{
	"id": "b3f2aa9b-60ae-4602-8ac6-0854100e11f9",
	"created_at": "2026-04-06T00:15:31.305512Z",
	"updated_at": "2026-04-10T03:20:26.111015Z",
	"deleted_at": null,
	"sha1_hash": "c8e7cc0dce90c5f958a23c76d5be7fc2fedfc344",
	"title": "Source code for Paradise ransomware leaked on hacking forums",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 335255,
	"plain_text": "Source code for Paradise ransomware leaked on hacking forums\r\nBy Catalin Cimpanu\r\nPublished: 2022-12-10 · Archived: 2026-04-05 13:40:49 UTC\r\nThe source code of the .NET version of the Paradise ransomware was leaked on hacking forums over the\r\nweekend, Tom Malka, a senior threat intelligence analyst for security firm Security Joes, has told The\r\nRecord today.\r\nThe code, which was shared on a Russian-speaking forum called XSS, represents the second major ransomware\r\nstrain whose source code was leaked in recent years after the Dharma code leaked in early 2020.\r\nThe authenticity of the leaked files was verified and confirmed by malware analysts Bart\r\nBlaze and MalwareHunterTeam, which previously analyzed several Paradise ransomware campaigns.\r\nA short history of the Paradise ransomware\r\nFirst spotted in September 2017, the Paradise ransomware was rented online to cybercrime gangs via a classic\r\nRansomware-as-a-Service (RaaS) offering.\r\nParadise ransomware advertised as a RaaS pic.twitter.com/17hXePXnbn\r\n— Catalin Cimpanu (@campuscodi) September 23, 2017\r\nThreat actors would sign up for the Paradise RaaS, and they'd receive a specialized app, called a builder, which\r\nthey'd use to build custom versions of the Paradise ransomware that they would later spread to victims via email\r\nspam and other methods.\r\nWhile in recent years, we have gone accustomed to ransomware gangs going after high-profile companies,\r\nchasing large payments, the Paradise ransomware was primarily used to target home consumers and smaller\r\ncompanies.\r\nhttps://therecord.media/source-code-for-paradise-ransomware-leaked-on-hacking-forums/\r\nPage 1 of 6\n\nSeeking small ransom payments, the Paradise RaaS was considered an entry point into the ransomware scene for\r\ncriminal gangs, which would begin their career targeting end consumers and small businesses, and then move to\r\nthe more professional RaaS offerings that targeted large corporations.\r\nThe Paradise RaaS operated for years, constantly releasing new versions, including a .NET version, which saw\r\nlimited use in 2019 and 2020.\r\nThe RaaS hit its first major snag in October 2019 when security firm Emsisoft released a free decryption\r\nutility that allowed victims to decrypt files encrypted by the Paradise ransomware without paying the ransom\r\ndemand.\r\nThe Paradise operators released new versions, but security firm Bitdefender released a second decrypter a few\r\nmonths later, in January 2020.\r\nSince then, the RaaS' operations have lost some of their stamina, with fewer campaigns being spotted by security\r\nresearchers on a weekly basis.\r\nOne of the Paradise affiliates drew some attention to itself in March 2020 when they utilized a novel spam\r\ncampaign that used IQY files to spread the ransomware, but since then, Paradise payloads have been rare, with the\r\nlast public sample being seen in January this year.\r\n#Paradise #Ransomware\r\nmail:\r\nagreemaster@tutanota.com\r\nagreemaster@protonmail.com\r\next:Cukiesi\r\nsample:https://t.co/9ltw4clA85@Amigo_A_ @demonslay335 pic.twitter.com/wBEC30GPbG\r\n— xiaopao (@Kangxiaopao) January 29, 2021\r\nSecurity firm SonicWall also reported spotting a new ransomware version named Cukiesi, which they concluded\r\nwas an offshoot of the old Paradise, but this variant didn't survive for long either.\r\nhttps://therecord.media/source-code-for-paradise-ransomware-leaked-on-hacking-forums/\r\nPage 2 of 6\n\nToday, the native version of the Paradise ransomware is still making a handful of victims on a weekly basis.\r\nAccording to MalwareHunterTeam, the ID-Ransomware service has only seen two submissions in the last 30\r\ndays, suggesting the project has been abandoned or is seeing lesser use in favor of its native version – with\r\nnatively-coded ransomware being known to be faster at encrypting files compared to .NET alternatives.\r\nParadise ransomware builder leaked\r\nThe Paradise code that was leaked over the weekend is the source code for the .NET version of the Paradise\r\nransomware, and more precisely for its builder and decryption utility, Malka and Blaze told The Record today.\r\nImage: Bart Blaze (supplied)\r\nhttps://therecord.media/source-code-for-paradise-ransomware-leaked-on-hacking-forums/\r\nPage 3 of 6\n\nImage: Bart Blaze (supplied)\r\nImage: Bart Blaze (supplied)\r\nhttps://therecord.media/source-code-for-paradise-ransomware-leaked-on-hacking-forums/\r\nPage 4 of 6\n\nImage: Bart Blaze (supplied)\r\nThe leak of the Paradise ransomware builder is a legitimate cause for concern, even if it's for the lesser-used .NET\r\nversion.\r\nSample Paradise ransomware strains built by Blaze earlier today were classified as undecryptable when uploaded\r\nand verified via the ID-Ransomware service.\r\nWith the source code readily available in the public domain, and known to be undecryptable, we cannot exclude\r\nthat some threat actors will jump on the opportunity to use it, even if it's not as refined as the native version of the\r\nParadise RaaS.\r\nNo previous article\r\nNo new articles\r\nhttps://therecord.media/source-code-for-paradise-ransomware-leaked-on-hacking-forums/\r\nPage 5 of 6\n\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/source-code-for-paradise-ransomware-leaked-on-hacking-forums/\r\nhttps://therecord.media/source-code-for-paradise-ransomware-leaked-on-hacking-forums/\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://therecord.media/source-code-for-paradise-ransomware-leaked-on-hacking-forums/"
	],
	"report_names": [
		"source-code-for-paradise-ransomware-leaked-on-hacking-forums"
	],
	"threat_actors": [],
	"ts_created_at": 1775434531,
	"ts_updated_at": 1775791226,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c8e7cc0dce90c5f958a23c76d5be7fc2fedfc344.pdf",
		"text": "https://archive.orkl.eu/c8e7cc0dce90c5f958a23c76d5be7fc2fedfc344.txt",
		"img": "https://archive.orkl.eu/c8e7cc0dce90c5f958a23c76d5be7fc2fedfc344.jpg"
	}
}