Paradise malware: everything you need to know

Discover Paradise, a malware that has lurked in the wild since 2017. The name may suggest a holiday in a pleasant place, but it definitely means misery for the users it afflicts. This post explains the Paradise malware: what it is, how it works, and how you can avoid falling prey to this little-known threat.

Whether a technology counts as "old" depends on how it is implemented. Paradise is just one instance of older malware technology getting a facelift three years after its discovery. Security analysts are finding fresh signs that the malware is re-emerging, but with an updated authentication process that makes it difficult to catch. The file type it uses is so ordinary that average security software has difficulty detecting it. To analysts, it seems Paradise was never really destroyed; its operators have simply found a way to inject new life into the operation. Learning general malware protection tips and techniques also helps you fight threats like this one.

What is Paradise?

Paradise is a form of malware first reported by an infected user in the Bleeping Machine forums. Its latest versions use phishing emails with malicious IQY file attachments to obtain a foothold on a network. This latest version marks a new phase for Paradise and makes it stand out from other malware, which is the subject of this post.

When a user opens this IQY file, Paradise executes standard ransomware behaviour such as file encryption. It also drops a ransom note telling the victim that the Paradise ransomware has encrypted their data and explaining how to have it decrypted in return for a payment in Bitcoin.

Note: We provide this information for educational purposes only. We do not promote paying ransoms or partnering with the criminals behind the attack.

What makes Paradise hard to ignore once it has attached itself to a PC or network is that it targets important productivity files: documents, images, and videos with extensions including .xls, .docx, .pdf, and .doc. This ransomware is a danger to every version of Windows from Windows 7 to Windows 10.

How does Paradise work?

Paradise first reaches its chosen targets through spam phishing emails. Each email carries an IQY attachment. What further separates Paradise from other malware threats is that it is the first to use this kind of file, which has historically received little attention from the information security community.

IQY is not a file type widely used in phishing campaigns. It is an unusual choice, as the file itself contains only URLs and no payload. What it downloads are commands in the form of Excel formulas, which can invoke cmd, PowerShell, and other LOLBins (Living Off the Land Binaries) to manipulate system processes.

Because IQY files depend on URLs, security teams can use a third-party URL reputation service to react to this threat efficiently. Besides serving as the initial attack vector, the IQY file can also be used for other activities in support of the attack campaign.
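As an added illustration (not code from this post or from any vendor tool), the following Python inspector parses the plain-text IQY format, pulls out the URL that Excel would fetch, and flags attachments whose host is not on an assumed allowlist so they can be handed to a URL reputation check. The allowlisted hosts and both sample files are constructed for the example.

```python
"""Inspect Excel Web Query (.iqy) attachments and flag suspicious ones.

An IQY file is plain text: a 'WEB' header line, a version line ('1'),
the URL that Excel will fetch, then optional parameter/settings lines.
Constructed example for this post; the allowlist below is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Hosts the organisation trusts to serve web-query data (assumed allowlist).
ALLOWED_HOSTS = {"intranet.example.com", "reports.example.com"}

# Constructed samples: a normal reporting query and a loader-style fetch.
BENIGN_IQY = (
    "WEB\n1\nhttps://reports.example.com/sales.aspx?q=[\"quarter\"]\n\n"
    "Selection=EntirePage\nFormatting=None\n"
)
SUSPICIOUS_IQY = "WEB\n1\nhttp://203.0.113.7/loader.dat\n"


@dataclass
class IqyVerdict:
    url: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_iqy(text: str) -> Tuple[Optional[str], List[str]]:
    """Return (url, settings_lines); a malformed file yields (None, [])."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB" or lines[1] != "1":
        return None, []
    return lines[2], lines[3:]


def inspect_iqy(text: str, allowed_hosts=ALLOWED_HOSTS) -> IqyVerdict:
    """Flag anything an analyst should send to URL reputation / sandboxing."""
    url, _settings = parse_iqy(text)
    verdict = IqyVerdict(url)
    if url is None:
        verdict.reasons.append("malformed or non-standard IQY header")
        return verdict
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https"):
        verdict.reasons.append(f"unexpected scheme {parsed.scheme!r}")
    if host not in allowed_hosts:
        verdict.reasons.append(f"host {host!r} not on allowlist")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        verdict.reasons.append("raw IP address instead of a hostname")
    if re.search(r"\.(exe|ps1|bat|vbs|dat)$", parsed.path, re.I):
        verdict.reasons.append("URL points at an executable or script file")
    return verdict
```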

As described above, the initial Paradise infection results from a spam phishing email in which the user opens the IQY file. When that happens, Paradise unpacks itself into a new region of memory on the infected machine via self-injection and replaces an executable with the unpacked malware. Paradise then attempts to disable Windows Defender by changing the DisableAntiSpyware registry value.

Paradise then looks for processes whose names contain particular strings and tries to terminate them. This is standard ransomware behaviour: it frees the handles held on sensitive files so that they can be encrypted. It then uses the Salsa20 cipher to encrypt the important data, which demonstrates another Paradise evasion technique: because the encryption routine is built into the malware's own code rather than calling functions from a crypto library, it is harder for security teams to recognise it.

After locking the valuable files, Paradise drops a ransom note into the folder that contains the encrypted data. Typically the ransom note is called —= %$$$$OPEN ME UP$$$==.txt. That is another deviation from the normal ransomware procedure, which typically displays a message on the screen of the infected computer.

How to prevent Paradise

Even by conventional security team standards, Paradise is not well known, so avoiding it takes some knowledge. Security tools do not filter IQY files because they have legitimate business uses, which frustrates preventive measures to some degree. URL reputation providers can help security teams address this problem, because the IQY file usually loads a malicious URL.

Aside from organisational security teams reworking their malware strategy to properly control the Paradise threat, there are various online removal tools available for Paradise, but they are only effective against some variants. Although these techniques can help you eliminate the threat, avoiding infection in the first place is much better.

The easiest way to escape Paradise is to give users in your company good cybersecurity training, which will fairly quickly deter Paradise from gaining a foothold in your company's network and devices. The same approach to spam phishing emails that you cover in that training will go a long way towards Paradise prevention. Some information security certifications are also useful for Paradise prevention.

Paradise encrypts sensitive files and demands a ransom from affected users. What separates it from other ransomware (apart from the ironic name) is its use of IQY files to compromise computers: because this file type has valid business purposes, e-mail protection systems will not keep it out.
