Paradise Ransomware

The Paradise Ransomware is a file-locking Trojan that uses encryption to block content that can include documents, pictures, spreadsheets, and other formats associated with work or recreational media. Third-party con artists other than the Trojan's author may distribute it using various means, including RDP-based manual installations. Having recent backups of your files and anti-malware programs that could delete the Paradise Ransomware before it finishes locking any content are the best ways of keeping your PC safe.

A Trojan's Paradise in Black

New file-blocking Trojans are under analysis every day, but the majority of them are minor variants, often sharing most or almost all of the same code structure and payloads. It's rarer to see the birth of an entire, new family of Trojans, although just such a case is happening with the Paradise Ransomware. This Ransomware-as-a-Service (RaaS) Trojan is delivering RSA-based encryption attacks with the help of third-party, affiliated con artists who handle how to compromise your PC.

Server administrators who are verifiable victims of the Paradise Ransomware attacks are being breached by phishing or brute-force methods, after which, the threat actors installs their Trojan with the Remote Desktop feature. The Paradise Ransomware contains both some expected and semi-unique attributes, in comparison to the competing file-locker Trojans malware experts have analyzed, such as:

• The Paradise Ransomware does use the traditional method of encrypting media to lock it before encrypting the key to the original attack's decoding process. However, the Paradise Ransomware uses the RSA-1024 strictly instead of a combination of AES and RSA.
• The Paradise Ransomware will relaunch itself, if necessary, to guarantee that it runs with full admin privileges, thereby giving itself the highest level of file access possible.
• The Trojan also appends additional information to the names of any encrypted content in a format that's similar to that of the Globe Ransomware. The Paradise Ransomware inserts an ID for the victim, an affiliate con artist's ID and email (both in brackets), and the '.paradise' extension.
• Although the Paradise Ransomware's encryption routine is thorough and, therefore, relatively slow compared to competing threats, when it finishes, the Trojan hijacks the desktop's background and creates text-based ransom notes. Except for an unusual timing limit of thirty-six hours, the Paradise Ransomware uses traditional ransoming demands and asks for payment in Bitcoins to unlock your media. The pure black background image also is a text primarily and contains little information other than announcing the Paradise Ransomware's identity.

Malware experts can confirm that the Paradise Ransomware is not suitable for free decryption by third parties without further breakthroughs, such as a leaking of its key database.

Escaping Paradise without Paying the Toll

While the Paradise Ransomware doesn't display pop-ups or fake information during the encryption process, this feature does take significant time to complete its task and finish locking your files. Victims may be able to detect the Paradise Ransomware in the meantime with appropriate security software, or by noting the changes in data names or sizes. Since the Paradise Ransomware's encryption is unbreakable, backing up your content before an infection is the only definitive means of saving documents and related media.

RaaS Trojans similar to the Paradise Ransomware may install themselves with the manual help of a threat actor who gains previous access to a vulnerable network's login combinations. Other attacks may use spam emails or exploit kits (a website-based threat that uses browser-based vulnerabilities) to compromise the PC. Update your anti-malware programs and let them remove the Paradise Ransomware automatically, when possible, and abide by recommended password-managing strategies to lower the chances of remote attackers gaining control.

The ransom the Paradise Ransomware is asking for is left up to the affiliate con artists hiring this threat's services. With new Trojans extracting an unknown price from its victims, PC users not backing up their files are neglecting their media's storage at a cost that may be hundreds or even thousands of dollars.

Update Janury 3rd, 2019 — Seon Ransomware ver 0.1

The Seon Ransomware ver 0.1 is a file-encryption Trojan, whose aim is to encrypt files and make it impossible for the victims to access their contents. All the files encrypted by the Seon Ransomware ver 0.1 will have their names changed to include the ‘.FIXT’ extension. Removing the newly added extension will not make the files accessible again, and the only way to do this is to use an appropriate decryption tool paired with the unique decryption key generated for each separate victim. It appears that the authors of the Seon Ransomware ver 0.1 might be experimenting with different ransomware versions since malware researchers have identified another file-locker, which appears to be called ‘Seon Ransomware ver 0.2.’ The second version does not feature any major improvements regarding functionality, but it also uses a ‘.hta’ ransom note that includes additional email addresses for contact.

