A new kind of Ransomware dubbed “Paradise Ransomware” is doing the rounds these days. It is being offered as a Ransomware as a Service (RaaS) and that is what makes this ransomware interesting.

The Paradise Ransomware does what typical ransomware do – encrypt files and demand a ransom for the decryption key. It is not yet known how the initial infection takes place, but analysis of logs suggest that cyber criminals could have probably have hacked remote services of workstations and then impregnated the ransomware.

How Ransomware as a Service works

A cyber criminal who develops a ransomware (developer) may opt to offer it as a service. The developer also controls and manages the Command and Control (C&C) server required for carrying out these activities. In return, the developer gets a percentage of the ransom collected from the victims. Developing a ransomware is tough, agreed, but still, a considerable amount of work has to be put in to distribute the ransomware and successfully infect computer systems. The subscribers of the ransomware service – called as “affiliates” have to try to infect machines in any way possible – phishing attacks, spear phishing, spam emails, etc…,

A sophisticated ransomware malware may involve a number of stages to thwart detection. The initial malware is well designed so that most antivirus programs do not detect them as malware. It does not perform much of malicious activity, but at an opportune moment, it contacts a C&C server to download the deadly ransomware component that does the encryption of the files.

What does the Paradise Ransomware do:

When the Paradise Ransomware gets executed, it first relaunches itself to acquire administrative privileges. With these escalated privileges it generates a RSA-1024 key which it uses to encrypt files on the victim’s computer.

The encrypted files will be renamed and it will contain a “.paradise” extension along with the identity and email of the ransomware “affiliate”. On successful encryption of all files on a computer, the ransomware drops a ransom note text file in each folder, which contains the ransom demand and how the ransom is to be paid. The note demands the ransom to be paid in bitcoins purchased from “https://localbitcoins.com/buy_bitcoins”, and then email the details to “[email protected]”. Further, the ransomware also sets the demand as the desktop background on the victim’s system.

The ransomware demand note warns:
“Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss
If you not write on e-mail in 36 hours – your key has been deleted and you can’t decrypt your files”

Mitigation Measures

As of now, cyber experts are working on ways to decrypt files that have been encrypted by the Paradise Ransomware. It is worth noting that attacks of this kind will continue. It is only when an enterprise secures itself with robust endpoint security that works on a default-deny policy, will it be able to thwart any kind of ransomware, malware, zero-day exploits and advanced persistent threats.