and the file executable is displayed in German. Therefore, watch out for these danger signs. 

Insecure emails are commonly used in spreading ransomware

Criminals often spend much time while trying to develop techniques which would allow them to infect computers easily. So far, the crooks have highly beloved malspam campaigns that have been actively targeting health[3] and other sectors. They send fraudulent emails letters with malicious attachments inside. This way people are tricked to install ransomware by themselves.

However, spam emails are not the only way how hackers distribute high-risk computer infections. According to malware analysts from,[4] malware might enter the system when users:

  • download illegal content;
  • install fake programs or updates;
  • click on malware-laden ads.

Thus, you have to be careful with the content you download from the Internet. Additionally, keep all your software and operating system updated. It prevents malware from using security flaws to launch the attack.[5]

Installing a reputable antivirus is also a good tip for ransomware prevention. However, you should not forget that even the most reliable security program cannot fully protect you from cyber threats if you do not be responsible online.

Remove Rapid ransomware using reputable security software

To remove Rapid ransomware, you should use tools that can be trusted. Only this can ensure that you are avoiding other improved versions of the same virus. In fact, file-encrypting viruses can easily install additional malicious programs and complicate the elimination process. These type of programs are similar, but only IT professionals can get rid of Rapid ransomware manually. 

Automatic Rapid ransomware removal requires you to employ an antivirus. You can use SpyHunter 5Combo Cleaner or Malwarebytes to make the elimination procedure even easier. However, dangerous computer threats tend to block users from downloading professional malware removal tools or performing a scan on the device. Therefore, you can use a few tools to double check. Also, do not forget to fully clean your system and only then attempt to decrypt data.

Unfortunately, Rapid ransomware decryptor is still unavailable because of the extensive encryption algorithm used by the virus. However, you should definitely try the methods provided below that involve third-party software.

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove Rapid virus, follow these steps:

Remove Rapid using Safe Mode with Networking

If your anti-virus is blocked by a .rapid virus, you must reboot your computer in Safe Mode with Networking. This procedure will prepare your system for ransomware removal.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Rapid

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Rapid removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Rapid using System Restore

If Safe Mode fails to work for you while trying to get rid of ransomware, try using System Restore method to launch antivirus:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Rapid. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that Rapid removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Rapid from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

To recover encrypted .rapid files, use the following guide. It provides several tips that can be used to unlock locked files and start using them again.

If your files are encrypted by Rapid, you can use several methods to restore them:

Get help from Data Recovery Pro

In case you do not store backups, feel free to use this professional recovery tool.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Rapid ransomware;
  • Restore them.

ShadowExplorer might be useful

If Rapid ransomware failed to delete Shadow Volume Copies, you might take advantage of ShadowExplorer software and recover encrypted data.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Experts are currently working on Rapid ransomware decryptor.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Rapid and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. It is a hassle when your website is protected from suspicious connections and unauthorized IP addresses.

The best solution for creating a tighter network could be a dedicated/fixed IP address. If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for server or network manager that need to monitor connections and activities. This is how you bypass some of the authentications factors and can remotely use your banking accounts without triggering suspicious with each login. 

VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world. It is better to clock the access to your website from different IP addresses. So you can keep the project safe and secure when you have the dedicated IP address VPN and protected access to the content management system.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Jake Doevan
Jake Doevan - Computer technology expert

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions

Removal guides in other languages

Your opinion regarding Rapid ransomware