
Paradise Ransomware

Posted: September 13, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 1,787
First Seen: September 13, 2017
Last Seen: December 7, 2021
OS(es) Affected: Windows


The Paradise Ransomware is a file-locking Trojan that uses encryption to block content that can include documents, pictures, spreadsheets, and other formats associated with work or recreational media. Third-party con artists other than the Trojan's author may distribute it using various means, including RDP-based manual installations. Having recent backups of your files and anti-malware programs that could delete the Paradise Ransomware before it finishes locking any content are the best ways of keeping your PC safe.

A Trojan's Paradise in Black

New file-blocking Trojans are under analysis every day, but the majority of them are minor variants, often sharing most or almost all of the same code structure and payloads. It's rarer to see the birth of an entirely new family of Trojans, although just such a case is happening with the Paradise Ransomware. This Ransomware-as-a-Service (RaaS) Trojan delivers RSA-based encryption attacks with the help of third-party, affiliated con artists who handle the compromise of your PC.

The verifiable victims of the Paradise Ransomware so far are server administrators whose credentials were compromised by phishing or brute-force methods, after which the threat actors install the Trojan through the Remote Desktop feature. Compared to the competing file-locker Trojans malware experts have analyzed, the Paradise Ransomware combines some expected attributes with some semi-unique ones, such as:

  • The Paradise Ransomware follows the traditional approach of encrypting media to lock it and then encrypting the key needed to decode it. However, it uses RSA-1024 exclusively, rather than the usual combination of AES for the files and RSA for the key.
  • The Paradise Ransomware will relaunch itself, if necessary, to guarantee that it runs with full admin privileges, thereby giving itself the highest level of file access possible.
  • The Trojan also appends additional information to the names of any encrypted content in a format that's similar to that of the Globe Ransomware. The Paradise Ransomware inserts an ID for the victim, an affiliate con artist's ID and email (both in brackets), and the '.paradise' extension.
  • Although the Paradise Ransomware's encryption routine is thorough and, therefore, relatively slow compared to competing threats, when it finishes, the Trojan hijacks the desktop's background and creates text-based ransom notes. Except for an unusual time limit of thirty-six hours, the Paradise Ransomware makes traditional ransom demands and asks for payment in Bitcoins to unlock your media. The new wallpaper is a pure black image consisting mainly of text, and it contains little information beyond announcing the Paradise Ransomware's identity.

Malware experts can confirm that the Paradise Ransomware is not suitable for free decryption by third parties without further breakthroughs, such as a leaking of its key database.

Escaping Paradise without Paying the Toll

While the Paradise Ransomware doesn't display pop-ups or fake information during the encryption process, the encryption routine does take significant time to finish locking your files. Victims may be able to detect the Paradise Ransomware in the meantime with appropriate security software, or by noting changes in file names or sizes. Since the Paradise Ransomware's encryption is unbreakable, backing up your content before an infection is the only definitive means of saving documents and related media.

RaaS Trojans similar to the Paradise Ransomware may be installed manually by a threat actor who has already obtained a vulnerable network's login credentials. Other attacks may use spam emails or exploit kits (website-based threats that abuse browser vulnerabilities) to compromise the PC. Update your anti-malware programs and let them remove the Paradise Ransomware automatically, when possible, and follow recommended password-management practices to lower the chances of remote attackers gaining control.

The ransom the Paradise Ransomware asks for is left up to the affiliate con artists hiring this threat's services. With new Trojans extracting an unknown price from their victims, PC users who don't back up their files are neglecting their media at a cost that may run to hundreds or even thousands of dollars.

Update January 3rd, 2019 — Seon Ransomware ver 0.1

The Seon Ransomware ver 0.1 is a file-encryption Trojan whose aim is to encrypt files and make it impossible for the victims to access their contents. All the files encrypted by the Seon Ransomware ver 0.1 will have their names changed to include the ‘.FIXT’ extension. Removing the newly added extension will not make the files accessible again; the only way to do this is to use an appropriate decryption tool paired with the unique decryption key generated for each separate victim. It appears that the authors of the Seon Ransomware ver 0.1 might be experimenting with different ransomware versions, since malware researchers have identified another file-locker that appears to be called ‘Seon Ransomware ver 0.2.’ The second version does not feature any major functional improvements, but it uses a ‘.hta’ ransom note that includes additional email addresses for contact.

There is no accurate information regarding the methods used to propagate the Seon Ransomware ver 0.1, so the best way to keep your computer protected is to use a trustworthy and up-to-date anti-virus application. In addition to this security measure, users also are advised to create backup copies of their important files and digital projects so that they can restore them in case the original files get encrypted or wiped by a cyberthreat.

When the Seon Ransomware ver 0.1 executes its attack, it will leave behind the file ‘YOUR_FILES_ARE_ENCRYPTED.txt,’ which includes a detailed ransom note that displays several e-mails for contact: kleomicro@gmail.com, kleomicro@dicksinhisan.us, nlandolforizzo2@gmail.com, landolforizzo@tiwno.gf and landolfrizzo@mailfence.com. The attackers do not specify the amount of money they want in exchange for the decryption of the victim’s files, but you can rest assured that the cost will not be small – ransomware authors often demand hundreds of dollars for their services.

If your computer has fallen victim to the attack of the Seon Ransomware ver 0.1, then we suggest that you disregard the instructions of the attackers, because it is unlikely that anything good will come out from working with cybercriminals. Instead, the victims of the Seon Ransomware ver 0.1 should use a trustworthy anti-virus program to dispose of the threat and then look into alternative data recovery techniques immediately.

Update January 7th, 2019 — 'alexbanan@tuta.io' Ransomware

The 'alexbanan@tuta.io' Ransomware is a new variation of the infamous Paradise Ransomware, a file-locker family that has been rather popular in 2018. Unfortunately, the files locked by the 'alexbanan@tuta.io' Ransomware are impossible to recover without the use of the decryption key that is unique for every victim, and the authors of the ransomware are the ones who have it.

Cyber-threats like the 'alexbanan@tuta.io' Ransomware are often propagated via cleverly disguised email messages that are made to look as if they contain important files or documents that the user must review immediately. However, instead of downloading a legitimate file, the target might end up downloading and launching a harmful file meant to deploy and execute the 'alexbanan@tuta.io' Ransomware’s payload.

When this file-locking Trojan is initialized, it may encrypt the contents of a broad range of file formats immediately, therefore making it impossible to access their contents. All the locked files will experience a small name change since the 'alexbanan@tuta.io' Ransomware will add the ‘__{alexbanan@tuta.io}.CORP’ extension to their names.

The ransom message is delivered via a ‘.hta’ file, which reveals that the attackers are willing to decrypt up to three files free of charge and this can be arranged by messaging alexbanan@tuta.io. Unfortunately, the recovery of the rest of the files will not be free, and the authors of the ransomware might demand a hefty ransom payment in exchange for their services. We advise the victims of the 'alexbanan@tuta.io' Ransomware to remove the infected files with the use of a trustworthy antivirus product immediately, and then look into 3rd-party file recovery methods.
Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: 8tBUerwbQCBA7MYZThoV4oGuOKN.exe
Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8tBUerwbQCBA7MYZThoV4oGuOKN.exe
Size: 636.92 KB (636928 bytes)
MD5: a25cad303bd117999ef90678b14969be
Detection count: 703
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: July 15, 2020

File name: b2ec.tmp.exe
Path: %SYSTEMDRIVE%\Users\<username>\appdata\local\temp\b2ec.tmp.exe
Size: 145.92 KB (145920 bytes)
MD5: 7902fbf7c2c7d09290dc042a6c3e4ccc
Detection count: 616
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: June 26, 2020

File name: 53cc.tmp.exe
Path: c:\Users\<username>\appdata\local\temp\53cc.tmp.exe
Size: 351.23 KB (351232 bytes)
MD5: 0f7e6c13bd84333001688893dc6c242e
Detection count: 40
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: January 6, 2020

File name: bim2VdFPLn54stHVKgKJ.exe
Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bim2VdFPLn54stHVKgKJ.exe
Size: 158.72 KB (158720 bytes)
MD5: f26b38954b3558da7e9bb6566d396e81
Detection count: 19
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: September 10, 2021

File name: file.exe
Size: 36.86 KB (36864 bytes)
MD5: 8aa00ee509a649619794fc1390319293
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: October 1, 2018
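The article notes that victims may spot an infection in progress by watching for renamed files, and the file list above gives the hashes of the droppers seen in the Startup and temp folders. The following Python script is an added example, not code from the original page or from any security vendor: it performs a read-only triage scan that flags files carrying the extensions and ransom-note name the page reports ('.paradise', '.FIXT', the '__{alexbanan@tuta.io}.CORP' suffix, 'YOUR_FILES_ARE_ENCRYPTED.txt') and hashes executables in a Startup folder against the MD5 values listed above. The bracketed-e-mail pattern is an assumption modelled on the one variant sample the page gives, and the decoy files in `demo()` are constructed for illustration.

```python
"""Added example (not from the original page): read-only triage scan for
artefacts the page associates with Paradise Ransomware and its variants.
(1) Walks a directory tree and flags names that end in the reported
extensions or match the reported ransom-note file name.
(2) Hashes .exe files in a Startup folder against the page's MD5 list.
Nothing is deleted or modified."""
import hashlib
import os
import re
import tempfile

# Extensions the page reports for the family and its two variants.
SUSPECT_EXTENSIONS = (".paradise", ".fixt", ".corp")
# Ransom-note name the page gives for Seon ver 0.1; the '.hta' note names
# are not stated on the page, so they are not matched here.
RANSOM_NOTE_NAMES = {"your_files_are_encrypted.txt"}
# MD5 values copied from the page's "File System Modifications" list.
KNOWN_MD5 = {
    "a25cad303bd117999ef90678b14969be": "8tBUerwbQCBA7MYZThoV4oGuOKN.exe",
    "7902fbf7c2c7d09290dc042a6c3e4ccc": "b2ec.tmp.exe",
    "0f7e6c13bd84333001688893dc6c242e": "53cc.tmp.exe",
    "f26b38954b3558da7e9bb6566d396e81": "bim2VdFPLn54stHVKgKJ.exe",
    "8aa00ee509a649619794fc1390319293": "file.exe",
}
# The page says renamed files carry an affiliate e-mail in brackets. The
# exact layout is an ASSUMPTION modelled on '__{alexbanan@tuta.io}.CORP'.
BRACKETED_EMAIL = re.compile(r"[\[{][^\]}@\s]+@[^\]}\s]+[\]}]")


def classify_name(filename):
    """Return indicator tags for one file name (pure string check, no I/O)."""
    lower = filename.lower()
    tags = []
    if lower in RANSOM_NOTE_NAMES:
        tags.append("ransom-note")
    if lower.endswith(SUSPECT_EXTENSIONS):
        tags.append("renamed-by-locker")
    if BRACKETED_EMAIL.search(filename):
        tags.append("bracketed-email")
    return tags


def scan_tree(root):
    """Walk root; return {relative_path: [tags]} for every flagged file."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            tags = classify_name(name)
            if tags:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits[rel] = tags
    return hits


def md5_of(path):
    """Stream a file through MD5 so large executables are not read at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_startup_folder(folder):
    """Return {filename: page_listed_name} for .exe files whose MD5 is known."""
    matches = {}
    if not os.path.isdir(folder):
        return matches
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if os.path.isfile(path) and name.lower().endswith(".exe"):
            hexdigest = md5_of(path)
            if hexdigest in KNOWN_MD5:
                matches[name] = KNOWN_MD5[hexdigest]
    return matches


def demo():
    """Build a CONSTRUCTED directory of decoy files and run both checks."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "docs")
        os.makedirs(docs)
        for name in ("report.docx", "budget.xlsx.paradise",
                     "photo.jpg__{alexbanan@tuta.io}.CORP", "notes.txt.FIXT",
                     "YOUR_FILES_ARE_ENCRYPTED.txt"):
            open(os.path.join(docs, name), "wb").close()
        hits = scan_tree(root)
        startup = os.path.join(root, "Startup")
        os.makedirs(startup)
        # Constructed empty .exe: its MD5 is not on the page's list, so no match.
        open(os.path.join(startup, "harmless.exe"), "wb").close()
        return hits, check_startup_folder(startup)


if __name__ == "__main__":
    found, startup_hits = demo()
    for rel_path, tags in sorted(found.items()):
        print(rel_path, tags)
    print("startup matches:", startup_hits)
```

On a real host you would point `scan_tree` at the user profile and `check_startup_folder` at the Startup path from the file list above; name-based hits are an early-warning signal only, since a renamed file is already encrypted, so the useful response is to isolate the machine and stop the process, not to clean up file names.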
