# Paradise Ransomware strikes again **acronis.com/en-us/blog/posts/paradise-ransomware-strikes-again** [Back](https://www.acronis.com/en-us/blog/) January 22, 2018 — [Acronis Security Team](https://www.acronis.com/en-us/blog/authors/acronis-security-team/) Cyber Protect Home Office formerly Acronis True Image [Learn more](https://www.acronis.com/en-us/products/true-image/) Paradise Ransomware hits again The Paradise ransomware that was active in September 2017 is back with a new round of attacks, starting at the beginning of January 2018. Leveraging the Ransomware as a Service (RaaS) model, the Paradise strain provides an unbreakable encryption scheme by using the RSA cipher for file encryption – which is an unusual cipher choice. ----- e a so a e s e ecutab e e s a c ed a d sp ead a spa e a as a p attac e t o beco e ected, a use ope s t e attachment, unpacks it, and executes the extracted application. ## Static Analysis The ‘DP_Main.exe’ ransomware file is a .NET compiled executable and requires .NET Framework 3.5 to start on a user’s machine (MD5: 8aa00ee509a649619794fc1390319293). The PE file is 36,684 bytes and was compiled on January 5, 2018. ## Installation The malware copies itself to the following folder on a user’s computer: _C:\Users\\AppData\Roaming\DP\_ The executable adds the reference to itself in the Autorun Windows registry key as the following value: _‘DP_Main’ = ‘c:\Users\\AppData\Roaming\DP\DP_Main.exe’_ Paradise Ransomware Installation ## Key generation The [ransomware creates ‘DecryptionInfo.auth’ file in the following folders:](https://www.acronis.com/en-us/ransomware-protection/) %USER%\ %USER%\Desktop\ Program Files\ The key file contains the session RSA private key in the XML format, encrypted with the master RSA public key and Base64 encoded: Paradise Ransomware - Key generation Paradise Ransomware - Key generation 2 Th t RSA 1024 bit bli k i h d d d i B 64 ----- _S_ _ey a ue_ _odu us u_ _Q_ _d 0y8_ _s_ _8gg_ _8_ _U b uQt u_ _3 9_ _J_ _6 3 gqt9_ _p S_ _t eQ_ _G O 0_ _5q S_ _AQAB_ ## File encryption The Paradise ransomware encrypts ALL files on fixed, removable, and network drives. It filters out the folders that contain the following strings: windows firefox opera chrome google The Application Data folder where the cryptolocker lives The cryptolocker does not encrypt the files that contain the following strings: .paradise #DECRYPT MY FILES#.html Id.dp DecryptionInfo.auth It first encrypts the files in any folders that contain the following strings: mysql firebird mssql microsoft sql backup The cryptolocker renames a file adding the following suffix: “[id-].[AFFILIATE_EMAIL].paradise” For example: _[file.exe[id-iO3mBQGY].[paradise@all-ransomware.info].paradise](http://10.10.0.46/mailto:paradise@all-ransomware.info)_ Paradise uses the RSA cipher, and the generated session key pairs to the encrypt file’s content, divided in blocks of 547 bytes. Paradise Ransomware - encryption ## Communication Once the encryption is completed, the malicious process sends a notification request to the remote server. The sent data includes: The number of encrypted files The computer’s name Elapsed time Decryption info The computer’s ID Paradise Ransomware - remote notification Analyzed versions of the ransomware connect to ‘localhost’ only. The ransomware config contains ‘localhost’ as the C&C server, which could mean that either the feature was deprecated or setting the server data in config was forgotten. ## Backup removal ----- a ad se s e t y de etes do s s ado cop es, e a y ot e a so a e a a ts cu e t y t e d Paradise Ransomware - backup removal ## Ransom note In every folder, the cryptolocker leaves the ransom note ‘#DECRYPT MY FILES#.html’ Paradise Ransom Note 2 Paradise Ransom Note ----- ## ec ypt o se ce The ransom note includes a contact email address: _paradise@all-ransomware.info_ The user can send up to three files with non-sensitive information – together with the ID and personal RSA key – to this email address to test the decryption service. Each file should be less than 1 MB in size. One of the files will be decrypted as proof that decryption is possible. The ransom value will be set in bitcoin and can vary based on when the user replies or the number of encrypted files. The domain ‘all-ransomware.info’ has roots on Russia, according to WhoIs data: Paradise Ransomware - domain The server is geographically located in St Petersburg. Paradise Ransomware - location ## Conclusion There is no way to restore encrypted files other than to pay a ransom. The files are encrypted using a session public RSA key and require session private RSA key, which is encrypted along with the master public RSA key. The session RSA private key can be decrypted only with the master private RSA key, which is held by the criminals. The only free alternative that is recommend is to restore files from backup, if available, after the infected computer has been cleaned. ## Acronis True Image detects and blocks Paradise as well [Rather than waiting to react after Paradise encrypts your files, you can use Acronis True Image 2018 and our other products with Acronis](https://www.acronis.com/en-us/personal/computer-backup/) Active Protection enabled to detect and stop Paradise ransomware. You’ll also be able to restore any affected files in matter of seconds. ----- Ransomware detected by Acronis Acronis restores files [CybersecurityCyber protection](https://www.acronis.com/en-us/blog/tags/cybersecurity/) -----