Paradise Ransomware strikes again By MSP Threats Security Team Archived: 2026-04-05 14:15:10 UTC Paradise Ransomware hits again The Paradise ransomware that was active in September 2017 is back with a new round of attacks, starting at the beginning of January 2018. Leveraging the Ransomware as a Service (RaaS) model, the Paradise strain provides an unbreakable encryption scheme by using the RSA cipher for file encryption – which is an unusual cipher choice. The ransomware’s executable file is archived and spread via spam email as a zip attachment. To become infected, a user opens the attachment, unpacks it, and executes the extracted application. Static Analysis The ‘DP_Main.exe’ ransomware file is a .NET compiled executable and requires .NET Framework 3.5 to start on a user’s machine (MD5: 8aa00ee509a649619794fc1390319293). The PE file is 36,684 bytes and was compiled on January 5, 2018. Installation The malware copies itself to the following folder on a user’s computer: C:\Users\\AppData\Roaming\DP\ The executable adds the reference to itself in the Autorun Windows registry key as the following value: ‘DP_Main’ = ‘c:\Users\\AppData\Roaming\DP\DP_Main.exe’ Paradise Ransomware Installation Key generation The ransomware creates ‘DecryptionInfo.auth’ file in the following folders: %USER%\ %USER%\Desktop\  Program Files\ The key file contains the session RSA private key in the XML format, encrypted with the master RSA public key and Base64 encoded: Paradise Ransomware - Key generation Paradise Ransomware - Key generation 2 The master RSA 1024-bit public key is hard coded in Base64: Modulus>um4QYAdi0y8L+VKslAr8ggHzi8DrREUDbluQtNuKZ3A9PBYJZ+6z3ngqt9HmhnvRxp1SKrmlt+eQwkrGAOB0K+iiz5qNSSyy AQAB File encryption The Paradise ransomware encrypts ALL files on fixed, removable, and network drives. It filters out the folders that contain the following strings: windows firefox opera chrome google The Application Data folder where the cryptolocker lives The cryptolocker does not encrypt the files that contain the following strings: .paradise #DECRYPT MY FILES#.html Id.dp DecryptionInfo.auth https://www.acronis.com/en-us/blog/posts/paradise-ransomware-strikes-again Page 1 of 3 It first encrypts the files in any folders that contain the following strings: mysql firebird mssql microsoft sql backup The cryptolocker renames a file adding the following suffix:  “[id-].[AFFILIATE_EMAIL].paradise” For example: file.exe[id-iO3mBQGY].[paradise@all-ransomware.info].paradise Paradise uses the RSA cipher, and the generated session key pairs to the encrypt file’s content, divided in blocks of 547 bytes. Paradise Ransomware - encryption Communication Once the encryption is completed, the malicious process sends a notification request to the remote server. The sent data includes: The number of encrypted files The computer’s name Elapsed time Decryption info The computer’s ID Paradise Ransomware - remote notification Analyzed versions of the ransomware connect to ‘localhost’ only. The ransomware config contains ‘localhost’ as the C&C server, which could mean that either the feature was deprecated or setting the server data in config was forgotten. Backup removal Paradise silently deletes Windows shadow copies, like many other ransomware variants currently in the wild: Paradise Ransomware - backup removal Ransom note In every folder, the cryptolocker leaves the ransom note ‘#DECRYPT MY FILES#.html’ Paradise Ransom Note 2 Paradise Ransom Note Decryption service The ransom note includes a contact email address: paradise@all-ransomware.info The user can send up to three files with non-sensitive information – together with the ID and personal RSA key – to this email address to test the decryption service. Each file should be less than 1 MB in size. One of the files will be decrypted as proof that decryption is possible. The ransom value will be set in bitcoin and can vary based on when the user replies or the number of encrypted files. The domain ‘all-ransomware.info’ has roots on Russia, according to WhoIs data: Paradise Ransomware - domain The server is geographically located in St Petersburg. Paradise Ransomware - location Conclusion There is no way to restore encrypted files other than to pay a ransom. The files are encrypted using a session public RSA key and require session private RSA key, which is encrypted along with the master public RSA key. The session RSA private key https://www.acronis.com/en-us/blog/posts/paradise-ransomware-strikes-again Page 2 of 3 can be decrypted only with the master private RSA key, which is held by the criminals. The only free alternative that is recommend is to restore files from backup, if available, after the infected computer has been cleaned. Acronis True Image detects and blocks Paradise as well Rather than waiting to react after Paradise encrypts your files, you can use Acronis True Image 2018 and our other products with Acronis Active Protection enabled to detect and stop Paradise ransomware. You’ll also be able to restore any affected files in matter of seconds. Ransomware detected by Acronis Acronis restores files Source: https://www.acronis.com/en-us/blog/posts/paradise-ransomware-strikes-again https://www.acronis.com/en-us/blog/posts/paradise-ransomware-strikes-again Page 3 of 3