Paradise Ransomware Uses RSA Encryption to Encrypt Your Files

Posted by Android (Prime VIP, Staff member)
Paradise Ransomware may be a Ransomware as a Service (RaaS)
The Paradise Ransomware appears to be a Ransomware as a Service, or RaaS. In a RaaS, the ransomware developer creates the ransomware, manages its development, and operates the Command and Control server in exchange for a small cut of all ransom payments made by victims. The job of the affiliate, who gets the rest of the ransom payment, is to distribute the ransomware as they see fit.

At this time, emails associated with this RaaS are:

tankpolice@aolonline.top
edinstveniy_decoder@aol.com
info@decrypt.ws

How Paradise Ransomware Encrypts a Computer
At this time it is not known how Paradise infects a computer, but entries in the event log of an infected computer suggest it may be via hacked Remote Desktop services. Once executed, Paradise will relaunch itself in order to gain administrative privileges and then generate a unique RSA-1024 key. This key is then used to encrypt all of the files on each drive on the computer.

When encrypting a file it will append the string id-[affiliate_id].[affiliate_email].paradise to the file name. For example, a file named test.jpg would be renamed to test.jpgid-3VwVCmhU.[info@decrypt.ws].paradise once encrypted.
[Image: encryptedfolder-1.jpg - folder of encrypted files]

As Paradise uses RSA encryption to encrypt a file, the encryption process is very slow, which hopefully allows a victim time to detect the encryption taking place and stop it.

When the ransomware has finished encrypting a computer, it will drop ransom notes named #DECRYPT MY FILES#.txt in each folder where a file was encrypted. This ransom note contains the affiliate's email address and instructions on how to make the payment.
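The renamed-file pattern and ransom note name above give a defender something concrete to hunt for. The following is an added example, not code from the original post: a small Python scanner that parses the Paradise naming scheme (original name, affiliate id, affiliate email) and flags ransom notes across a constructed file listing.

```python
import re
from typing import Optional, NamedTuple

# Paradise appends "id-[affiliate_id].[affiliate_email].paradise" to the
# original file name, e.g. test.jpgid-3VwVCmhU.[info@decrypt.ws].paradise
PARADISE_SUFFIX = re.compile(
    r"^(?P<original>.+?)id-(?P<affiliate_id>[A-Za-z0-9]+)"
    r"\.\[(?P<email>[^\]]+)\]\.paradise$"
)
RANSOM_NOTE = "#DECRYPT MY FILES#.txt"


class ParadiseHit(NamedTuple):
    path: str
    kind: str            # "encrypted_file" or "ransom_note"
    original: Optional[str]
    affiliate_id: Optional[str]
    email: Optional[str]


def parse_paradise_name(name: str) -> Optional[ParadiseHit]:
    """Return details if `name` matches the Paradise naming scheme, else None."""
    if name == RANSOM_NOTE:
        return ParadiseHit(name, "ransom_note", None, None, None)
    m = PARADISE_SUFFIX.match(name)
    if not m:
        return None
    return ParadiseHit(name, "encrypted_file", m["original"],
                       m["affiliate_id"], m["email"])


def scan_listing(paths):
    """Scan an iterable of file paths (e.g. from a file-server audit) and
    return the list of hits plus the set of affiliate emails seen."""
    hits = []
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        hit = parse_paradise_name(name)
        if hit:
            hits.append(hit._replace(path=path))
    emails = {h.email for h in hits if h.email}
    return hits, emails


# Constructed sample listing (not real data): one affiliate, mixed files.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Documents\test.jpgid-3VwVCmhU.[info@decrypt.ws].paradise",
    r"C:\Users\alice\Documents\#DECRYPT MY FILES#.txt",
    r"C:\Users\alice\Pictures\holiday.png",
]

if __name__ == "__main__":
    hits, emails = scan_listing(SAMPLE_LISTING)
    for h in hits:
        print(h.kind, h.path, h.affiliate_id, h.email)
    print("affiliate contact addresses:", sorted(emails))
```

The affiliate id and email recovered from the file names can be matched against the ransom note to confirm which affiliate's campaign hit the host.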

[Image: ransomnote-1.jpg - Paradise ransom note]

Paradise will then extract a ****** encoded wallpaper image and save it to the %Temp% folder as desk.bmp. The ransomware will then set this image as a victim's desktop background.
[Image: wallpaper-1.jpg - desktop wallpaper set by Paradise]


Finally, the ransomware will write the RSA encryption key that was used to encrypt a victim's files to the %UserProfile%\DecriptionInfo.auth file. This file will then be encrypted by a master encryption key that was bundled in the ransomware executable. This allows the developers to extract a victim's unique RSA key after they have paid a ransom.

IOCs

Hashes:

SHA256: 82cfb70e00f357065b68861e71f04b0af33d77fb63e72997b81c3c0402bf5c80

Files Associated with the Paradise Ransomware:
#DECRYPT MY FILES#.txt
%UserProfile%\Desktop\DecriptionInfo.auth
%UserProfile%\AppData\Local\Temp\desk.bmp
%UserProfile%\Failed.txt
%UserProfile%\Files.txt