Paradise Ransomware – Guide to remove it from system

Guide to Remove Paradise Ransomware

Paradise Ransomware is a file-encrypting virus that surfaced to lime-light for the first time in September 2017. For the past two years, it has been encrypting user’s files using highly-complex Encryption Algorithm, RSA-1024.

In addition to that, Paradise Ransomware is being aggressively distributed as a Ransomware as a Service (RaaS) to the interested affiliates. The developers of Paradise File virus allow the affiliates to customize RaaS by changing ransom amount, contact e-mail address & distribution techniques.

By doing so, developers avoid shouldering the task of malware distribution & use the affiliates to propagate Paradise Ransomware. They generate hefty illicit revenue by charging a certain percentage of ransom amounts from the affiliates.

Some of the common spread techniques of Paradise Ransomware include infected spam e-mail attachments, malware-laden websites & suspicious links.

Once the system is infected, Paradise file virus appends the targeted file names with .paradise extension. However, paradise Ransomware received multiple updates from its developers in the span of two years. Some of the extensions that Paradise variants use are .b1, .sambo, .p3rf0rm4, .b29, .prt, .sell, .ransom & .logger.

Once files are encrypted, Paradise Ransomware drops ransom-demanding text notes on the victim’s system. The demanded ransom amount varies from $500 to $1500 (in bitcoins).

Let us understand what more Paradise Ransomware is capable of doing of & how can one prevent falling victim to this nasty threat.

Threat Summary of Paradise File Virus-

Threat Summary

Name	Paradise
Type	Ransomware
Category	Malware
Targeted OS	Windows
Symptoms	It infects your system with the motive of encrypting the files & making them inaccessible. It drops a ransom-demanding note on the victims’s desktop.
Damage	Encrypted files are inaccessible. The malware may further increase malicious payload on your system.
Removal	Download Removal Tool

Threat Behavior of Paradise Ransomware

Paradise Ransomware is a devious crypto-virus that encrypts the files using complex Encryption Algorithms such as RSA-1024 & RSA-2048. Not only this, it is also being sold as Ransomware as a Service (RaaS) on the dark web to the interested affiliates.

The prime method of its distribution is Infected Spam E-mail Attachments. A mere click on the malicious Zip attachment unpacks Paradise Ransomware & installs it on the system.

Once infected, Paradise employs Encryption Algorithms to encrypt targeted file extensions. It is capable of encrypting user-generated files such as:

• Images (.jpg, .jpeg, .raw, .tif, .gif, .png)
• Audio Files (.mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4)
• Video Files (.3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob)
• Document files (.docx, .doc, .odt, .rtf, .text, .pdf, .htm, .ppt)
• Backup Files (.bck, .bckp, .tmp, .gho)

The encrypted files are appended with-

• Affiliate Id
• Affiliate E-mail Address
• .paradise Extension

For example: A file named presentation1.ppt might be renamed as “presentation1.pptid-xxxxxxxx.[ [email protected]].paradise”.

Besides encrypting, it deletes shadow copies of files, thus, restricting the users from restoring them.

Use of Paradise Ransomware as a RaaS

According to the sources, Paradise Ransomware is being distributed as a Service on the dark web since September 2017. Thus, it has enabled interested affiliates to lock the networks of the victims & hold them for hefty ransom amount.

However, cyber-security analysts do not have much relevant information about Paradise RaaS platform. It is being managed by anonymous personalities on the Dark Web.

Initial Paradise Attacks were observed in various parts of Western Europe & United States. The RaaS mainly targeted Windows OS & ran as “DP_Main.exe” on the infected system.

The developers of Paradise RaaS allow the third-party affiliates to customize & distribute various strains of Paradise Ransomware. In return, the developers receive a certain percentage of the ransom amount & generate huge revenue. One of the well-known variants of Paradise RaaS is TeslaWare.

Some of the extensions of the updated variants of Paradise RaaS are:

• [[email protected]].b1
• .sambo
• __{[email protected]}.p3rf0rm4
• [[email protected]].b29
• 0.0.0.1{[email protected]}.prt
• {[email protected]}.paradise
• .sell
• .ransom
• .logger
• .CORP
• VACv2

Details of Ransom Note & Ransom Amount for Paradise Ransomware

Following the successful encryption of the targeted files, Paradise Ransomware drops three text files on the victim’s desktop. These include:

• “[email protected]”
• “txt“
• “txt“
• & a ransom note – #DECRYPT MY FILES#.txt

The file named Files.txt contains details of the encrypted user file extensions. The second file named Failed.txt has the list of files that could not be encrypted due to some reason.

