Paradise Ransomware Source Code Released On Dark Web Sparks Copycat Fears

You are currently viewing Paradise Ransomware Source Code Released On Dark Web Sparks Copycat Fears

Paradise Ransomware has had its source code released on a dark web hacking forum, leading to fears that other threat actors could repackage the malware strain as their own, thus creating multitudes of copycat variants. The posting with the source code was initially found by Security researcher Tom Malka, who reported his findings to BleepingComputer, who have subsequently been reporting on the case. Malka compiled the source code and found it creates three executables – a ransomware configuration builder, the encryptor, and a decryptor. The code for Paradise Ransomware has since made it other, more accessible parts of the web.

Throughout the code there is Russian syntax, revealing the initial creators of Paradise Ransomware are likely Russian citizens.

A Paradise ransomware affiliate can use the builder to customize their own version of the ransomware to include a custom command and control server, encrypted file extension, and contact email address.

Paradise Ransomware
Paradise Ransomware source code on the XSS forum

Once the customized ransomware is created, affiliates can distribute the malware in their campaigns to target victims.

Part of the source code

Paradise Ransomware was initially reported in September 2017. It propagated via phishing emails containing malicious IQY attachments that downloaded and installed the ransomware.

Over the years, many variants of Paradise Ransomware were released. However, the initial versions were flawed in their encryption methods. This lead to the creation and release of the Paradise Ransomware Decrypter by Michael Gillespie. The decryptor allowed victims of Paradise Ransomware to unlock their files without having to pay anything.

Newer versions of Paradise Ransomware made the switch to RSA encryption, which made free decryption nearly impossible.

When studying the newly release source code, Gillespie said three versions of Paradise Ransomware are included:

  • Paradise – Native version that had the flaws allowing decryption.
  • Paradise .NET – A secure .NET version that switched encryption algorithms to use RSA encryption.
  • Paradise B29 – A “Team” variant that only encrypted the end of a file.

Gillespie said that it is not clear if they were all developed by the same group as they were all circulating at around the same time with thousands of different extensions, as threat actors flocked to the growing Ransomware-as-a-Service.

Based on submissions statistics to ID Ransomware, the Paradise Ransomware was heavily distributed between September 2017 and January 2020, when it suddenly tapered off until now, where it is rarely seen.​

Submissions of Paradise Ransomware Infection Reports Over Time

Using this source code, other threat actors  can easily modify it to release their own customized version of the ransomware, allowing an easy entry point into creating a new ransomware operation.

The source code is for the secured version of Paradise Ransomware, meaning any copycat strains will not be able to undergo free decryption using Gillespies’ tool.

Paradise Ransomware Analysis

Note: This analysis was carried out by researchers at Infosec Institute.

Paradise Ransomware uses spam phishing emails to initially contact the users that it has targeted. This email will have an IQY attachment. What really sets Paradise apart from other ransomware families is that it is the first to use this file type, which has never attracted much attention from the information security world before. 

IQY is not a commonly-used file type during phishing campaigns. It is an interesting choice, as it contains only URLs and not payloads. It can be leveraged to download commands in the form of Excel formulas that can use PowerShell, cmd and other LolBins (Living off-the-land Binaries) to abuse system processes. 

The fact that IQY files use URLs makes it harder for cybersecurity teams to deal with this threat, as they may have to use a third-party URL reputation web service to effectively respond to it. Aside from being the initial attack vector, Paradise can also use the IQY to perform other attack actions in furtherance of the attack campaign.

As mentioned earlier, the initial Paradise infection comes as a result of a spam phishing email where the user has downloaded that IQY file. Once this happens, Paradise unpacks itself with self-injection to a new location in the compromised computer’s memory and replaces an executable with the unpackaged ransomware. Paradise then attempts to disable Windows Defender by changing the registry value of DisableAntiSpyware.

Paradise then searches for processes that contain specific strings and attempts to kill them. This is a typical ransomware action because it frees the handles from important files so they can be encrypted. It then uses the leveraged power of the Salsa20 crypto routine algorithm to encrypt important files — which highlights another evasion capability of Paradise. As the URLs are built into the source code and not dependent on relying upon a crypto library to call functions, this makes it harder for cybersecurity teams to detect it.

Once important files are encrypted, Paradise drops a ransom note into the folder containing the encrypted files. The ransom note is normally named —==%$$$OPEN_ME_UP$$$==—.txt. This is another departure from the typical ransomware standard operating procedure, which normally drops a note on the compromised computer’s desktop.


Ransomware is a serious online threat, one that is faced by businesses and families globally. It is critical that you use the right tools to keep your digital life protected. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.

Leave a Reply