Paradise ransomware removal

Paradise ransomware is not only file-encrypting malware but also ransomware-as-a-service (RaaS).



Paradise ransomware is file-encrypting malware that has been active since September 2017. While it is a relatively old threat, it is still quite prominent today because it is offered as ransomware-as-a-service (RaaS). It has many versions, all of which encrypt files and demand payment for their recovery. Depending on the version, encrypted files may have the following extensions: .paradise, .sell, .ransom, .logger, _V.{}.prt, .{}.paradise, [id-].[].b29, __{}.VACv2, _%ID%_{}.CORP, .xyz, .666.

Once files are encrypted, the ransomware drops a ransom note which demands that users send an email to the provided address to find out how much they need to pay for the decryptor. To many users who do not have a backup, paying may seem like a tempting option, but it is highly discouraged. It is not uncommon for cyber criminals to take the money and not send anything in return, as there is nothing stopping them from doing so.

Users who do have a backup must first remove Paradise ransomware and only then access the backup, as the backed-up files may otherwise become encrypted as well.

Ransomware distribution methods

Like most ransomware, Paradise is distributed through spam email campaigns. This is one of the most common methods used to spread malware because it's relatively low effort. Spam emails containing malicious attachments are sent to thousands of potential victims, whose email addresses were likely sold on the dark web. The emails are usually disguised as some kind of official correspondence from a known company, bank or government agency. Users are pressured to open the attached file, which would initiate the malware. Emails carrying malware are often pretty obvious, with grammar and spelling mistakes being particularly evident. Some spam emails are more sophisticated than others, so it is recommended to scan all unsolicited email attachments with anti-virus software or VirusTotal before opening them. Reliable anti-virus software would also protect the computer if a user were to open a malicious file.

Ransomware can also be disguised as updates or as torrents for popular movies, TV series, games, software, etc. Pirating copyrighted content via torrents is not only essentially stealing but also quite dangerous because malware is often concealed in torrents.

Is it possible to decrypt Paradise ransomware encrypted files?

As soon as it is executed, the ransomware will start encrypting photos, videos, documents, etc., essentially everything that users may hold valuable. One of the above-mentioned extensions will be added to all encrypted files, depending on the ransomware version. A ransom note will then be dropped on the computer. Again, depending on the version, the name of the ransom note may vary. The currently known ones are titled #Decrypt My Files#.txt, #DECRYPT MY FILES#.html, $%%! NOTE ABOUT FILES -=!-.html, Instructions with your files.txt, noood.txt.

As is usual with ransomware, victims are offered to decrypt a couple of unimportant files for free. This is supposed to prove to the victim that the ransomware operators are indeed able to decrypt files.

The contents of the Paradise ransomware ransom note usually are:

Your important files produced on this computer have been encrypted due a security problem.
If you want to restore them, write to us by email.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

Before payment you can send us 1-3 files for free decryption.Please note that files must NOT contain valuable information. The file size should not exceed 1MB. As evidence, we can decrypt one file.

The ransom sum is not mentioned in the ransom note as it supposedly depends on how quickly victims write to them. It will likely vary from $100 to $1000. But again, paying the ransom is not the best idea, as it does not guarantee file decryption.

Users who have backed up their files can start file recovery as soon as the ransomware is no longer present. For those without a backup, not all hope is lost. Emsisoft has released a free decryption tool for Paradise ransomware, and it can decrypt files locked by the majority of Paradise versions. Even if the decryptor does not decrypt a particular version, a new tool may be released in the future, so users are encouraged to back up their encrypted files and wait for that time to come.
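To inventory what needs to be preserved before cleanup, the extensions and ransom note names listed earlier can be matched against a directory tree. The following read-only Python sketch is an added example, not part of the original article or of any vendor tool; the function names are hypothetical, and the extension patterns that appear on this page with missing parts are left out.

```python
import os
from collections import Counter

# Indicators copied from the lists on this page. Extension patterns that the
# page shows with elided parts (e.g. "_V.{}.prt") are deliberately left out.
PARADISE_EXTENSIONS = (".paradise", ".sell", ".ransom", ".logger", ".xyz", ".666")
RANSOM_NOTE_NAMES = {
    "#decrypt my files#.txt",
    "#decrypt my files#.html",
    "$%%! note about files -=!-.html",
    "instructions with your files.txt",
    "noood.txt",
}

def classify(filename):
    """Return 'note', 'encrypted' or None for a bare file name (hypothetical helper)."""
    lowered = filename.lower()  # Windows file names are case-insensitive
    if lowered in RANSOM_NOTE_NAMES:
        return "note"
    if lowered.endswith(PARADISE_EXTENSIONS):
        return "encrypted"
    return None

def scan_tree(root):
    """Walk root without modifying anything; collect matches and per-directory counts."""
    findings = {"note": [], "encrypted": []}
    per_dir = Counter()
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            kind = classify(name)
            if kind:
                findings[kind].append(os.path.join(dirpath, name))
                per_dir[dirpath] += 1
    return findings, per_dir

def summarize(root):
    findings, per_dir = scan_tree(root)
    # A ransom note alongside renamed files is a far stronger signal than an
    # extension hit alone: ".xyz" and ".sell" can also occur on clean systems.
    confident = bool(findings["note"]) and bool(findings["encrypted"])
    return {
        "notes": sorted(findings["note"]),
        "encrypted": sorted(findings["encrypted"]),
        "hot_dirs": per_dir.most_common(5),
        "likely_paradise": confident,
    }

if __name__ == "__main__":
    import json, sys
    print(json.dumps(summarize(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

The "encrypted" list is the set of files to copy to offline storage while waiting for a decryptor; "hot_dirs" shows where the damage is concentrated.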

How to delete Paradise ransomware

Paradise ransomware removal should only be done with anti-malware software. Trying to manually uninstall Paradise ransomware could lead to even more damage, thus we do not recommend it. Once the anti-malware has taken care of the infection, file recovery can be initiated.