Paradise Ransomware

Paradise is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on September 1, 2017, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Paradise unencrypted, Paradise decrypted, Paradise .NET, Paradise 2020.

Quick Facts

Ransomware Family: Paradise
First Seen: September 1, 2017
Known Aliases: Paradise unencrypted, Paradise decrypted, Paradise .NET, Paradise 2020

How Paradise Ransomware Works

Targeted Files

  • https://app.any.run/tasks/e8875c32-a941-4a87-9ac9-104ca95a03f0/
  • https://tria.ge/220122-rjrz5abee4
  • https://www.bleepingcomputer.com/forums/t/668228/help-to-identify-maybe-new-ramsonware/
  • https://tria.ge/200903-czcarhcgr2
  • https://app.any.run/tasks/02be35ac-0ff6-4a4f-a766-6e81c9634c29/
  • https://www.bleepingcomputer.com/forums/t/706918/identify-randsome/
  • https://app.any.run/tasks/dfcdc623-3749-4cd8-a30d-f8dfb2c8efc5

Full extension -> [id-XXXXXXXX].[paradise@all-ransomware.info].PRT -> _ID_{corebitp@cock.li}.bitcore

File Encryption Patterns

Paradise modifies encrypted files using specific patterns to mark them as encrypted:

File extensions added after encryption:

  • .ransom
  • .NewCore
  • .{admin@prt-decrypt.xyz}.xyz
  • .logger
  • .sev
  • .paradise
  • .sell
  • .prt
  • .b29
  • .VACv2
  • .CORP
  • .STUB
  • .p3rf0rm4
  • .securityP
  • .Recognizer
  • .exploit
  • .sambo
  • .junior
  • .safe
  • .kiss
  • .2k19sys
  • .bitcore
  • .b1
  • .rdp
  • .payload
  • .ebal
  • .njkwe
  • .777
  • .FC
  • .iskaluz
  • .honkai
  • _decryptor_{Pyigxu}.tor
  • .immortal
  • .2k19cry
  • .r00t
  • .mak
  • _Kim Chin Im_{YyKVuO}.Im

Ransom Note and Payment Demands

After encrypting files, Paradise displays ransom notes demanding payment for file recovery:

  • #DECRYPT MY FILES#.txt
    Ransom message: notes/#DECRYPT MY FILES#.txt
    Note locations: EveryFolder
  • #DECRYPT MY FILES#.html
    Ransom message: notes/#DECRYPT MY FILES#.html
    Note locations: EveryFolder
  • KEY BACKUP.txt
  • PARADISE_README_paradise@all-ransomware.info.txt
    Ransom message: notes/PARADISE_README_paradise@all-ransomware.info.txt
    Note locations: EveryFolder
  • /^#DECRYPT MY FILES# [a-zA-Z0-9]{8}\.html$/
    Ransom message: notes/#DECRYPT MY FILES# vN6YLGIr.html
  • $%%! NOTE ABOUT FILES -=!-.html
  • Instructions with your files.txt
    Ransom message: notes/Instructions with your files.txt
    Note locations: EveryFolder
  • %= RETURN FILES =&.html
    Ransom message: notes/%= RETURN FILES =&.html
    Note locations: EveryFolder
  • =_BACK_FILES_~.html
  • %$ BACK FILES !#.html
  • ---%$$$OPEN_ME_UP$$$---.txt
    Ransom message: notes/---%$$$OPEN_ME_UP$$$---.txt
  • -=###_INFO_you_FILE_###=-.txt
    Ransom message: notes/-=###_INFO_you_FILE_###=-.txt
    Note locations: EveryFolder
  • $%%! NOTE ABOUT FILES -=!-.html
    Ransom message: notes/$%%! NOTE ABOUT FILES -=!-.html
    Note locations: EveryFolder
  • ---==%$$$OPEN_ME_UP$$$==---.txt
    Ransom message: notes/---==%$$$OPEN_ME_UP$$$==---.txt
    Note locations: EveryFolder
  • /^[a-zA-Z0-9]{20,30}\.hta$/
    Ransom message: notes/A3QloxkZlkV7avmKdHILo5qUEQez.hta
    Note locations: StartUp
  • $&#~! README =$-!=.html
  • %%_WHERE_MY_FILES_=#.html
    Ransom message: notes/%%_WHERE_MY_FILES_=#.html
    Note locations: EveryFolder
  • —==%$$$OPEN_ME_UP$$$==—.txt
    Note locations: EveryFolder
  • nooode.txt
    Ransom message: notes/nooode.txt

Technical Indicators

Associated Executable Files

The following executable files are associated with Paradise ransomware:

  • DP_Main.exe
  • DP_Main.exe1
  • dp_main.exe
  • myfile.exe
  • badfail.exe
  • paradise.exe
  • 726q.exe
  • 8gfg.exe
  • Paradise Ransomware.exe
  • Paradise.exe
  • Bg1B.exe
  • v9_40_.exe
  • TT.exe
  • v4_40_.exe
  • 1.EXE.QUARANTINE
  • CLJTNAEPAXCDIWCQBJFGRWM6K.EXE
  • Homeworkhelp
  • Trojan.Ransom.Paradise.exe
  • 4643.exe
  • CV.exe
  • vxjqig.exe
  • uvulko.exe
  • key.exe
  • 4RH207OE.exe
  • blofrWNV.exe

About This Analysis

This Paradise ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Paradise.

Last updated: July 30, 2025