How to recover .rapid files inside Dropbox – ransomware

Scenario

Files in your Dropbox have been encrypted by RAPID ransomware.

The ransomware will scan the computer for files to encrypt. When a file is encrypted it will have the .rapid extension appended to the encrypted file’s name. When the ransomware has finished encrypting a computer it will create ransom notes named How Recovery Files.txt in various folders.

Solution

It looks like the virus first deletes a file and then enrypts it and adds a .rapid extension. If you’re using Dropbox then you can still recover those deleted files. They can be restored using built-in fuction in Dropbox web interface.

As you can see here I lost my files in this folder and they were all encrypted and renamed by the virus:

Upon clicking on ‘Show deleted files’ you will see that the orginal files are still recoverable:

Instead of clicking on all of them to restore you can simply delete the whole folder and then restore it. This will restore all deleted files inside it including .rapid files and the orginal ones.

Afterwards you can simply delete the encrypted .rapid files using any file manager on your client machine. This will leave only healthy files inside the folder.

Here I’m using Total Commander to mark .rapid files and delete them all at once.

Result

Files inside your Dropbox are now recovered and those with .rapid extension are deleted. Of course this assumes that you’ve eliminated the source of the threat from your machine(s) before applying this fix.

Leave a Reply

Your email address will not be published.