
Paradise Ransomware Help & Support Topic - .Paradise & #DECRYPT MY FILES#.txt


15 replies to this topic

#1 gschuck (Members)

Posted 11 September 2017 - 11:30 AM

A client of mine was hit with something that encrypted almost all the files on the data volume (drive D:) of their computer with .paradise as an extension. The C: drive was not affected. I have had no luck searching for information.

 

I found a program named DP_Main.exe and two text files, all dated and timestamped around the time the encryption occurred.  I have cleaned up the computer and restored almost all the encrypted data from backups, but it seems some of the backups were partially encrypted.  There is a folder that has 15GB of data that I could not restore from the backups.  I am hoping someone can figure out the encryption used and can create a decryptor.

 

The encryption process started running and seemed to abruptly end after about 4.5 hours.  I think this to be true because only some of the backup drive was encrypted and there is no text file in any of the folders that says what happened or who to contact to get the files decrypted.  I tried the ID Ransomware site, but since there is no text file about who to contact, it could not help me.

 

I have 2 zip files with 11 file samples from before and after the encryption, as well as the DP_Main.exe, which I can provide to help.

 

Thank you for your timely assistance.




#2 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor)

Posted 11 September 2017 - 12:42 PM

Seems like this may be new. Do you have a ransom note?

 

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse button. It's best to compress large files before sharing.

 

xXToffeeXx~

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~


#3 gschuck (Topic Starter)

Posted 11 September 2017 - 01:00 PM

I have just submitted a zip file with 11 encrypted files (Encrypted_PARADISE.zip).  I made a second file submission that is the suspected program that did the encrypting (DP_Main.exe).  I also have a zip file with the same 11 data files before they were encrypted, which I can submit if it would be helpful.



#4 gschuck (Topic Starter)

Posted 11 September 2017 - 01:01 PM

There was no ransom note in any of the encrypted folders or on the screen.



#5 Grinler (Lawrence Abrams, Admin)

Posted 11 September 2017 - 01:11 PM

Thanks. We received the sample and will take a look.

#6 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 11 September 2017 - 01:59 PM

I'm afraid it is secure, and cannot be decrypted.

 

The reason it did not give you a ransom note is that it probably didn't finish. It attacks local files first, then share drives, then drops the ransom note when finished. It is stupid slow, because it directly encrypts files with RSA-1024. It generates an RSA key per victim, then encrypts that with a public key it has embedded.

 

It was supposed to drop this note.

 

#DECRYPT MY FILES#.txt

 

 

 

[WHAT HAPPENED]
Your important files produced on this computer have been encrypted due a security problem
If you want to restore them, write us to the e-mail: info@decrypt.ws
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

[FREE DECRYPTION AS GUARANTEE]

Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information
and their total size must be less than 1Mb
[HOW TO OBTAIN BITCOINS]
The easiest way to buy bitcoin is LocalBitcoins site.
You have to register, click Buy bitcoins and select the seller by payment method and price
https://localbitcoins.com/buy_bitcoins

[ATTENTION]

Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss
If you not write on e-mail in 36 hours - your key has been deleted and you cant decrypt your files

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
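As an added example (not code from this thread or from any of the tools named in it), a small Python triage script for the situation the first post and Demonslay335's reply describe: a slow run that was interrupted before it finished and left no note. It lists the folders holding .paradise files, uses their modification times to estimate when the encryption started and stopped, and checks for the note variants and dropped files named in this thread. The sample tree, its file names and its timestamps are constructed.

```python
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Artefact names reported in this thread: extension, note variants, dropped files.
ENCRYPTED_EXT = ".paradise"
NOTE_NAMES = {"#DECRYPT MY FILES#.txt", "#DECRYPT MY FILES#.html"}
DROPPED_NAMES = {"DecryptionInfo.auth", "DecriptionInfo.auth", "DP_Main.exe", "id.dp"}

def triage(root):
    """Scope a Paradise incident under `root`: folders holding encrypted files, the mtime
    window of those files (when encryption ran and stopped) and which artefacts exist."""
    root = Path(root)
    encrypted, notes, dropped = [], [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.endswith(ENCRYPTED_EXT):
                encrypted.append((path, path.stat().st_mtime))
            elif name in NOTE_NAMES:
                notes.append(name)
            elif name in DROPPED_NAMES:
                dropped.append(name)
    folders = sorted({str(p.parent.relative_to(root)) for p, _ in encrypted})
    window = None
    if encrypted:  # no note plus a short window suggests an interrupted run
        times = [m for _, m in encrypted]
        start = datetime.fromtimestamp(min(times), tz=timezone.utc)
        end = datetime.fromtimestamp(max(times), tz=timezone.utc)
        window = {"start": start.isoformat(), "end": end.isoformat(),
                  "hours": round((end - start).total_seconds() / 3600, 2)}
    return {"encrypted_files": len(encrypted), "folders": folders, "window": window,
            "notes": sorted(notes), "dropped": sorted(dropped)}

def build_sample_tree():
    """Constructed sample volume: partially encrypted, no ransom note, dropper and
    id.dp on the desktop. Timestamps are made-up epoch seconds."""
    root = Path(tempfile.mkdtemp(prefix="paradise_"))
    base = 1_505_120_000
    files = [("Docs/report.docx.paradise", base), ("Docs/plan.xlsx.paradise", base + 600),
             ("Backup/set1.bak.paradise", base + 4 * 3600), ("Backup/set2.bak", base + 5 * 3600),
             ("Desktop/DP_Main.exe", base - 60), ("Desktop/id.dp", base - 60)]
    for rel, mtime in files:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed")
        os.utime(path, (mtime, mtime))
    return root
```

Run `triage(build_sample_tree())` on the constructed tree to see a 4-hour window with no note; point it at a mounted image of the real data volume to scope an actual incident.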


#7 kukumber (Members)

Posted 10 October 2017 - 03:05 PM

I e-mailed the attacker and they responded asking for a file named DecryptionInfo.auth. I can't find this file anywhere. Does anyone know what file this is and where it could be?




#8 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 10 October 2017 - 06:59 PM

I don't recall seeing that file referenced in the code, but I'll see if I can take a second look tomorrow.




#9 kukumber (Members)

Posted 10 October 2017 - 07:06 PM

Thank you Demonslay335




#10 Amigo-A (Members)

Posted 11 October 2017 - 12:47 AM

kukumber

%UserProfile%\Desktop\DecriptionInfo.auth


My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#11 kukumber (Members)

Posted 11 October 2017 - 06:49 AM

 

Thanks Amigo-A. For some reason I do not have this file on any of my affected devices. Is there a reason for that?




#12 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 12 October 2017 - 03:29 PM

Wouldn't surprise me if it bugged out or something; it does take forever to encrypt files and could have been stopped by something.

 

The article actually states "%UserProfile%\DecriptionInfo.auth" in the text, perhaps look there? I haven't had time to look back at the malware to see when it drops that file.




#13 iwan1davies (Members)

Posted 14 November 2017 - 06:57 AM

A client of mine has also been hit by this ransomware, but this is what happened with us, from what it looks like in the logs: A user account password was brute-forced using RDP (Windows 7 machine, fully patched). Once they gained access they brute-forced the admin accounts and logged into the DC. They proceeded to change random users' passwords in Active Directory and then started searching for files with the keyword 'password' (luckily they wouldn't have found anything). They then disabled the antivirus and removed backup sets from our cloud-based backup solution. The Paradise ransomware was then downloaded and run, and it encrypted 5 important folders which contained about 20GB of files (these were the ones removed from backup). This all happened over a time period of approx. 4 hours, and they also tried to brute-force this client's online banking etc.

 

We're currently trying to use file recovery software to try getting back as many files as possible.
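An added example (not from the thread) of the detection a defender would want for the first step iwan1davies describes: correlating a burst of RDP logon failures (Security event 4625 with logon type 10) with a later RDP success (event 4624) from the same source IP, which is what a brute-forced password looks like in the logs. The event records are constructed and their field names are simplified from the real Security log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security log records: the fields that matter from 4625 (logon failed)
# and 4624 (logon succeeded). Logon type 10 is RemoteInteractive, i.e. RDP.
def _ev(minute, event_id, user, ip):
    return {"time": "2017-11-13T22:%02d:00" % minute, "event_id": event_id,
            "logon_type": 10, "user": user, "ip": ip}

EVENTS = (
    [_ev(m, 4625, "jsmith", "203.0.113.7") for m in range(1, 7)]  # six failures
    + [_ev(7, 4624, "jsmith", "203.0.113.7")]                      # then success
    + [_ev(3, 4625, "bob", "192.0.2.10"), _ev(4, 4624, "bob", "192.0.2.10")]  # one typo, benign
)

def find_rdp_bruteforce(events, min_failures=5, window=timedelta(minutes=10)):
    """Flag source IPs with at least `min_failures` RDP logon failures inside `window`
    that are then followed by a successful RDP logon from the same IP."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["logon_type"] == 10 and e["event_id"] in (4624, 4625):
            by_ip[e["ip"]].append((datetime.fromisoformat(e["time"]), e["event_id"], e["user"]))
    alerts = []
    for ip, seq in by_ip.items():
        recent = []  # (time, user) failures still inside the sliding window
        for t, event_id, user in seq:
            recent = [f for f in recent if t - f[0] <= window]
            if event_id == 4625:
                recent.append((t, user))
            elif len(recent) >= min_failures:  # success after a burst of failures
                alerts.append({"ip": ip, "failures": len(recent), "compromised_user": user,
                               "users_tried": sorted({u for _, u in recent}), "at": t.isoformat()})
                recent = []
    return alerts
```

The alert's `at` timestamp is where a timeline of the follow-on actions in that post (password resets, backup deletion, the ransomware download) should start.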



#14 Malcolm30 (Members)

Posted 27 November 2017 - 09:37 PM

I received a call from an office that has been hit with the Paradise ransomware. The #DECRYPT MY FILES#.txt file actually has a line that says "Encrypted Key" with a 1368 character string after it. Any ideas on if they messed up and actually provided the key to decrypt the files and how to use it?



#15 chineyman86 (Members)

Posted 02 January 2018 - 02:41 PM

Just got hit with this paradise ransomware too.

 

There are a few differences though: the #DECRYPT MY FILES# file is HTML and not a .txt. In that HTML page, it shows "Your personal KEY". Does anybody know what decryptor/program I could use with this "personal key" to see if I can decrypt my files?

 

Email contact for shows paradise@all-ransomware.info

 

Anybody had any luck with getting their files back?

 

Other files on the desktop:

  • DecryptionInfo.auth
  • DP_Main.exe
  • id.dp