The most important file is #DECRYPT MY FILES#.txt, which contains ransom-demanding message from the cyber-crooks. The note describes that the files are encrypted & could not be restored without a decryption key. It further suggests the victims to contact the hackers on the provided e-mail address in order to restore the encrypted files.

Encryption Algorithm, RSA-1024 employed by Paradise Ransomware to encrypt the files generates two private keys – public encryption key & private encryption key. These keys are vital for decrypting the files. Since these keys are stored on hacker’s remote server, they demand hefty ransom amount in exchange of the keys.

While ransom amount (to be paid in Bitcoins) is not specified, it typically ranges from $500 to $1500.

Claims Made by Hackers & its Authenticity

Besides, hackers permit the victims to send any three files (up to 1 MB of size altogether) on the provided e-mail address. The developers offer to decrypt these files for absolutely free of charge & send it back to the victims as a “guarantee” of decryption.

You might wonder if cyber-crooks could be trusted! Well, cyber-security analysts suggest not contacting the hackers. In most of the cases, hackers ignore responding to victims after receiving ransom amount.

Paying the ransom amount doesn’t guarantee decryption of files in any way. Instead, the users lose their money & data permanently and support cyber-crooks in their wicked motives.

Therefore, we do not support reaching out to hackers & paying the ransom.

While no tools are available to crack RSA cryptography as for now, we suggest restoring the system & encrypted files from a backup.

Distribution Techniques of Paradise Ransomware

The cyber-criminals use various strategies for malware distribution which include –

1. Software Bundling: Software bundling is the process in which a malicious program is distributed with other free software, to get an unnoticed entry into your computer system. When a user installs a free application, the malicious programs gains a front door entry with the free application, the user has downloaded. Thus, it is a good idea to keep an eye on the installation screens while installing these free applications.
2. Infected Storage Devices: Your system can also get infected by using removable media such as USB hard drives and jump drives without scanning them with an anti-virus.
3. Spam Emails – Spamming is the most economic and common method used for the distribution of such malware. The targeted users get genuine looking emails which contain .doc, .txt, and other similar attachments. These attachments can be named as anything which can grab the user’s attention and triggers him/her to open the attachment. As soon as the user opens this attachment, the malware infects the user’s computer system.
4. Malicious Websites or Malevolent Advertisements: The malicious websites are the ones which are created just for promoting the malware infections. Such websites include but are not limited to porn sites, torrent sites and other free downloading platforms. By visiting such websites, the adware infects the user’s computer without permission. Fake advertisements and updates like Flash player and windows updates which ask the user to update to the latest version are a few examples. When the users click on such links, their computer system gets infected. That is why, it is highly recommended to resist clicking on such links. Also avoid clicking on advertisements offering free stuff such as Win an iPhones, cars or free overseas trips etc.

Download Vipre Malware Remover

How to remove Paradise Ransomware infection from the system

While tools for cracking RSA Cryptography are not available at this time, here are few common measures that have been concluded after research & analysis by our analysts.

STEP A: Reboot your system to Safe Mode

To restart the system to Safe Mode with Networking,  if already switched ON then follow the below steps:

Windows 7/ Vista/ XP

1. Click on Windows icon present in the lower left corner of the computer screen.
2. Select and click  Restart.
3. When the screen goes blank, Keep tapping  F8  Key until you see the Advanced Boot Options window.
4. With the help of arrow keys on keyboard, Select Safe Mode with Networking  option from the list and press the Enter Key. The system will then restart to Safe Mode with Networking.

5 Once the system restarts, click on the username and enter the password (if any) to log in.

Windows 10 / Windows 8

1. Press and hold the Shift Key and simultaneously click on the windows icon present in the lower left corner of your computer screen.
2. While the Shift key is still pressed click on the Power button and then click on Restart.
3. Now select Troubleshoot → Advanced options → Startup Settings.
4. When the Startup Settings screen appears which is the first screen to appear after restart, select and click on Enable Safe Mode with Networking. The system will then restart to Safe Mode with Networking.
5. Once the system restarts in Safe Mode, click on the username and enter the password, if any to log in.

