Researchers Release Decryptor Tool For ‘Paradise’ Ransomware


Paradise ‘ransomware-as-a-service’ latest to be hacked by security researchers, who have released keys for most of its dozens of variants

Security researchers have released a free decryptor tool for the Paradise ransomware, giving those affected a way of recovering their files without having to send funds to their attackers.

Paradise was first detected in September 2017 and is still being actively distributed, said computer security firm Emsisoft.

It appears to be sold to third-party attackers as a paid service, with attackers able to customise how the malware operates.

When files are encrypted, Paradise appends one of at least fifty extensions to the files, including “.paradise”, “2ksys19”, “.p3rf0rm4”, and “.FC”.

Variants

Emsisoft said the new tool can decrypt most of these extensions, but it advised those affected whose files cannot yet be decrypted to archive them so that they can be unlocked later, once the tool is updated.
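As an added example (not code from the article, from Emsisoft or from the decryptor itself), a small Python triage script that follows the advice above: it finds files carrying the Paradise suffixes the article names (the dotless "2ksys19" is assumed here to mean the suffix ".2ksys19"), hashes them, and copies them into an archive with a manifest so they can be retried when the decryptor gains support; `demo()` runs it on a constructed sample tree.

```python
import hashlib
import json
import os
import tarfile
import tempfile
# Extensions named in the article; a constructed subset of the 50+ Paradise variants.
# Assumption: the article's "2ksys19" is treated as the suffix ".2ksys19".
PARADISE_EXTENSIONS = (".paradise", ".2ksys19", ".p3rf0rm4", ".FC")
def paradise_extension(filename):
    # Return the matching Paradise suffix (case-insensitive) or None.
    for ext in PARADISE_EXTENSIONS:
        if filename.lower().endswith(ext.lower()):
            return ext
    return None

def inventory(root):
    # Record every file under root carrying a known suffix, hashed for later matching.
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            ext = paradise_extension(fn)
            if ext:
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as f:
                    digest = hashlib.sha256(f.read()).hexdigest()
                entries.append({"path": os.path.relpath(full, root), "ext": ext,
                                "size": os.path.getsize(full), "sha256": digest})
    return entries

def archive_encrypted(root, archive_path):
    # Copy (never move or delete) encrypted files into a tar.gz, paths preserved,
    # and write a JSON manifest beside it.
    entries = inventory(root)
    with tarfile.open(archive_path, "w:gz") as tar:
        for e in entries:
            tar.add(os.path.join(root, e["path"]), arcname=e["path"])
    with open(archive_path + ".manifest.json", "w") as f:
        json.dump(entries, f, indent=2)
    return entries

def demo():
    # Constructed sample tree: two "encrypted" files and one clean file.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "docs"))
    for name, data in (("docs/report.docx.paradise", b"\x00junk"),
                       ("notes.txt.FC", b"\x01"), ("readme.txt", b"clean")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    entries = archive_encrypted(root, os.path.join(root, "paradise_hold.tgz"))
    with tarfile.open(os.path.join(root, "paradise_hold.tgz")) as tar:
        return entries, sorted(tar.getnames())
```

The script only copies; the originals stay in place, and the manifest's hashes let each archived copy be matched back to its source file later.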

Paradise also displays one of several variant ransom notes depending on how it’s been customised by the third-party attacker.

The notes request the ransom to be paid in Bitcoin directly to the attacker, rather than to Paradise’s developers.

“Regardless of what any of the Paradise ransom notes might say, our decryption tool can help you recover your files for free,” Emsisoft said in an advisory.

Emsisoft has released decryptors for other malware strains, including STOP Djvu, Muhstik, HildaCrypt, GalactiCrypter and Avest.

In June researchers released a decryptor for the GandCrab malware that at one point accounted for 50 percent of all ransomware infections.

Muhstik hack

And last month a German programmer released decryption keys for the Muhstik strain of ransomware after himself falling victim to the malicious code and then hacking the malware’s control servers.

Tobias Frömel, a Bavarian developer and web designer, said he paid 670 euros (£598) to the developers of the Muhstik ransomware after he was hacked.

Frömel said that after recovering from his own attack he located the control servers belonging to the Muhstik gang and carried out a hack of his own to obtain the group’s database of decryption keys.

He released the more than 2,000 keys in a text file on the Pastebin code snippet website, along with a decryption tool.

“I hacked back this criminal and got the whole database (of) keys,” Frömel said in a message posted to the forums of tech help site Bleeping Computer.

He said he was aware it was “not legal” to hack criminals’ systems, but added, “I’m not the bad guy here.”