Paradise Ransomware is a file-encrypting virus that surfaced to lime-light for the first time in September 2017. For the past two years, it has been encrypting user’s files using highly-complex Encryption Algorithm, RSA-1024.
In addition to that, Paradise Ransomware is being aggressively distributed as a Ransomware as a Service (RaaS) to the interested affiliates. The developers of Paradise File virus allow the affiliates to customize RaaS by changing ransom amount, contact e-mail address & distribution techniques.
By doing so, developers avoid shouldering the task of malware distribution & use the affiliates to propagate Paradise Ransomware. They generate hefty illicit revenue by charging a certain percentage of ransom amounts from the affiliates.
Some of the common spread techniques of Paradise Ransomware include infected spam e-mail attachments, malware-laden websites & suspicious links.
Once the system is infected, Paradise file virus appends the targeted file names with .paradise extension. However, paradise Ransomware received multiple updates from its developers in the span of two years. Some of the extensions that Paradise variants use are .b1, .sambo, .p3rf0rm4, .b29, .prt, .sell, .ransom & .logger.
Once files are encrypted, Paradise Ransomware drops ransom-demanding text notes on the victim’s system. The demanded ransom amount varies from $500 to $1500 (in bitcoins).
Let us understand what more Paradise Ransomware is capable of doing of & how can one prevent falling victim to this nasty threat.
|Symptoms||It infects your system with the motive of encrypting the files & making them inaccessible. It drops a ransom-demanding note on the victims’s desktop.|
|Damage||Encrypted files are inaccessible. The malware may further increase malicious payload on your system.|
|Removal||Download Removal Tool|
Paradise Ransomware is a devious crypto-virus that encrypts the files using complex Encryption Algorithms such as RSA-1024 & RSA-2048. Not only this, it is also being sold as Ransomware as a Service (RaaS) on the dark web to the interested affiliates.
The prime method of its distribution is Infected Spam E-mail Attachments. A mere click on the malicious Zip attachment unpacks Paradise Ransomware & installs it on the system.
Once infected, Paradise employs Encryption Algorithms to encrypt targeted file extensions. It is capable of encrypting user-generated files such as:
The encrypted files are appended with-
For example: A file named presentation1.ppt might be renamed as “presentation1.pptid-xxxxxxxx.[ firstname.lastname@example.org].paradise”.
Besides encrypting, it deletes shadow copies of files, thus, restricting the users from restoring them.
According to the sources, Paradise Ransomware is being distributed as a Service on the dark web since September 2017. Thus, it has enabled interested affiliates to lock the networks of the victims & hold them for hefty ransom amount.
However, cyber-security analysts do not have much relevant information about Paradise RaaS platform. It is being managed by anonymous personalities on the Dark Web.
Initial Paradise Attacks were observed in various parts of Western Europe & United States. The RaaS mainly targeted Windows OS & ran as “DP_Main.exe” on the infected system.
The developers of Paradise RaaS allow the third-party affiliates to customize & distribute various strains of Paradise Ransomware. In return, the developers receive a certain percentage of the ransom amount & generate huge revenue. One of the well-known variants of Paradise RaaS is TeslaWare.
Some of the extensions of the updated variants of Paradise RaaS are:
Following the successful encryption of the targeted files, Paradise Ransomware drops three text files on the victim’s desktop. These include:
The file named Files.txt contains details of the encrypted user file extensions. The second file named Failed.txt has the list of files that could not be encrypted due to some reason.
The most important file is #DECRYPT MY FILES#.txt, which contains ransom-demanding message from the cyber-crooks. The note describes that the files are encrypted & could not be restored without a decryption key. It further suggests the victims to contact the hackers on the provided e-mail address in order to restore the encrypted files.
Encryption Algorithm, RSA-1024 employed by Paradise Ransomware to encrypt the files generates two private keys – public encryption key & private encryption key. These keys are vital for decrypting the files. Since these keys are stored on hacker’s remote server, they demand hefty ransom amount in exchange of the keys.
While ransom amount (to be paid in Bitcoins) is not specified, it typically ranges from $500 to $1500.
Besides, hackers permit the victims to send any three files (up to 1 MB of size altogether) on the provided e-mail address. The developers offer to decrypt these files for absolutely free of charge & send it back to the victims as a “guarantee” of decryption.
You might wonder if cyber-crooks could be trusted! Well, cyber-security analysts suggest not contacting the hackers. In most of the cases, hackers ignore responding to victims after receiving ransom amount.
Paying the ransom amount doesn’t guarantee decryption of files in any way. Instead, the users lose their money & data permanently and support cyber-crooks in their wicked motives.
Therefore, we do not support reaching out to hackers & paying the ransom.
While no tools are available to crack RSA cryptography as for now, we suggest restoring the system & encrypted files from a backup.
The cyber-criminals use various strategies for malware distribution which include –
While tools for cracking RSA Cryptography are not available at this time, here are few common measures that have been concluded after research & analysis by our analysts.
To restart the system to Safe Mode with Networking, if already switched ON then follow the below steps:
5 Once the system restarts, click on the username and enter the password (if any) to log in.
If the system restore was enabled for both, system and user files, then you can recover your personal data through Windows Previous Version, provided the ransomware has not damaged the backup files. To restore your data follow the instructions given below –
Continue to follow steps 4 & 5 of Method 2 to restore the System Files and settings.
Subscribe to our newsletter today to receive updates on the Latest News and Threats.
The researchers at Virus Removal Guidelines are dedicated to track down the latest vulnerabilities which may infringe your system security. Our team of expert performs a detailed research about every malware infection before educating our users about the same.
Want to stay informed about the latest threats & malware? Sign up for our newsletter & learn how to get rid of all types of threats from your computer.