
Parad1gm Ransomware

Posted: December 30, 2019

The Parad1gm Ransomware is a file-locking Trojan whose ancestry includes similar software, such as the DoppelPaymer Ransomware and the BitPaymer Ransomware. Like its ancestors, the Parad1gm Ransomware can stop files on your computer from opening by encrypting them, and it does so with the aim of selling the decryption service to victims. Users should keep secure backups to prevent this extortion and use anti-malware utilities to delete the Parad1gm Ransomware as soon as possible.

The BitPaymer Ransomware's Son Expects You to Pay More

The Parad1gm Ransomware is an unexpected recurrence of an old, file-locking Trojan whose line began with the BitPaymer Ransomware in 2017: a Trojan that pretended to be part of Microsoft software while it injected itself into memory processes and locked files. The first variant of it that malware experts confirmed in the wild was the DoppelPaymer Ransomware, but now, a second update is appearing. The Parad1gm Ransomware remains an imposter of Microsoft programs, presumably, as the most believable disguise while it conducts its unsafe activities.

The Parad1gm Ransomware is identifiable by most threat-detecting security programs, although it usually receives a generic ID flag. As a 32-bit Windows program, it's compatible with most Windows environments, which it infects in order to lock files with an AES and RSA encryption routine. One of the few differences it has from old versions of the BitPaymer Ransomware is the extension it adds to show what's locked – a 'parad1gm' string that's unique to this campaign.

Besides blocking content, the Parad1gm Ransomware also modifies Registry Intranet settings. Such an attack has multiple applications: for making Web surfers more vulnerable to unsafe website content, redirecting them towards phishing sites, or blocking security sites like Microsoft's domain. Finally, the Parad1gm Ransomware also has a text ransom note that offers an e-mail for negotiating and a self-deletion feature, although users shouldn't depend on the latter for safety.
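As an added triage example (not code from the original page or from any vendor), the script below walks a directory tree, inventories files carrying the locked extension described above, and flags text files that look like the ransom note because they contain a contact e-mail address. It assumes the extension is appended as '.parad1gm' and uses a constructed sample tree with a placeholder address, since the page does not give the real note filename or address.

```python
import os
import re
import tempfile
from pathlib import Path

# Extension the page reports this campaign appending to locked files (assumed with a leading dot).
LOCKED_EXT = ".parad1gm"
# Loose e-mail pattern, used to spot the negotiation address inside a text ransom note.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def triage_tree(root):
    """Walk a directory tree and collect two ransomware indicators:
    paths of files carrying the locked extension, and .txt files that
    contain an e-mail address (candidate ransom notes), mapped to the
    addresses found in them."""
    locked, notes = [], {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.lower().endswith(LOCKED_EXT):
                locked.append(str(path))
            elif path.suffix.lower() == ".txt":
                try:
                    text = path.read_text(errors="ignore")
                except OSError:
                    continue  # unreadable file: skip rather than abort the sweep
                emails = EMAIL_RE.findall(text)
                if emails:
                    notes[str(path)] = sorted(set(emails))
    return {"locked": sorted(locked), "notes": notes}


def build_sample_tree():
    """Constructed sample: two 'locked' files, a fake note with a placeholder
    address, and an ordinary text file that must not be flagged."""
    root = tempfile.mkdtemp(prefix="parad1gm_triage_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "invoice.docx.parad1gm").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.parad1gm").write_bytes(b"\x00" * 16)
    (docs / "readme.txt").write_text("Your files are locked. Contact EXAMPLE@invalid.example to negotiate.\n")
    (docs / "notes.txt").write_text("Meeting at 10am.\n")
    return root


if __name__ == "__main__":
    result = triage_tree(build_sample_tree())
    print(f"{len(result['locked'])} locked file(s); ransom note candidates: {result['notes']}")
```

Pointing `triage_tree` at a real share gives a quick count of affected files and the note text to preserve as evidence before any cleanup.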

Bucking Off the Paradigm of a Trojan's Profits

Some portions of the Parad1gm Ransomware's payload suggest that the Trojan's campaign is targeting vulnerable business networks. In these cases, e-mail is a very probable infection vector and can use attachments pretending that they're invoices, office equipment notifications or resumes. Enabling macros or using outdated software can encourage the abuse of vulnerabilities that lead to drive-by-downloads from such a 'document,' and malware experts discourage these practices whenever possible.

As noted above, the Parad1gm Ransomware does attempt self-removal, which could cover its tracks and remove evidence that the security industry would otherwise analyze. However, alert users may note the presence of unwanted 'ActiveX' components related to this Trojan. Although the threat actors aren't investing in a digital signature, which can be difficult to acquire, the Parad1gm Ransomware uses the usual misleading file descriptors and inserts itself into other processes' memory.

Professional anti-malware programs will remove the Parad1gm Ransomware in most cases automatically, although there is room for improvement of industry-wide detection rates. Victims can offer samples to interested researchers and update their security software for improving identification chances.

The Parad1gm Ransomware's most obvious attacks are evident as soon as someone tries to open a document with its unusual extension. However, a Trojan of this line also represents a less-visible risk to browser security and accessibility, and victims should remember that what one sees a Trojan do isn't all that it's capable of doing.
