
Has anyone found a decryptor for ransomware *.rapid?

memewarren asked
I need a decryptor for ransomware *.rapid.  This ransomware has manifested itself on administrative files for a school.  I don't know if anyone has been able to find a solution for this at this time.

Dr. Klahn, Principal Software Engineer

According to the No More Ransom project, none is available at this time.


Over the last few months a new wrinkle has come along in ransomware.  The criminals now take your money and don't deliver the key.  In the past there was about a 1 in 3 chance of getting a key; at present it looks like that's going to become a zero percent chance.  

What you can do:

If the data on the system is irreplaceable and has long-term value, make a full image of the drive to a removable USB device, label it "INFECTED DO NOT USE", put it in a bag, seal the bag, and label the bag "RANSOMWARE INFECTED DO NOT USE."  This won't prevent a random idiot from using the drive and infecting other systems, but at least they won't have any excuse for it.

Then erase the drive with a product such as Darik's Boot and Nuke, and restore from the most recent full backup that is known to be uninfected.  If there is no backup, reload Windows from scratch.  Once a system is infected with an aggressive virus like this one, the drive cannot be trusted without complete erasure.

The ransomware uses a 2048-bit key and encryption keys are now generated per-system to avoid one-key-unlocks-all, so it's unlikely that it will ever be decrypted unless there's an error in the code.

There's a discussion of the topic at the link below:

John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

You need to now take preventative actions:

1. Keep regular and complete backups.
2. Implement a top-notch spam filter (this stuff normally comes by email).
3. Train people not to open emails from strangers.
4. Train people not to browse to dodgy web sites.

As stated above, there is little to no hope of recovering your data, so you must start again.

btan, Exec Consultant
Distinguished Expert 2019

This was also asked in another EE question. In short, there is no decryptor, and please do not pay the ransom as instructed; otherwise you are supporting what the attacker is doing.

Rely only on your latest backup, and quickly isolate the infected machine and rebuild it. If I were you, it would be better to find out how the infection penetrated the machine. The threats may still be lurking around, e.g. an infected email attachment, a temp folder with remaining payload files, an infected USB drive, infected file shares, etc. To err on the safe side, consider changing the victim's passwords if there is observed suspicious activity on the online webmail or social accounts. The preventive measures shared by the experts are important moving forward; otherwise recurrence is expected.

How to remove Rapid Ransomware and decrypt .rapid or .paymeme files:

What can you do if you’ve become the victim of a ransomware attack: