Overview of the Rapture Ransomware
Rapture Ransomware is a newly emerging threat, distinguishing itself by its lean but effective approach. Operating within a notably short lifecycle of 3-5 days, it aims to leave as small a footprint as possible, making its actions harder to trace and analyze. An added layer of complexity comes from its use of Themida, a commercial software packer frequently employed to shield software from reverse engineering; the packer’s anti-debugging, entry point protection, and dynamic encryption features further impede analysis. The sectors currently known to be in Rapture’s crosshairs include healthcare, education, and manufacturing.
Current Campaign Details
Rapture was first identified in early 2023, and it bears some resemblance to another variant known as “Paradise”, particularly in its use of an RSA key configuration file and its compilation as a .NET executable. However, the as-yet unidentified threat actors behind Rapture and its unique behavioral patterns set it apart. Rapture’s targets are typically identified through a combination of system vulnerability scans, spear-phishing emails, and the exploitation of weak systems and software.
Technical Details of the Attack from Rapture Ransomware
Rapture Ransomware’s tactics emphasize stealth and hindering analysis. It is commonly delivered through phishing emails or by exploiting system and software vulnerabilities. Once inside the system, Rapture introduces a file with the extension “.log” and performs an initial reconnaissance that includes an inspection of firewall policies, system tool versioning, and any potentially exploitable Log4J vulnerabilities.
During the encryption phase, Rapture leaves notes in every directory it encrypts, often using hard-coded character strings as extensions. As we learn more about this variant and its evolving campaign, we will continue to provide updates in our Threat Hunt Packages.