Rapture Ransomware: A Deep Dive into the Silent Cyber Storm | Intel 471


May 10, 2023

Overview of the Rapture Ransomware

Rapture Ransomware is a newly emerging threat that distinguishes itself through a lean but effective approach. Operating within a notably short lifecycle of 3-5 days, it aims to leave as small a footprint as possible, making its actions harder to trace and analyze. A further layer of complexity comes from its use of Themida, a commercial software packer frequently employed to shield software from reverse engineering; the packer's anti-debugging, entry-point protection, and dynamic encryption features add further impediments to analysis. The sectors currently known to be in Rapture's crosshairs include healthcare, education, and manufacturing.

Current Campaign Details

Rapture was first identified in early 2023, and it bears some resemblance to another variant known as "Paradise", particularly in its use of an RSA key configuration file and its compilation as a .NET executable. However, the unidentified threat actors behind Rapture and its distinctive behavioral patterns set it apart. Rapture's targets are typically identified through a combination of vulnerability scans, spear-phishing emails, and the exploitation of weak systems and software.

Technical Details of the Rapture Ransomware Attack

Rapture Ransomware's tactics emphasize stealth and hindering analysis. It is commonly delivered through phishing emails or by exploiting system and software vulnerabilities. Once inside the system, Rapture introduces a file with the extension ".log" and performs initial reconnaissance that includes inspecting firewall policies, system tool versions, and any potentially exploitable Log4J vulnerabilities.

In its quest for elevated privileges, Rapture launches explorer.exe with the "/NOUACCHECK" command-line switch, allowing it to inherit the parent process's elevated status. This process is then used to execute the second-stage Cobalt Strike beacon downloader, which connects to a specific address to download the main beacon. The main beacon is concealed within a JavaScript file, which is then decrypted and executed. The same second-stage beacon is also used to obtain backdoor commands and potentially other payloads.
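As an added defender-side example (not code from the Intel 471 post), the following Python flags the explorer.exe /NOUACCHECK launch described above in process-creation telemetry and collects the process tree that ran under the inherited token, so an analyst can see what the second-stage downloader spawned. The event records, their field names, the child process paths and the list of parents that normally start explorer.exe are constructed assumptions.

```python
import re

# Constructed sample process-creation events (hypothetical; modelled loosely on
# Sysmon Event ID 1 fields, not taken from any real incident).
SAMPLE_EVENTS = [
    {"pid": 980, "ppid": 600, "image": r"C:\Users\victim\Downloads\Invoice.exe",
     "cmdline": r"C:\Users\victim\Downloads\Invoice.exe"},
    {"pid": 4120, "ppid": 980, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe /NOUACCHECK"},          # suspicious relaunch
    {"pid": 5012, "ppid": 4120, "image": r"C:\Users\victim\AppData\Local\Temp\dl.exe",
     "cmdline": r"C:\Users\victim\AppData\Local\Temp\dl.exe"},     # runs under inherited token
    {"pid": 3300, "ppid": 1200, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},                       # normal shell start
    {"pid": 3400, "ppid": 3300, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe"},
]

# explorer.exe followed somewhere later by the /NOUACCHECK switch, case-insensitive.
NOUACCHECK = re.compile(r"(?i)\bexplorer\.exe\b.*\s/NOUACCHECK\b")
# Components that legitimately start explorer.exe (assumed allow-list).
EXPECTED_PARENTS = (r"c:\windows\explorer.exe", r"c:\windows\system32\userinit.exe",
                    r"c:\windows\system32\winlogon.exe")

def descendants(events, root_pid):
    """Return the sorted pids of every process transitively spawned by root_pid."""
    by_parent = {}
    for e in events:
        by_parent.setdefault(e["ppid"], []).append(e["pid"])
    found, stack = [], [root_pid]
    while stack:
        for child in by_parent.get(stack.pop(), []):
            found.append(child)
            stack.append(child)
    return sorted(found)

def detect_nouaccheck(events):
    """Flag explorer.exe launched with /NOUACCHECK and attach the tree beneath it.

    Severity is raised when the parent is not a component that normally starts
    explorer.exe, since the switch is described as a way to inherit an
    already-elevated parent's status rather than a normal shell restart.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not NOUACCHECK.search(e["cmdline"]):
            continue
        parent = by_pid.get(e["ppid"], {}).get("image", "<unknown>")
        severity = "medium" if parent.lower() in EXPECTED_PARENTS else "high"
        findings.append({"rule": "explorer_nouaccheck", "pid": e["pid"],
                         "parent_image": parent, "severity": severity,
                         "children": descendants(events, e["pid"])})
    return findings
```

Running `detect_nouaccheck(SAMPLE_EVENTS)` yields one high-severity finding for pid 4120 with pid 5012 in its subtree, while the ordinary explorer.exe start (pid 3300) is left alone.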

During the encryption phase, Rapture drops a ransom note in every directory it encrypts and often uses hard-coded character strings as file extensions. As we learn more about this variant and its evolving campaign, we will continue to provide updates in our Threat Hunt Packages.