
Published: 12/09/17 by Peter Bassill

Paradise Ransomware Update

We have received reports of, and have started to see, incidents of the Paradise Ransomware in the wild. Paradise is not new and is distributed through a Ransomware as a Service model. At present, it is not decryptable without paying the ransom, so ensuring your backups are up to date is, as ever, essential.

Infection Path

Presently it is unclear how Paradise is infecting machines, but reported infection paths indicate that it may be via compromised Remote Desktop services. Once executed, Paradise escalates to administrator privileges and then generates a unique RSA-1024 bit key. This is the key that will be used to encrypt all of the files on each drive on the system.

During the encryption process, Paradise appends the string id-[affiliate_id],[affiliate_email].paradise to the name of each encrypted file.

Once the encryption process is complete, it creates a ransom note named #DECRYPT MY FILES#.txt in each folder in which a file was encrypted. This ransom note contains the affiliate’s email address and instructions on how to make a payment. Paradise then extracts an encoded wallpaper image and sets it as the machine’s wallpaper.

Finally, the ransomware writes the RSA encryption key that was used to encrypt a victim’s files to the %UserProfile%\DecriptionInfo.auth file. This file is then encrypted with a master encryption key that was bundled in the ransomware executable. This allows the developers to recover a victim’s unique RSA key after they have paid a ransom.
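The three file-system artefacts described above (the renamed files, the ransom note and the DecriptionInfo.auth file) are enough to build a simple host-side check. The following is an added example written for this post, not code from the original article or from any vendor tool; the comma between affiliate id and e-mail follows the post's wording, and the affiliate id, e-mail and sample files it builds are constructed placeholders.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the post above. The comma between affiliate id and
# e-mail follows the post's wording; adjust it to match observed samples.
PARADISE_EXT_RE = re.compile(
    r"(?<![A-Za-z0-9])id-(?P<affiliate_id>[^,]+),(?P<email>[^,]+)\.paradise$",
    re.IGNORECASE,
)
RANSOM_NOTE = "#DECRYPT MY FILES#.txt"
KEY_FILE = "DecriptionInfo.auth"  # dropped under %UserProfile% per the post

def scan_tree(root):
    """Walk root and collect the artefacts the post attributes to Paradise."""
    findings = {"encrypted": [], "notes": [], "key_files": [], "affiliates": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            m = PARADISE_EXT_RE.search(name)
            if m:
                findings["encrypted"].append(path)
                findings["affiliates"].add((m["affiliate_id"], m["email"]))
            elif name == RANSOM_NOTE:
                findings["notes"].append(path)
            elif name.lower() == KEY_FILE.lower():
                findings["key_files"].append(path)
    return findings

def is_infected(findings):
    """Renamed files alone could be a false positive; require a note or key file too."""
    return bool(findings["encrypted"]) and bool(findings["notes"] or findings["key_files"])

def build_sample_tree(root):
    """Constructed sample profile; the affiliate id and e-mail are placeholders."""
    docs = Path(root) / "Documents"
    docs.mkdir(parents=True)
    (docs / "report.docx.id-AFFILIATEID,affiliate@example.test.paradise").write_bytes(b"\0" * 16)
    (docs / RANSOM_NOTE).write_text("constructed placeholder note")
    (docs / "untouched.txt").write_text("normal file")
    (Path(root) / KEY_FILE).write_bytes(b"\0" * 8)

def demo():
    """Build the constructed profile in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)
```

On a real host, point scan_tree at the user profile directory (or each mounted drive) rather than the constructed temp tree; the affiliate id and e-mail it extracts identify which RaaS affiliate's note to expect.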

Detailed information can be found here:
