droprapid

[Content by Gemini 2.5]

Technical Breakdown – “droprapid” Ransomware (file-marker: “.droprapid”)

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: The malware appends exactly “.droprapid” – always lower-case, no space, no randomised suffix.
  • Renaming Convention:
    – Original name is always preserved, extension appended (e.g. Invoice_April.xlsx.droprapid).
    – Folder names are NOT renamed at any depth; only file names change (original name plus the new extension).
    – On network shares it does the same, so mapped drives show the extra extension instantly – an easy visual giveaway that the encryption job has reached that location.
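The renaming rules above can be turned directly into a triage check for a suspect share. The following script is an added example and is not code from the original write-up: it treats only an exact, lower-case, final ".droprapid" suffix as a hit, rebuilds the original file name from each hit, counts ransom notes, and reports any folder that carries the marker (which the rules say should never happen). The sample directory tree it scans is constructed inline.

```python
"""Triage a directory tree for the ".droprapid" file marker.

Added example (not from the original write-up).  Encodes the stated renaming
rules: the marker is exactly ".droprapid", lower-case, appended after the full
original name, and only files (never folders) are renamed.
"""
import os
import tempfile
from pathlib import Path

MARKER = ".droprapid"            # exact, lower-case, no separator, no suffix
RANSOM_NOTE = "readme Droprapid.txt"


def is_marked(name: str) -> bool:
    """True only for the exact lower-case marker as the final suffix."""
    return name.endswith(MARKER) and len(name) > len(MARKER)


def original_name(name: str) -> str:
    """Strip the marker to recover the pre-encryption file name."""
    if not is_marked(name):
        raise ValueError(f"not a droprapid-marked name: {name!r}")
    return name[: -len(MARKER)]


def scan_tree(root: str) -> dict:
    """Walk root and classify hits.  Folders are checked separately so that a
    renamed *directory*, which the stated pattern never produces, stands out."""
    encrypted, notes, odd_dirs = [], [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if is_marked(d):
                odd_dirs.append(os.path.join(dirpath, d))
        for f in filenames:
            full = os.path.join(dirpath, f)
            if f == RANSOM_NOTE:
                notes.append(full)
            elif is_marked(f):
                encrypted.append((full, original_name(f)))
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "renamed_dirs": sorted(odd_dirs),
    }


def build_sample_tree() -> str:
    """Constructed sample share (not real victim data) for a dry run."""
    root = tempfile.mkdtemp(prefix="droprapid_demo_")
    layout = {
        "Finance/Invoice_April.xlsx.droprapid": b"\x00" * 32,
        "Finance/readme Droprapid.txt": b"notice",
        "Finance/Q2/Budget.docx.droprapid": b"\x00" * 32,
        "Finance/Q2/readme Droprapid.txt": b"notice",
        "Finance/Q2/notes.txt": b"untouched",
        "Finance/Archive.zip.DROPRAPID": b"\x00",     # wrong case: no match
        "Finance/Report.pdf.droprapid.bak": b"\x00",  # marker not final: no match
    }
    for rel, data in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    for path, orig in result["encrypted"]:
        print(f"{path} -> original name {orig!r}")
    print(f"{len(result['notes'])} ransom note(s), "
          f"{len(result['renamed_dirs'])} renamed folder(s)")
```

Run it against a mounted share root instead of the sample tree to get the list of files to restore (with their original names) and the full set of note locations; a non-empty "renamed_dirs" list means the hit is not following this family's stated pattern and deserves a second look.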

2. Detection & Outbreak Timeline

  • First publicly-reported samples: 21 Oct 2023 (uploaded to VirusTotal from the LATAM region).
  • Bulk visibility through ID-Ransomware & Twitter telemetry: mid-Nov 2023 → Jan 2024.
  • Current status: “circulating in the wild but still limited volume”; no spam-campaign peaks since Feb-2024, indicating mostly targeted RDP or exposed-service compromise rather than mass e-mail waves.

3. Primary Attack Vectors

  1. Exposed RDP / RDP brute-force leading to hands-on-keyboard deployment of dropper.
  2. Phishing (e-mail with ISO / ZIP containing a malformed .HTA). The HTA fetches a second-stage PowerShell that downloads the main “droprapid.exe”.
  3. Public-facing but un-patched services:
    – Windows MSHTML / CVE-2021-40444 (remote-HTML template loader).
    – PaperCut NG/MF exploit chain (CVE-2023-27350) observed in one MSP incident (March-2024).
  4. No evidence of worm-like SMBv1/EternalBlue capability at this time; lateral movement relies on automated RDP, PsExec, or WMI once an initial box is under attacker control.

Remediation & Recovery Strategies

1. Prevention

  • Remove RDP from the Internet or shield behind VPN + MFA; move to RDP-Gateway where business-critical.
  • Enforce strong, unique passwords; deploy account-lockout & CAPTCHA on RDP logon.
  • Patch MSHTML (all Office/Windows updates labelled “CVE-2021-40444”, plus current Patch-Tuesday roll-ups).
  • Patch PaperCut/Follow-Me print services (CVE-2023-27350, CVE-2023-27351).
  • Disable macro execution from the Internet; block ISO, VHD, JAR, HTA, PS1 file types at the e-mail gateway.
  • Use Windows Defender Exploit Guard / ASR rules:
    – Block executable content from e-mail client and webmail.
    – Block Office apps creating executable content.
    – Block process creation originating from PsExec and WMI commands (helps stop later-stage manual deployment).
  • Maintain offline, versioned backups (3-2-1 rule); store credentials for backup repo in a different IdP/tenant to prevent “delete-all-permissions” via compromised AD account.

2. Removal (if the box is already encrypted)

  1. Physically isolate (unplug NIC / disable Wi-Fi) to stop spread.
  2. Boot into Safe-Mode-with-Networking or mount the system disk on a clean workstation.
  3. Remove persistence artefacts:
    – Scheduled Task named “BrowserUpdateCheck” pointing to “%AppData%\Droprapid\drp.exe”.
    – Registry Run key “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drpstat”.
  4. Delete the droprapid folders:
    – %ProgramData%\drpCache
    – %AppData%\Droprapid
    – Any user-profile folder that contains “drp.exe” with a compile-time close to the infection date.
  5. Run a full AV/EDR scan (Defender or vendor of choice) to eradicate remaining executables / PS scripts.
  6. BEFORE restoring data, wipe the OS volume and rebuild/re-image; alternatively roll back the VM from a snapshot taken PRIOR to first encryption timestamp (check file creation time of the ransom note “readme Droprapid.txt”).

3. File Decryption & Recovery

  • There is NO free decryptor. droprapid uses a hybrid scheme (per-file AES-256 key, RSA-2048 public key embedded in binary). Private keys are stored on attacker side only.
  • Reconstruction methods:
    – Restore from off-line backup.
    – If a Volume-Shadow copy survives (droprapid does NOT reliably purge them) run: vssadmin list shadows → use ShadowCopy-viewer or Windows “Previous Versions” tab.
    – Search your e-mail server / OneDrive / Dropbox for out-of-sync copies; the attacker does not reach SaaS copies unless the synced drive was mounted and enumerated.
    – Paying the ransom: the group asks 0.032-0.07 BTC (≈ $1,200-$2,500), e-mail address [email protected]; however, payment does not guarantee a working decryptor, and the opportunity for a double-extortion data leak remains, so evaluate legal/compliance risks beforehand.
  • Essential patches/tools:
    – Windows Security baseline KB5028185 (Aug-2023) or newer.
    – Microsoft Safety Scanner (latest) to clean remnants.
    – PaperCut patch 20.1.7 / 21.2.11 / 22.0.5 or newer.
    – CrowdStrike / SentinelOne customers: the behavioural indicators (“drp.exe+ransom-note simultaneous creation”) are blocked generically; make sure you are on sensor ≥ 7.x.
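Two points above fit together in one piece of recovery tooling: removal step 6 (roll back to a point taken BEFORE the first encryption timestamp, read from the creation time of “readme Droprapid.txt”) and the note that surviving shadow copies can be listed with vssadmin list shadows. The script below is an added example and not code from the original write-up. It parses vssadmin-style output, takes the earliest note timestamp gathered during triage, and picks the newest shadow copy that still predates it by a safety margin. The vssadmin excerpt, the IDs in it and the note timestamps are constructed placeholders; the timestamp layout assumes a US-locale console (“M/D/YYYY h:MM:SS AM”).

```python
"""Choose a Volume Shadow Copy that predates the first ransom note.

Added example; not code from the original write-up.  The vssadmin output and
note times are constructed; real values come from `vssadmin list shadows` and
from the creation time of each "readme Droprapid.txt" found during triage.
"""
import re
from datetime import datetime, timedelta

# Constructed excerpt in the shape of `vssadmin list shadows` output.
SAMPLE_VSSADMIN = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

Contents of shadow copy set ID: {SET-ID-PLACEHOLDER-1}
   Contained 1 shadow copies at creation time: 3/12/2024 1:00:03 AM
      Shadow Copy ID: {COPY-ID-PLACEHOLDER-1}
         Original Volume: (C:)\\?\Volume{VOL-PLACEHOLDER}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3

Contents of shadow copy set ID: {SET-ID-PLACEHOLDER-2}
   Contained 1 shadow copies at creation time: 3/13/2024 1:00:05 AM
      Shadow Copy ID: {COPY-ID-PLACEHOLDER-2}
         Original Volume: (C:)\\?\Volume{VOL-PLACEHOLDER}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4

Contents of shadow copy set ID: {SET-ID-PLACEHOLDER-3}
   Contained 1 shadow copies at creation time: 3/14/2024 1:00:01 AM
      Shadow Copy ID: {COPY-ID-PLACEHOLDER-3}
         Original Volume: (C:)\\?\Volume{VOL-PLACEHOLDER}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5
"""

# Constructed creation times of three ransom notes found on the volume.
SAMPLE_NOTE_TIMES = [
    datetime(2024, 3, 14, 0, 5, 0),     # Finance\Q2\readme Droprapid.txt
    datetime(2024, 3, 13, 23, 42, 10),  # Finance\readme Droprapid.txt (earliest)
    datetime(2024, 3, 14, 0, 31, 44),   # HR\readme Droprapid.txt
]

TIME_RE = re.compile(r"creation time:\s+(.+?)\s*$")
VOL_RE = re.compile(r"Shadow Copy Volume:\s+(\S+)")
TS_FMT = "%m/%d/%Y %I:%M:%S %p"   # US-locale console format (assumption)


def parse_shadows(text: str) -> list:
    """Return [(created, shadow_volume_path)] pairs in listing order."""
    shadows, pending = [], None
    for line in text.splitlines():
        m = TIME_RE.search(line)
        if m:
            pending = datetime.strptime(m.group(1), TS_FMT)
            continue
        m = VOL_RE.search(line)
        if m and pending is not None:
            shadows.append((pending, m.group(1)))
            pending = None
    return shadows


def first_encryption_time(note_times) -> datetime:
    """The earliest note creation time is the best upper bound on when
    encryption started on this volume."""
    return min(note_times)


def choose_rollback(shadows, first_note, margin=timedelta(minutes=30)):
    """Newest shadow copy created at least `margin` before the first note.
    Returns None when every surviving copy is too recent; the write-up notes
    the VSS purge is unreliable, so sometimes only offline backups remain."""
    cutoff = first_note - margin
    safe = [s for s in shadows if s[0] <= cutoff]
    return max(safe, key=lambda s: s[0]) if safe else None


if __name__ == "__main__":
    shadows = parse_shadows(SAMPLE_VSSADMIN)
    first = first_encryption_time(SAMPLE_NOTE_TIMES)
    pick = choose_rollback(shadows, first)
    print("first note seen:", first)
    print("rollback candidate:", pick)
```

On a live system the note times come from the file metadata: on Windows, os.stat(path).st_birthtime (Python 3.12+) or st_ctime on older Windows builds is the creation time. The chosen shadow-copy path is what the “Previous Versions” tab or a shadow-copy browser exposes; compare file contents there before trusting the copy, since a partially purged set can still be listed.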

4. Other Critical Information

  • No built-in data-exfil module (no double-extortion AUTOMATIC upload), BUT attackers manually stage “MegaSync” or “rclone” afterwards – treat every incident as a potential breach if you see MEGASync.exe, rclone.exe, or large outbound transfers to “storage.googleapis.com” shortly before encryption hit.
  • “readme Droprapid.txt” is dropped in every folder it touches – contents are bilingual (EN/ES) and grammatically correct; it is the easiest IoC to hunt for.
  • Deletes Windows Event Logs (“wevtutil cl application / security / system”) to hinder forensics – collect logs centrally (WEF/SIEM) BEFORE the wipe.
  • XORs the first 16 bytes of the ransom note with 0x35 to avoid static signatures – generic string search for “droprapid” will still hit because the text is plain inside memory.
  • Wider implication: droprapid’s codebase overlaps >70% with “RedRansom” (mid-2022); what changed is the added anti-shadow-copy feature and a reputation-sanitised decryptor site (Tor v3). Expect future variants to fix the incomplete VSS purge routine and to embed a data-theft module, raising it to the double-extortion standard.
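Three of the bullets above describe behaviour a hunter can check for directly: the ransom note's first 16 bytes are XORed with 0x35 on disk (so a plain byte search misses them until the mask is undone), event logs are wiped with wevtutil cl, and MEGAsync/rclone staging with bulk uploads to storage.googleapis.com precedes encryption. The script below is an added example and not code from the original write-up. The note text and the telemetry lines are constructed, and the key=value field names (ts, type, image, cmd, dst, bytes_out) are an assumed generic schema rather than any vendor's; the 1 GB bulk-upload threshold is likewise an assumption.

```python
"""Hunt for droprapid's staging, anti-forensics and note-obfuscation traces.

Added example; not code from the original write-up.  Note text, telemetry
lines, field names and the bulk-upload threshold are all constructed/assumed.
"""
import re

XOR_KEY = 0x35
XOR_SPAN = 16  # only the first 16 bytes of the note are masked on disk


def unmask_note(raw: bytes) -> bytes:
    """Undo the 0x35 XOR on the first 16 bytes; the rest is already plain.
    XOR is symmetric, so the same call turns a plain sample into its on-disk
    form, which is how the demo below builds its input."""
    return bytes(b ^ XOR_KEY for b in raw[:XOR_SPAN]) + raw[XOR_SPAN:]


def note_mentions_family(data: bytes) -> bool:
    """Plain byte search, as a static string signature or grep would do."""
    return b"droprapid" in data


# Constructed placeholder note text (the real note is bilingual EN/ES).
SAMPLE_NOTE_PLAIN = (b"droprapid: your files were encrypted. "
                     b"/ sus archivos fueron cifrados.")

# Constructed telemetry, one event per line (generic key=value layout).
SAMPLE_EVENTS = [
    'ts=2024-03-13T23:10:02Z type=process image=C:\\Users\\jdoe\\AppData\\Local\\MEGAsync\\MEGAsync.exe cmd="MEGAsync.exe"',
    'ts=2024-03-13T23:12:40Z type=process image=C:\\Tools\\rclone.exe cmd="rclone.exe"',
    'ts=2024-03-13T23:14:00Z type=network image=C:\\Tools\\rclone.exe dst=storage.googleapis.com:443 bytes_out=8412345678',
    'ts=2024-03-13T23:40:55Z type=process image=C:\\Windows\\System32\\wevtutil.exe cmd="wevtutil cl Security"',
    'ts=2024-03-13T23:40:56Z type=process image=C:\\Windows\\System32\\wevtutil.exe cmd="wevtutil cl System"',
    'ts=2024-03-13T23:40:57Z type=process image=C:\\Windows\\System32\\wevtutil.exe cmd="wevtutil cl Application"',
    'ts=2024-03-13T23:41:30Z type=process image=C:\\Windows\\System32\\svchost.exe cmd="svchost.exe -k netsvcs"',
    'ts=2024-03-14T00:00:10Z type=network image=C:\\Vendor\\sync.exe dst=storage.googleapis.com:443 bytes_out=20480',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
STAGING_TOOLS = {"megasync.exe", "rclone.exe"}
CLOUD_SINK = "storage.googleapis.com"
BULK_BYTES = 1_000_000_000  # 1 GB in a single flow; threshold is an assumption


def parse_event(line: str) -> dict:
    """Split a key=value line; quoted values may contain spaces."""
    return {k: q or v for k, q, v in KV_RE.findall(line)}


def hunt(lines) -> list:
    """Return (timestamp, kind, detail) findings in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        exe = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        cmd = ev.get("cmd", "").lower()
        kind = ev.get("type")
        if kind == "process" and exe in STAGING_TOOLS:
            findings.append((ev["ts"], "staging-tool", exe))
        elif kind == "process" and exe == "wevtutil.exe" and re.search(r"\bcl\b", cmd):
            findings.append((ev["ts"], "log-clear", cmd))
        elif kind == "network" and ev.get("dst", "").startswith(CLOUD_SINK):
            sent = int(ev.get("bytes_out", "0"))
            if sent >= BULK_BYTES:
                findings.append((ev["ts"], "bulk-upload", f"{exe} sent {sent} bytes"))
    return findings


def potential_breach(findings) -> bool:
    """Per the write-up: a staging tool or a bulk cloud upload before the
    encryption hit means the incident is a potential data breach."""
    return any(kind in ("staging-tool", "bulk-upload") for _, kind, _ in findings)


if __name__ == "__main__":
    on_disk = unmask_note(SAMPLE_NOTE_PLAIN)  # masked form, as stored on disk
    print("raw note search hits:", note_mentions_family(on_disk))          # False
    print("after unmask:", note_mentions_family(unmask_note(on_disk)))     # True
    for ts, kind, detail in hunt(SAMPLE_EVENTS):
        print(ts, kind, detail)
    print("treat as breach:", potential_breach(hunt(SAMPLE_EVENTS)))
```

The log-clear findings only exist because the sample events were already forwarded; on the host itself wevtutil cl removes the evidence, which is why the write-up insists on WEF/SIEM collection before the wipe. The small transfer from sync.exe is deliberately below the threshold to show that the rule keys on volume plus destination, not on the destination alone.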

Keep your offline backups safe, patch externally facing services, and remember: once you see “.droprapid” on a share, power down – minutes matter.