STEP B: Delete the suspicious key from the Configuration Settings

1. Type “Msconfig” in search box / Run Box, select it and press Enter.
2. Click on “Services” Tab and click on “Hide all Microsoft services”.
3. Select Paradise Ransomware from the list of remaining services and disable it by removing the tick mark from the checkbox and click on Apply button.

Windows 7

1. Click on the next tab – “Startup”.
2. Find any blank or suspicious entry or the entry with Paradise Ransomware mentioned and remove the check mark.
3. Click on Apply button and then click on OK.

Windows 10

1. Click on the next tab – “Startup”.
2. Take the mouse cursor to ‘Open task Manager‘ link and click on it.  This opens the Task Manager window.
3. Find any blank or suspicious entry or the entry with  Paradise Ransomware mentioned and click on it.
4. Then click on Disable button.

STEP C: Restore the Encrypted Data via windows previous version

If the system restore was enabled for both, system and user files, then you can recover your personal data through Windows Previous Version, provided the ransomware has not damaged the backup files. To restore your data follow the instructions given below –

1. Open My Computer and search for the folder you want to restore.
2. As soon as you find it, right click on it and choose the restore previous version option from the new window.
3. This option will display all the previous copies of the folder.
4. Now select restore data and through the options i.e. Open – Copy – Restore. 

STEP D: Restore the System Files & Settings

From Control Panel

1. Click on the ‘Start’ button on the taskbar. This will open the Start menu.
2. Click on the ‘Control Panel’ button in the Start menu. This will open the control panel window.
3. In the Control Panel window, click on the ‘View by:’ button on the top right. Select the Large Icon option
4. In the control Panel window click on the ‘Recovery Icon’. This will open a window that will ask ‘Restore the computer to an earlier point in time’.
5. Click on the ‘Open system restore’ button. This will open the ‘system restore ’window where you need to click on the Next Button.
6.  Select the restore point that is prior the infiltration of Paradise Ransomware. After doing that, click Next.
7. This will open the ‘Confirm your restore point’ dialog box. Click on Finish button. This will restore your system to a previous restore point before your system was infected by Paradise Ransomware.

OR

From Command Prompt

1. Type cmd in the search box and click on the command prompt to open the Command Prompt window. box and clicking on it.
2. Once the Command Prompt window shows up, enter cd restore and click Enter.(Ensure that you in the system32 directory of Windows folder in C Drive)
3. Now type rstrui and press Enter again.
4. When a new window shows up, click Next and select your restore point that is prior the infiltration of Paradise Ransomware. After doing that, click Next.
5. This will open the ‘Confirm your restore point’ dialog box. Click on Finish button. This will restore your system to a previous restore point before your system was infected by Paradise Ransomware.

OR

type ‘rstrui’ in the search box

1. Type ‘Rstrui’ in the search box present on the task bar. This will open the System restore dialog box.

Continue to follow steps 4 & 5 of Method 2 to restore the System Files and settings.

How to prevent Paradise Ransomware from infecting your system

1. Keeping the Operating System Updated- In order to remain protected and avoid such infections, it is recommended to keep your Operating System updated by enabling the automatic update on your system. The systems with outdated or older versions of Operating System become an easy target for the attackers.
2. Resist clicking on spam emails – One of the major techniques used for malware distribution is forwarding spam emails to the user. The system gets infected as soon as the user clicks on the attachment. These mails appear to be genuine, so be aware and resist falling for these tricks.
3. Keep an eye on third party installations- It is quite important that you take due care while installing any third party applications for they are major source of such infections. Such malware programs come bundled with the free applications thereby requiring the user to remain cautious.
4. Regular periodical backup- In order to keep your data and files safe, it is recommended to take regular back up of all your data and files either on an external drive or cloud.
5. Use Anti-Virus Protection- We strongly recommend the use of antivirus protection/internet security in your PC like Vipre and BULL GUARD  so that it remains safe.
6. Enable the Ad Blocker/Popup Blocker in your browser- Enabling the popup blocker/ ad blocker in your chosen browser will help you to stay protected from annoying adware.