# Paradise Ransomware: The Builder **[marcoramilli.com/2021/08/23/paradise-ransomware-the-builder/](https://marcoramilli.com/2021/08/23/paradise-ransomware-the-builder/)** View all posts by marcoramilli August 23, 2021 The ransomware builders remind me old times, where Nukes and Exploiters were freely available on the underground communities, when few clicks were enough to bypass many AV vendors and attackers were activists or single people challenging the system. Nowadays the way the “builders” are developed and the way the criminality is abusing them to generate new Malware is a lot more sophisticated compared to 20 years ago during the romantic “hacking for fun” era. The impact of such a Malware in the contemporary society is something that needs high attention since the digitization approaching the entire world. For such a reasons I believe it would be interesting to study, when possible and when available, how Ransomware Builder have been developed. The main attentions nowadays is on Ransomware binaries rather than on builders, but since “builders” are (in a way) more closed to the Malware developer — in fact generated ransomware are very similar each other because automatically generated by the builder — I believe that studying the builders would give us a more closed knowledge about the Malware author. **Light Technical Analysis** Before getting into code, it would be useful to remind that Paradise Ransomware was firstly launched on 2017 through phishing emails containing malicious IQY attachments that downloaded and installed the ransomware. The first versions of the ransomware contains flaws that allowed ----- [international researchers to build a free decryption tool (for details HERE) able to recover files from](https://www.bleepingcomputer.com/news/security/paradise-ransomware-decryptor-gets-your-files-back-for-free/) the old version of the Ransomware. After some revisions the Ransomware became strongest by adopting RSA encryption which made impossible the decryption without the private key. [As reported by BleepingComputer (HERE) source code leaked during this (2021) summer on](https://www.bleepingcomputer.com/news/security/paradise-ransomware-source-code-released-on-a-hacking-forum/) XSS.IS forum. Forum post with leaked Paradise Ransomware source code The source code is written on .NET, by giving it a chance to run on a local and virtualozed environment, it runs smoothly and without any issue on a basic version of .NET framework over a Microsoft Visual Studio. ----- [Simple starting Run (img from HERE)](https://www.bleepingcomputer.com/news/security/paradise-ransomware-source-code-released-on-a-hacking-forum/) The leaked source code looks like following the default structure on Microsoft VS. As you might appreciate from the following image the leaked folder structure is simple and lean. ----- Leaked Source Code structure After a quick and incomplete overview of the code it is possible to appreciate several “quick findings”. While the produced ransomware (Paradise) is something that eventually will get of public domain (since inoculated on victims machines) the attacker would insert a lot of “security check” (in order to get harder the analyst life) but the builder is used to be a confidential “piece of code” which is hold by affiliate criminal groups and for such a reason the developer ( which works with limited amount of time – he needs to make economy himself -) is not used to implement checks and precautions used in the final payload. So here they are, quick findings ahead. **Language: Russian. Over the source code it’s easy to find developer comments, which** according to google, belongs with Russian language. ----- Russian Language over leaked source code **Username of building computer: MALIKA. Microsoft Visual Studio lets some information** regarding the user who compiles the source code into binary. These information are reported into .csproj file used to configure the environment settings for compiling and linking time. The following image shows the the username used to compile the project. ----- Username used to compile the VS Project **Configurable** **settings: Keys and More. Instead of getting configuration files from external** resources the builder (acting as a server) needs to be configured introducing configuration strings directly on the source code. It looks like the builder is made for advanced users only (maybe internal usage and not for affiliate?). ----- Configuration Strings **Ransomware name: Paradise. Strings and configuration takes the analyst to believe this** builder is really the Paradise builder even from an inside perspective. **Paradise email notification** ----- In memory **name:** `dp_main . Even if you run Paradise Ransomware with different` configuration name, the system would add a `dp_main in the running environment memory.