Today, a victim of a new ransomware called Paradise posted in the BleepingComputer.com forums and uploaded a sample so we could take a look at it. While this ransomware is not revolutionary by any means, since it is in active distribution and a Ransomware as a Service (RaaS), I thought I would provide a brief analysis of how this ransomware works.

Unfortunately, the Paradise Ransomware is not decryptable without paying the ransom and affected users should attempt to recover files via alternate methods. To receive help or discuss this ransomware, you can use the dedicated Paradise Ransomware Support Topic.

Paradise Ransomware may be a Ransomware as a Service (RaaS)

The Paradise Ransomware appears to be a Ransomware as a Service or a RaaS. A RaaS is where a ransomware developer creates a ransomware, manages its development, and operates the Command and Control server in exchange for a small cut of all ransom payments made by victims. The job of the affiliate, who gets the rest of the ransom payment, is to distribyte the ransomware as they see fit.

At this time, emails associated with this RaaS are:

tankpolice@aolonline.top
edinstveniy_decoder@aol.com
info@decrypt.ws

How Paradise Ransomware Encrypts a Computer

At this time, it is not currently known how Paradise infects a computer, but from entries in the event log of an infected computer, it may be via hacked Remote Desktop services. Once executed, though, Paradise will relaunch itself in order to gain administrative privileges and then generate a unique RSA-1024 key. This key is then used to encrypt all of the files on each drive on the computer.

When encrypting a file it will append the string id-[affiliate_id].[affiliate_email].paradise to the file name. For example, a file named test.jpg would be encrypted test.jpgid-3VwVCmhU.[info@decrypt.ws].paradise.

Paradise Encrypted Folder
Paradise Encrypted Folder

As Paradise uses RSA encryption to encrypt a file, the encryption process is very slow, which hopefully allows a victim time to detect the encryption taking place and stop it.

When the ransomware has finished encrypting a computer, it will drop ransom notes named #DECRYPT MY FILES#.txt in folders that a file was encrypted. This ransom note will contain the affiliates email address and instructions on how to make the payment.

Paradise Ransomware Ransom Note
Paradise Ransomware Ransom Note

Paradise will then extract a base64 encoded wallpaper image and save it to the %Temp% folder as desk.bmp. The ransomware will then set this image as a victim's desktop background.

Paradise Ransomware Desktop Background
Paradise Ransomware Desktop Background

Finally, the ransomware will write the RSA encryption key that was used to encrypt a victim's files to the %UserProfile%\DecriptionInfo.auth file. This file will then be encrypted by a master encryption key that was bundled in the ransomware executable.  This allows the developers to extract a victim's unique RSA key after they have paid a ransom.

IOCs

Hashes:

SHA256: 82cfb70e00f357065b68861e71f04b0af33d77fb63e72997b81c3c0402bf5c80

Files Associated with the Paradise Ransomware:

#DECRYPT MY FILES#.txt
%UserProfile%\Desktop\DecriptionInfo.auth
%UserProfile%\AppData\Local\Temp\desk.bmp
%UserProfile%\Failed.txt
%UserProfile%\Files.txt

Paradise Ransomware Note Text:

[WHAT HAPPENED]

Your important files produced on this computer have been encrypted due a security problem
If you want to restore them, write us to the e-mail: info@decrypt.ws
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

[FREE DECRYPTION AS GUARANTEE]

Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information
and their total size must be less than 1Mb
[HOW TO OBTAIN BITCOINS]
The easiest way to buy bitcoin is LocalBitcoins site.
You have to register, click Buy bitcoins and select the seller by payment method and price
https://localbitcoins.com/buy_bitcoins

[ATTENTION]

Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss
If you not write on e-mail in 36 hours - your key has been deleted and you cant decrypt your files

Associated Emails:

tankpolice@aolonline.top
edinstveniy_decoder@aol.com
info@decrypt.ws