Paradise leverages the ransomware-as-a-service (RaaS) platform and is currently distributed through a spam email campaign in the form of an attached zip file. If opened, the malicious executable encrypts files on the machine including those contained on fixed, removable, and network drives. Paradise copies itself to C:\Users\<USER>\AppData\Roaming\DP\ and adds a reference in the Autorun Windows registry key. This ransomware variant also deletes Windows shadow copies and places a ransom note named #DECRYPT MY FILES#.txt in every folder where files have been encrypted.
Associated emails include: email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org
- Acronis provides additional information on Paradise here.
- The NJCCIC is not currently aware of any free decryption tools available for Paradise.
Image Source: Acronis