Paradise ransomware source code is disclosed, attackers can “private customization”

The complete source code of the Paradise ransomware has been published on a hacker forum, which will let any cybercriminal build their own customized version of the ransomware.

Reportedly, the source code link posted on the hacker forum XSS can only be accessed by active users who have previously replied to other posts on the forum.

Post with ransomware source code

Researchers at Security Joes found that the package in the post contains three executable components: a ransomware configuration builder, an encryptor, and a decryptor.

Ransomware source code

As the figure above shows, the source code is full of Russian-language comments, which indicates that the developer's native language is Russian.

The disclosed source code lets attackers use the builder to create their own version of the ransomware. The builder lets the operator set a custom command-and-control server, the extension appended to encrypted files, and the contact email addresses.

Paradise Ransomware Builder

Once the customized ransomware has been built, the operator can immediately distribute it to targeted victims in their own campaigns.

Description of Paradise Ransomware

Paradise ransomware was first discovered in September 2017. It was distributed through phishing emails carrying malicious IQY attachments, which downloaded and installed the ransomware.

Multiple versions of the ransomware followed. Because the original version contained defects, researchers were able to analyse it and release a decryptor for Paradise.

However, a newer version of Paradise switched its encryption method to RSA, which rendered the original decryptor ineffective, so files could no longer be decrypted for free.

Michael Gillespie, who created the original Paradise ransomware decryptor, said the Paradise versions released so far include:

Paradise: the first version, which the decryptor can handle.

Paradise .NET: a .NET version that switched the encryption algorithm to RSA.

Paradise B29: a variant that only encrypts the end of each file.

Unfortunately, the source code released this time is the .NET version of Paradise, which uses RSA encryption and cannot be cracked by the existing decryptor.
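Since the leaked .NET version cannot be decrypted for free, incident responders are left with detection and triage. The following is an added example, not code from the article or from Security Joes: an entropy check that flags files whose tail is ciphertext while the head is still plaintext, the pattern described above for the B29 variant, alongside fully encrypted files. The window size, threshold and sample inputs are assumptions chosen for the demonstration.

```python
import math
import random
from collections import Counter

WINDOW = 4096          # bytes examined at each end of the file (assumed)
HIGH_ENTROPY = 7.2     # bits/byte; ciphertext sits near 8.0 (assumed threshold)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_file(data: bytes, window: int = WINDOW) -> str:
    """Triage a file body as 'plain', 'tail-encrypted' or 'fully-encrypted'.

    Compares the entropy of the first and last `window` bytes. A file whose
    head still looks like its original format but whose tail is high-entropy
    matches the "only encrypts the end of the file" behaviour attributed to
    the B29 variant; high entropy at both ends suggests whole-file encryption.
    """
    head = shannon_entropy(data[:window])
    tail = shannon_entropy(data[-window:])
    if head >= HIGH_ENTROPY and tail >= HIGH_ENTROPY:
        return "fully-encrypted"
    if tail >= HIGH_ENTROPY and head < HIGH_ENTROPY:
        return "tail-encrypted"
    return "plain"

# Constructed sample inputs (not real ransomware output): a seeded PRNG stands
# in for ciphertext, since both look uniformly random to an entropy check.
_rng = random.Random(1)
SAMPLE_PLAIN = b"Quarterly report, section 1.\n" * 400
SAMPLE_FULL = bytes(_rng.getrandbits(8) for _ in range(len(SAMPLE_PLAIN)))
SAMPLE_TAIL = SAMPLE_PLAIN[:-WINDOW] + bytes(_rng.getrandbits(8) for _ in range(WINDOW))

if __name__ == "__main__":
    for name, body in (("plain", SAMPLE_PLAIN), ("full", SAMPLE_FULL), ("tail", SAMPLE_TAIL)):
        print(f"{name:5s} -> {classify_file(body)}")
```

Already-compressed or encrypted formats (archives, JPEGs, encrypted containers) are high-entropy by nature, so on a real volume the check should be combined with the renamed-extension and ransom-note indicators rather than used alone.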

The researcher said it is unclear whether the versions listed above were developed by the same group, because they all circulated under thousands of different extensions at roughly the same time. The growing popularity of RaaS (ransomware as a service) has also contributed to their spread.

Paradise data on ID Ransomware

According to submissions to ID Ransomware, Paradise ransomware circulated widely from September 2017 to January 2020 and then dropped off sharply; it is now rarely observed.
