Paradise Ransomware (.<Original Extension>_V.0.0.0.1{help@badfail.info}.paradise) - Videos - CheckMAL

Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

Distribution Method : Unknown

MD5 : a3c124f16afa74b9bebddbec347afe58

Major Detection Name : Trojan-Ransom.Win32.Cryptor.bta (Kaspersky), Ransom_PARADISE.FBHAI (Trend Micro)

Encrypted File Pattern : .<Original Extension>_V.0.0.0.1{help@badfail.info}.paradise

Malicious File Creation Location :
- C:\Users\%UserName%\AppData\Roaming\<Random>.exe
- C:\Users\%UserName%\AppData\Roaming\Paradise.png
- C:\Users\%UserName%\Documents\ID_CLIENT_help@badfail.info.txt
- C:\Users\%UserName%\Documents\paradise_key.bin
- C:\Users\%UserName%\Documents\paradise_key_pub.bin

Payment Instruction File : PARADISE_README_help@badfail.info.txt

Major Characteristics :
- Offline Encryption
- Features killing process except system and specific processes (chrome.exe, firefox.exe, iexplore.exe, launcher.exe)
- Disable system restore (wmic.exe shadowcopy delete, vssadmin delete shadows /all /quiet)