{
	"id": "861f8558-4258-4f03-a2c9-b756d0a216f7",
	"created_at": "2026-04-06T00:09:05.280815Z",
	"updated_at": "2026-04-10T03:20:28.579562Z",
	"deleted_at": null,
	"sha1_hash": "5debf70c9900b560c18b570a650249953e0c00c2",
	"title": "Paradise Ransomware strikes again",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60829,
	"plain_text": "Paradise Ransomware strikes again\r\nBy MSP Threats Security Team\r\nArchived: 2026-04-05 14:15:10 UTC\r\nParadise Ransomware hits again\r\nThe Paradise ransomware that was active in September 2017 is back with a new round of attacks, starting at the beginning of January 2018. Leveraging the Ransomware as a Service (RaaS) model, the Paradise strain uses an encryption scheme that cannot be broken without the operators’ master private key, relying on the RSA cipher for file encryption – which is an unusual cipher choice.\r\nThe ransomware’s executable file is archived and spread via spam email as a zip attachment. To become infected, a user opens the attachment, unpacks it, and executes the extracted application.\r\nStatic Analysis\r\nThe ‘DP_Main.exe’ ransomware file is a .NET compiled executable and requires .NET Framework 3.5 to start on a user’s machine (MD5: 8aa00ee509a649619794fc1390319293). The PE file is 36,684 bytes and was compiled on January 5, 2018.\r\nInstallation\r\nThe malware copies itself to the following folder on a user’s computer:\r\nC:\\Users\\\u003cUSER\u003e\\AppData\\Roaming\\DP\\\r\nThe executable adds a reference to itself under the Windows Run (autorun) registry key as the following value:\r\n‘DP_Main’ = ‘c:\\Users\\\u003cUSER\u003e\\AppData\\Roaming\\DP\\DP_Main.exe’\r\nParadise Ransomware Installation\r\nKey generation\r\nThe ransomware creates a ‘DecryptionInfo.auth’ file in the following folders:\r\n%USER%\\\r\n%USER%\\Desktop\\\r\nProgram Files\\\r\nThe key file contains the session RSA private key in XML format, encrypted with the master RSA public key and Base64 encoded:\r\nParadise Ransomware - Key generation\r\nParadise Ransomware - Key generation 2\r\nThe master RSA 1024-bit public key is hard coded in Base64:\r\n\u003cRSAKeyValue\u003e\u003cModulus\u003eum4QYAdi0y8L+VKslAr8ggHzi8DrREUDbluQtNuKZ3A9PBYJZ+6z3ngqt9HmhnvRxp1SKrmlt+eQwkrGAOB0K+iiz5qNSSyy\u003c/Modulus\u003e\u003cExponent\u003eAQAB\u003c/Exponent\u003e\u003c/RSAKeyValue\u003e\r\nFile encryption\r\nThe Paradise ransomware encrypts ALL files on fixed, removable, and network drives.\r\nIt skips folders whose path contains any of the following strings:\r\nwindows\r\nfirefox\r\nopera\r\nchrome\r\ngoogle\r\nThe Application Data folder where the cryptolocker lives\r\nThe cryptolocker does not encrypt files whose names contain any of the following strings:\r\n.paradise\r\n#DECRYPT MY FILES#.html\r\nId.dp\r\nDecryptionInfo.auth\r\nIt first encrypts the files in any folders whose path contains the following strings:\r\nmysql\r\nfirebird\r\nmssql\r\nmicrosoft sql\r\nbackup\r\nThe cryptolocker renames each file by adding the following suffix: “[id-\u003cUSER_ID\u003e].[AFFILIATE_EMAIL].paradise”\r\nFor example:\r\nfile.exe[id-iO3mBQGY].[paradise@all-ransomware.info].paradise\r\nParadise uses the RSA cipher with the generated session key pair to encrypt each file’s content, processed in blocks of 547 bytes.\r\nParadise Ransomware - encryption\r\nCommunication\r\nOnce encryption is completed, the malicious process sends a notification request to the remote server.\r\nThe sent data includes:\r\nThe number of encrypted files\r\nThe computer’s name\r\nElapsed time\r\nDecryption info\r\nThe computer’s ID\r\nParadise Ransomware - remote notification\r\nAnalyzed versions of the ransomware connect to ‘localhost’ only. The ransomware config contains ‘localhost’ as the C\u0026C server, which could mean either that the feature was deprecated or that setting the server address in the config was forgotten.\r\nBackup removal\r\nParadise silently deletes Windows shadow copies, like many other ransomware variants currently in the wild:\r\nParadise Ransomware - backup removal\r\nRansom note\r\nIn every folder, the cryptolocker leaves the ransom note ‘#DECRYPT MY FILES#.html’\r\nParadise Ransom Note 2\r\nParadise Ransom Note\r\nDecryption service\r\nThe ransom note includes a contact email address:\r\nparadise@all-ransomware.info\r\nThe user can send up to three files with non-sensitive information – together with the ID and personal RSA key – to this email address to test the decryption service. Each file should be less than 1 MB in size. One of the files will be decrypted as proof that decryption is possible. The ransom value will be set in bitcoin and can vary based on when the user replies or the number of encrypted files.\r\nThe domain ‘all-ransomware.info’ has roots in Russia, according to WhoIs data:\r\nParadise Ransomware - domain\r\nThe server is geographically located in St Petersburg.\r\nParadise Ransomware - location\r\nConclusion\r\nThere is no way to restore encrypted files other than to pay the ransom. The files are encrypted with the session RSA public key and can only be decrypted with the session RSA private key, which is itself encrypted with the master RSA public key. The session RSA private key can therefore be recovered only with the master RSA private key, which is held by the criminals.\r\nThe only free alternative that is recommended is to restore files from backup, if available, after the infected computer has been cleaned.\r\nAcronis True Image detects and blocks Paradise as well\r\nRather than waiting to react after Paradise encrypts your files, you can use Acronis True Image 2018 and our other products with Acronis Active Protection enabled to detect and stop Paradise ransomware. You’ll also be able to restore any affected files in a matter of seconds.\r\nRansomware detected by Acronis\r\nAcronis restores files\r\nSource: https://www.acronis.com/en-us/blog/posts/paradise-ransomware-strikes-again",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.acronis.com/en-us/blog/posts/paradise-ransomware-strikes-again"
	],
	"report_names": [
		"paradise-ransomware-strikes-again"
	],
	"threat_actors": [],
	"ts_created_at": 1775434145,
	"ts_updated_at": 1775791228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5debf70c9900b560c18b570a650249953e0c00c2.pdf",
		"text": "https://archive.orkl.eu/5debf70c9900b560c18b570a650249953e0c00c2.txt",
		"img": "https://archive.orkl.eu/5debf70c9900b560c18b570a650249953e0c00c2.jpg"
	}
}
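The write-up above lists concrete host indicators (the rename suffix, the dropped DecryptionInfo.auth and ransom-note files, the %APPDATA%\DP dropper and its Run-key value) together with the folder targeting rules (skipped folder fragments, priority folders for databases and backups). The following Python triage helper is an added example, not code from the Acronis write-up or from the malware itself: it applies those indicators to a file listing such as a forensic image or EDR inventory would provide. It assumes case-insensitive matching and Windows-style paths, neither of which the write-up states, and the SAMPLE_LISTING is constructed input rather than data from a real victim.

```python
"""Triage helper for the Paradise ransomware indicators in the write-up.

Added example, not code from the write-up or from the malware. Assumptions
not stated in the write-up: matching is case-insensitive and paths are
Windows-style. SAMPLE_LISTING is constructed input, not real victim data.
"""
import ntpath
import re
from collections import Counter

# Rename suffix from the write-up: <name>[id-<USER_ID>].[AFFILIATE_EMAIL].paradise
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)\[id-(?P<victim_id>[^\]]+)\]\.\[(?P<email>[^\]]+)\]\.paradise$"
)

SKIPPED_FOLDER_FRAGMENTS = ("windows", "firefox", "opera", "chrome", "google")
PRIORITY_FOLDER_FRAGMENTS = ("mysql", "firebird", "mssql", "microsoft sql", "backup")
SKIPPED_FILE_FRAGMENTS = (".paradise", "#decrypt my files#.html", "id.dp", "decryptioninfo.auth")

DROPPER_DIR_SUFFIX = r"\appdata\roaming\dp"   # %APPDATA%\DP, lower-cased
DROPPER_NAME = "dp_main.exe"
RUN_VALUE_NAME = "DP_Main"

# Constructed sample listing (not real victim data) that exercises every rule.
SAMPLE_LISTING = [
    r"C:\Users\alice\AppData\Roaming\DP\DP_Main.exe",
    r"C:\Users\alice\DecryptionInfo.auth",
    r"C:\Users\alice\Desktop\DecryptionInfo.auth",
    r"C:\Users\alice\Desktop\#DECRYPT MY FILES#.html",
    r"C:\Users\alice\Desktop\report.docx[id-iO3mBQGY].[paradise@all-ransomware.info].paradise",
    r"C:\Backup\db.bak[id-iO3mBQGY].[paradise@all-ransomware.info].paradise",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Program Files\Google\Chrome\chrome.exe",
    r"D:\mysql\data\ibdata1",
    r"C:\Users\alice\Documents\notes.txt",
]


def parse_encrypted_name(path):
    """Split a Paradise-renamed file into original name, victim ID and affiliate e-mail."""
    m = ENCRYPTED_NAME.match(ntpath.basename(path))
    return m.groupdict() if m else None


def is_skipped_folder(path):
    """Folders the write-up says are left alone, including the dropper's own %APPDATA%\\DP."""
    folder = ntpath.dirname(path).lower()
    if folder.endswith(DROPPER_DIR_SUFFIX) or DROPPER_DIR_SUFFIX + "\\" in folder:
        return True
    return any(frag in folder for frag in SKIPPED_FOLDER_FRAGMENTS)


def is_priority_folder(path):
    """Database and backup folders that the write-up says are encrypted first."""
    folder = ntpath.dirname(path).lower()
    return any(frag in folder for frag in PRIORITY_FOLDER_FRAGMENTS)


def is_skipped_file(path):
    """Already-encrypted files and the ransomware's own artefacts are not encrypted."""
    name = ntpath.basename(path).lower()
    return any(frag in name for frag in SKIPPED_FILE_FRAGMENTS)


def encryption_order(paths):
    """Return (first_wave, second_wave, untouched) under the targeting rules above."""
    first, second, untouched = [], [], []
    for p in paths:
        if is_skipped_folder(p) or is_skipped_file(p):
            untouched.append(p)
        elif is_priority_folder(p):
            first.append(p)
        else:
            second.append(p)
    return first, second, untouched


def is_paradise_run_value(value_name, value_data):
    """Match the Run-key entry: 'DP_Main' = <...>\\AppData\\Roaming\\DP\\DP_Main.exe."""
    target = DROPPER_DIR_SUFFIX + "\\" + DROPPER_NAME
    return value_name == RUN_VALUE_NAME and value_data.strip('"').lower().endswith(target)


def triage(paths):
    """Group the indicators found in a listing by kind, victim ID and affiliate."""
    report = {"encrypted": [], "victim_ids": Counter(), "affiliates": Counter(),
              "ransom_notes": [], "key_files": [], "dropper": []}
    for p in paths:
        name = ntpath.basename(p)
        info = parse_encrypted_name(p)
        if info:
            report["encrypted"].append((p, info["original"]))
            report["victim_ids"][info["victim_id"]] += 1
            report["affiliates"][info["email"]] += 1
        elif name == "#DECRYPT MY FILES#.html":
            report["ransom_notes"].append(p)
        elif name == "DecryptionInfo.auth":
            report["key_files"].append(p)
        elif name.lower() == DROPPER_NAME and ntpath.dirname(p).lower().endswith(DROPPER_DIR_SUFFIX):
            report["dropper"].append(p)
    return report


if __name__ == "__main__":
    first, second, untouched = encryption_order(SAMPLE_LISTING)
    print("encrypted first:", first, "\nencrypted next:", second, "\nleft alone:", untouched)
    r = triage(SAMPLE_LISTING)
    print("victim IDs:", dict(r["victim_ids"]), "affiliates:", dict(r["affiliates"]))
    print("notes:", r["ransom_notes"], "key files:", r["key_files"], "dropper:", r["dropper"])
```

Two things worth noting when using this on a real listing. The folder rules reproduce what the write-up describes, which is a bare substring match: a user folder whose path merely contains the word "windows" or "google" would be skipped by the malware as well, so do not treat the untouched set as a list of files that were never at risk. For hunting, the high-fidelity signals are the suffix regex (which also yields the victim ID and affiliate address for correlating across hosts), a DecryptionInfo.auth at the user profile root or Desktop, and the DP_Main Run value; the folder rules are mainly useful for estimating which data (databases and backups) was hit first.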