` Indeed the sample count on such a string in order to understand how many parallel processes are running Checking in memory Beside the “quick findings” it would be interesting to check used practices and Ransomware characteristics. One of the first characteristics is in the persistence method. While the “Autorun” is quite simple and very abused the Paradise ransomware seems to copy itself in a specific directory named `DP (under the romantic` `appdata service directory) and looks like it names the Paradise` Ransomware always in the same way, uncaring about configuration settings. The name is ``` DP_Main.exe as showed in the code below. ``` ----- Persistence and Executable Name. Shadow copies deletion is quite a standard practice for successfully ransomware. Even in this case the action is quite standard, by running the following command in a cmd.exe: `ProcessStartInfo` ``` psiOpt = new ProcessStartInfo(@"cmd.exe", @"/C sc delete VSS"); ``` Interesting and quite characteristic the way Paradise Ransomware does check-in into its command and control system. From this function it would be possible to serialize a network detection rule (even if would be quite general, so pay attention to false positives in case you are going to implement it ) such as: `/api/Encrypted.php .` Check-in function One of the most interesting piece of code (at least in my personal point of view) is in the way the sample manage encryption keys. Getting into details, what moves my interest starts from the main function at line `718 which I report following.` ----- Interesting characteristic: `SavePrivateKey` In other words if in the systems (host) there is no keys, Paradise Ransomware generates them and save both of them on the local machine ! Unfortunately the process to save private keys to HD does it well by encrypting them, but … there is still something to do here (bu I’m not going to stress out this pint out). Most interesting for the analysis is the process that uses this Ransomware to deal with keys. The following image shows the function named `SavePrivateKey, which actually does not` what you aspect to do. ----- Save Private Key In `SavePrivateKey the attacker actually saves a combination between encrypted(private) key and` public RSA key as shown in the previous image. Indeed it then calls a new function named ``` SavekeysToFiles which saves them into a unique files called DecryptionInfo.auth . Finally ``` one more interesting characteristic is in the way Paradise encrypts files. A questionable choice by Malware author is the ability to encrypt “only” the first 10MB of big files. If the files are smaller it divides file in 117 bytes and loops over them. ----- Encryption Loop **IoC** One-Time Monthly **Make a one-time donation** **Make a monthly donation** Choose an amount $1.00 $5.00 $10.00 $5.00 $15.00 $100.00 If you think this content is helpful, please consider to make a little donation. It would help me in building and writing additional contributions to community. By donation you will contribute to community as well. Thank you ! If you think this content is helpful, please consider to make a little donation. It would help me in building and writing additional contributions to community. By donation you will contribute to community as well. Thank you ! [DonateDonate monthly](https://subscribe.wordpress.com/memberships/?blog=155480246&plan=10519&lang=en_US&pid=10196&redirect=https%3A%2F%2Fmarcoramilli.com%2F2021%2F08%2F23%2Fparadise-ransomware-the-builder) Following the analyzed files composing the leaked codebase. **SHA256** **Name** 753f1e353ad0eb75555f81e090a3e89339d96266f5e33e2ada34c9ea655dcee9 AssemblyInfo.cs ----- e375edc127182453ad7ed84ae3abac3759dded7265284af48015a165e439f26c DP_Builder.csproj 0dfb6a940a583432f21ce03634c0e8d6a9030443e391cf44f9581212716d4308 DP_Builder.sln 363a99b2480c11b9431c046d44b323807e9b11bf237cc291dde11151d8b75581 MainForm.cs 5eb2c22d092f3bf2077d7e9128c38c1bc29fd0b06479646c05afb0bf741891dc MainForm.resx f282d765bb83d76be318a2a982605d06619da2376165ba12cc6ca4e50aa0754d Program.cs a1428e2c84c3420a0481e524e103db7fde84d2107bd02738349c48ee4d6a5353 Resources.cs e9ae7a5837b34b65608964e7315450a3459e0e01366769b68b904504a55db102 Resources.resx 07958ee0ed74c8e4637d0903d686e66e7bd9e6b89bca0d3df4531d590c848a05 Settings.cs Main Sourcecode Files **Conclusions** Every code owns specific characteristics, every Malware Author makes decisions and such decision reflect in the way they write source code. Analyzing Malware source code lets us the ability to compare style and design patterns. Today in my quick Paradise Ransomware source code analysis I highlighted only few of the many characteristics that could be observed by reading someone else’s code. I believe that sharing this information would be useful to everybody working in cyber defense sphere. -----