Published: 12/09/17 by Peter Bassill
We have received, and have started to see, incidents of the Paradise Ransomware in the wild. Paradise is not new and is distributed through a Ransomware as a Service model. At present, it is not decryptable without paying the ransom so ensuring your backups are up to date is, as ever, essential.
Presently it is unclear how Paradise is infecting machines but reported infection paths indicate that it may be via compromised Remote Desktop services. Once Paradise is executed it will escalate its privileges to operation with admin privileges and then it will generate a unique RSA-1024 but key. This is the key that will be used to encrypt all of the files on each drive on the system.
During the encryption process, Paradise will append the string id-[affiliate_id],[affiliate_email].paradise to the file name.
Once the encryption process is complete, it will create a ransom note named #DECRYPT MY FILES#.txt in each of the folders that a file was encrypted within. This ransom note will contain the affiliates email address and instructions on how to make a payment. Paradise will then extract an encoded wallpaper image and set it as the machines wallpaper.
Finally, the ransomware will write the RSA encryption key that was used to encrypt a victim’s files to the %UserProfile%\DecriptionInfo.auth file. This file will then be encrypted by a master encryption key that was bundled in the ransomware executable. This allows the developers to extract a victim’s unique RSA key after they have paid a ransom.
Detailed information can be found here: https://www.bleepingcomputer.com/news/security/paradise-ransomware-uses-rsa-encryption-to-encrypt-your-files/
10th Floor, 3 Hardman Street
1st Floor, 138a Main Street