
Paradise Ransomware Help & Support Topic - .Paradise & #DECRYPT MY FILES#.txt


11 replies to this topic

#1 gschuck

gschuck

  • Members
  • 3 posts

Posted 11 September 2017 - 11:30 AM

A client of mine was hit with something that encrypted almost all the files on the data volume (drive D:) of their computer with .paradise as an extension. The C: drive was not affected. I have had no luck searching for information.

 

I found a program named DP_Main.exe and two text files, all dated and timestamped around the time the encryption occurred.  I have cleaned up the computer and restored almost all the encrypted data from backups, but it seems some of the backups were partially encrypted.  There is a folder that has 15GB of data that I could not restore from the backups.  I am hoping someone can figure out the encryption used and can create a decryptor.

 

The encryption process started running and seemed to abruptly end after about 4.5 hours.  I think this to be true because only some of the backup drive was encrypted and there is no text file in any of the folders that says what happened or who to contact to get the files decrypted.  I tried the ID Ransomware site, but since there is no text file about who to contact, it could not help me.

 

I have 2 zip files with 11 file samples from before and after the encryption, as well as the DP_Main.exe, which I can provide to help.

 

Thank you for your timely assistance.




#2 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,015 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 11 September 2017 - 12:42 PM

Seems like this may be new. Do you have a ransom note?

 

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse button. It's best to compress large files before sharing.

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 gschuck

gschuck
  • Topic Starter

  • Members
  • 3 posts

Posted 11 September 2017 - 01:00 PM

I have just submitted a zip file with 11 encrypted files (Encrypted_PARADISE.zip).  I made a second file submission that is the suspected program that did the encrypting (DP_Main.exe).  I also have a zip file with the same 11 data files before they were encrypted, which I can submit if it would be helpful.



#4 gschuck

gschuck
  • Topic Starter

  • Members
  • 3 posts

Posted 11 September 2017 - 01:01 PM

There was no ransom note in any of the encrypted folders or on the screen.



#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,209 posts
  • Gender:Male
  • Location:USA

Posted 11 September 2017 - 01:11 PM

Thanks. We received the sample and will take a look.

#6 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,215 posts
  • Gender:Male
  • Location:USA

Posted 11 September 2017 - 01:59 PM

I'm afraid it is secure, and cannot be decrypted.

 

The reason it did not give you a ransom note is it probably didn't finish. It attacks local files first then share drives, then drops the ransom note when finished. It is stupid slow, because it directly encrypts files with RSA-1024. It generates an RSA key per victim, then encrypts that with a public key it has embedded.

 

It was supposed to drop this note.

 

#DECRYPT MY FILES#.txt

[WHAT HAPPENED]
Your important files produced on this computer have been encrypted due a security problem
If you want to restore them, write us to the e-mail: info@decrypt.ws
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

[FREE DECRYPTION AS GUARANTEE]

Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information
and their total size must be less than 1Mb
[HOW TO OBTAIN BITCOINS]
The easiest way to buy bitcoin is LocalBitcoins site.
You have to register, click Buy bitcoins and select the seller by payment method and price
https://localbitcoins.com/buy_bitcoins

[ATTENTION]

Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss
If you not write on e-mail in 36 hours - your key has been deleted and you cant decrypt your files

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#7 kukumber

kukumber

  • Members
  • 9 posts

Posted 10 October 2017 - 03:05 PM

I e-mailed the attacker and they responded asking for a file named DecryptionInfo.auth. I can't find this file anywhere. Does anyone know what file this is and where it could be?


Edited by kukumber, 10 October 2017 - 03:07 PM.


#8 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,215 posts
  • Gender:Male
  • Location:USA

Posted 10 October 2017 - 06:59 PM

I don't recall seeing that file referenced in the code, but I'll see if I can take a second look tomorrow.




#9 kukumber

kukumber

  • Members
  • 9 posts

Posted 10 October 2017 - 07:06 PM

Thank you Demonslay335


Edited by kukumber, 10 October 2017 - 07:06 PM.


#10 Amigo-A

Amigo-A

  • Members
  • 209 posts
  • Gender:Male
  • Location:3st station from Sun

Posted 11 October 2017 - 12:47 AM

kukumber

%UserProfile%\Desktop\DecriptionInfo.auth 

Edited by Amigo-A, 11 October 2017 - 01:02 AM.

Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#11 kukumber

kukumber

  • Members
  • 9 posts

Posted 11 October 2017 - 06:49 AM

 

Thanks Amigo-A. For some reason I do not have this file on any of my affected devices. Is there a reason for that?


Edited by kukumber, 11 October 2017 - 06:49 AM.


#12 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,215 posts
  • Gender:Male
  • Location:USA

Posted 12 October 2017 - 03:29 PM

Wouldn't surprise me if it bugged out or something; it does take forever to encrypt files and could have been stopped by something.

 

The article actually states "%UserProfile%\DecriptionInfo.auth" in the text, perhaps look there? I haven't had time to look back at the malware to see when it drops that file.


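As an added example (editor's code, not something posted by anyone in this thread or taken from the malware), the script below does the triage work the thread keeps circling back to: it walks a directory tree and applies the indicators named in the posts above, the .paradise extension from post #1, the #DECRYPT MY FILES#.txt note from post #6, and the DecriptionInfo.auth / DecryptionInfo.auth name from posts #7, #10 and #12, and it uses byte entropy to flag files that look encrypted even though they were never renamed, which is the partially encrypted backup situation the original poster describes. The 7.5 bits/byte threshold, the sample directory it builds, the 64 KiB read size and the treatment of high-entropy files as merely "suspicious" are assumptions for illustration, not behaviour established in the thread. It makes no attempt at decryption; as post #6 states, the files are RSA-1024 encrypted with a per-victim key, so there is nothing to recover without the attacker's key.

```python
import math
import os
import sys
import tempfile
from collections import Counter
from pathlib import Path

# Indicators as named in this thread. The list is constructed for illustration,
# not pulled from an authoritative IoC feed.
PARADISE_EXTENSION = ".paradise"
RANSOM_NOTE_NAME = "#DECRYPT MY FILES#.txt"
# The thread uses both spellings; which one the malware really writes is an assumption.
AUTH_FILE_NAMES = {"DecriptionInfo.auth", "DecryptionInfo.auth"}
# Assumed cut-off (bits per byte) above which a file looks encrypted or compressed.
HIGH_ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path, sample_size: int = 65536) -> dict:
    """Tag one file with the thread's indicators, reading only the first sample_size bytes."""
    with path.open("rb") as fh:
        head = fh.read(sample_size)
    ent = shannon_entropy(head)
    return {
        "path": str(path),
        "entropy": round(ent, 3),
        "paradise_ext": path.suffix.lower() == PARADISE_EXTENSION,
        "ransom_note": path.name == RANSOM_NOTE_NAME,
        "auth_file": path.name in AUTH_FILE_NAMES,
        "high_entropy": ent >= HIGH_ENTROPY_THRESHOLD,
    }


def scan_tree(root) -> dict:
    """Walk root and bucket every file: renamed/encrypted, note, .auth file, suspicious, or clean."""
    buckets = {"encrypted": [], "notes": [], "auth_files": [], "suspicious": [], "clean": []}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            info = classify_file(Path(dirpath) / fn)
            if info["paradise_ext"]:
                buckets["encrypted"].append(info["path"])
            elif info["ransom_note"]:
                buckets["notes"].append(info["path"])
            elif info["auth_file"]:
                buckets["auth_files"].append(info["path"])
            elif info["high_entropy"]:
                # No extension marker but the bytes look random: either a file the run
                # touched without renaming, or simply a compressed file. Needs manual review.
                buckets["suspicious"].append(info["path"])
            else:
                buckets["clean"].append(info["path"])
    return buckets


def build_sample_tree() -> str:
    """Constructed directory mimicking the thread's situation, so the script runs offline."""
    root = Path(tempfile.mkdtemp(prefix="paradise_demo_"))
    backup = root / "backup"
    backup.mkdir()
    # Ordinary document: low entropy, original name.
    (backup / "report.txt").write_bytes(b"Quarterly figures, nothing unusual here.\n" * 50)
    # Renamed and encrypted file; an even spread of all 256 byte values stands in for
    # ciphertext and gives exactly 8.0 bits/byte.
    (backup / "invoice.xlsx.paradise").write_bytes(bytes(range(256)) * 16)
    # Archive that is high-entropy anyway: shows why the suspicious bucket needs review.
    (backup / "photos.zip").write_bytes(bytes(range(256)) * 16)
    # The note post #6 says the malware drops once a run completes.
    (root / RANSOM_NOTE_NAME).write_text("[WHAT HAPPENED]\n...\n")
    return str(root)


if __name__ == "__main__":
    # Usage: python paradise_triage.py <directory>; with no argument it scans the sample tree.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for bucket, paths in scan_tree(target).items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

High entropy on its own is a weak signal: archives, images and already encrypted containers all score close to 8 bits/byte, so the "suspicious" bucket is a list to compare against a known-good copy of the backup, not a verdict. On an affected machine, pointing the script at %UserProfile% as well as the data volume covers both locations suggested for the .auth file in posts #10 and #12.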