There is no accurate information regarding the methods used to propagate the Seon Ransomware ver 0.1 so that the best way to keep your computer protected would be to use a trustworthy and up-to-date anti-virus application. In addition to this security measure, the users also are advised to create backup copies of their important files and digital projects so that they would be able to use them in case the original files get encrypted or wiped by a cyberthreat.

When the Seon Ransomware ver 0.1 executes its attack, it will leave behind the file ‘YOUR_FILES_ARE_ENCRYPTED.txt,’ which includes a detailed ransom note that displays several e-mails for contact - kleomicro@gmail.com, kleomicro@dicksinhisan.us, nlandolforizzo2@gmail.com, landolforizzo@tiwno.gf and landolfrizzo@mailfence.com. The attackers do not specify the amount of money they want in exchange for the decryption of the victim’s files, but you can rest assured that the cost will not be small – ransomware authors often demand hundreds of dollars for their services.

If your computer has fallen victim to the attack of the Seon Ransomware ver 0.1, then we suggest that you disregard the instructions of the attackers, because it is unlikely that anything good will come out from working with cybercriminals. Instead, the victims of the Seon Ransomware ver 0.1 should use a trustworthy anti-virus program to dispose of the threat and then look into alternative data recovery techniques immediately.

Update January 7th, 2019 — 'alexbanan@tuta.io' Ransomware

The 'alexbanan@tuta.io' Ransomware is a new variation of the infamous Paradise Ransomware, a file-locker family that has been rather popular in 2018. Unfortunately, the files locked by the 'alexbanan@tuta.io' Ransomware are impossible to recover without the use of the decryption key that is unique for every victim, and the authors of the ransomware are the ones who have it.

Cyber-threats like the 'alexbanan@tuta.io' Ransomware are often propagated via cleverly disguised email messages that are made to look as if they contain important files or documents that the user must review immediately. However, instead of downloading a legitimate file, the target might end up downloading and launching a harmful file meant to deploy and execute the 'alexbanan@tuta.io' Ransomware’s payload.

When this file-locking Trojan is initialized, it may encrypt the contents of a broad range of file formats immediately, therefore making it impossible to access their contents. All the locked files will experience a small name change since the 'alexbanan@tuta.io' Ransomware will add the ‘__{alexbanan@tuta.io}.CORP’ extension to their names.

The ransom message is delivered via a ‘.hta’ file, which reveals that the attackers are willing to decrypt up to three files free of charge and this can be arranged by messaging alexbanan@tuta.io. Unfortunately, the recovery of the rest of the files will not be free, and the authors of the ransomware might demand a hefty ransom payment in exchange for their services. We advise the victims of the 'alexbanan@tuta.io' Ransomware to remove the infected files with the use of a trustworthy antivirus product immediately, and then look into 3rd-party file recovery methods.

Update January 7th, 2019 — 'alexbanan@tuta.io' Ransomware

The 'alexbanan@tuta.io' Ransomware is a new variation of the infamous Paradise Ransomware, a file-locker family that has been rather popular in 2018. Unfortunately, the files locked by the 'alexbanan@tuta.io' Ransomware are impossible to recover without the use of the decryption key that is unique for every victim, and the authors of the ransomware are the ones who have it.

Cyber-threats like the 'alexbanan@tuta.io' Ransomware are often propagated via cleverly disguised email messages that are made to look as if they contain important files or documents that the user must review immediately. However, instead of downloading a legitimate file, the target might end up downloading and launching a harmful file meant to deploy and execute the 'alexbanan@tuta.io' Ransomware’s payload.

When this file-locking Trojan is initialized, it may encrypt the contents of a broad range of file formats immediately, therefore making it impossible to access their contents. All the locked files will experience a small name change since the 'alexbanan@tuta.io' Ransomware will add the ‘__{alexbanan@tuta.io}.CORP’ extension to their names.

The ransom message is delivered via a ‘.hta’ file, which reveals that the attackers are willing to decrypt up to three files free of charge and this can be arranged by messaging alexbanan@tuta.io. Unfortunately, the recovery of the rest of the files will not be free, and the authors of the ransomware might demand a hefty ransom payment in exchange for their services. We advise the victims of the 'alexbanan@tuta.io' Ransomware to remove the infected files with the use of a trustworthy antivirus product immediately, and then look into 3rd-party file recovery methods.

Technical Details