Ransomware Research
Paradise Ransomware
Paradise is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on September 1, 2017, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Paradise unencrypted, Paradise decrypted, Paradise .NET, Paradise 2020.
Quick Facts
- Ransomware Family
- Paradise
- First Seen
- September 1, 2017
- Known Aliases
- Paradise unencryptedParadise decryptedParadise .NETParadise 2020
How Paradise Ransomware Works
Targeted Files
https://app.any.run/tasks/e8875c32-a941-4a87-9ac9-104ca95a03f0/ https://tria.ge/220122-rjrz5abee4 https://www.bleepingcomputer.com/forums/t/668228/help-to-identify-maybe-new-ramsonware/ https://tria.ge/200903-czcarhcgr2 https://app.any.run/tasks/02be35ac-0ff6-4a4f-a766-6e81c9634c29/ https://www.bleepingcomputer.com/forums/t/706918/identify-randsome/ https://app.any.run/tasks/dfcdc623-3749-4cd8-a30d-f8dfb2c8efc5 Full extension -> [id-XXXXXXXX].[paradise@all-ransomware.info].PRT -> _ID_{corebitp@cock.li}.bitcore
File Encryption Patterns
Paradise modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
..ransom..NewCore..{admin@prt-decrypt.xyz}.xyz..logger..sev..paradise..sell..prt..b29..VACv2..CORP..STUB..p3rf0rm4..securityP..Recognizer..exploit..sambo..junior..safe..kiss..2k19sys..bitcore..b1..rdp..payload..ebal..njkwe..777..FC..iskaluz..honkai._decryptor_{Pyigxu}.tor..immortal..2k19cry..r00t..mak._Kim Chin Im_{YyKVuO}.ImRansom Note and Payment Demands
After encrypting files, Paradise displays ransom notes demanding payment for file recovery:
#DECRYPT MY FILES#.txtRansom message:
notes/#DECRYPT MY FILES#.txt
Note locations:
EveryFolder#DECRYPT MY FILES#.htmlRansom message:
notes/#DECRYPT MY FILES#.html
Note locations:
EveryFolderKEY BACKUP.txtPARADISE_README_paradise@all-ransomware.info.txtRansom message:
notes/PARADISE_README_paradise@all-ransomware.info.txt
Note locations:
EveryFolder/^#DECRYPT MY FILES# [a-zA-Z0-9]{8}\.html$/Ransom message:
notes/#DECRYPT MY FILES# vN6YLGIr.html
$%%! NOTE ABOUT FILES -=!-.htmlInstructions with your files.txtRansom message:
notes/Instructions with your files.txt
Note locations:
EveryFolder%= RETURN FILES =&.htmlRansom message:
notes/%= RETURN FILES =&.html
Note locations:
EveryFolder=_BACK_FILES_~.html%$ BACK FILES !#.html---%$$$OPEN_ME_UP$$$---.txtRansom message:
notes/---%$$$OPEN_ME_UP$$$---.txt
-=###_INFO_you_FILE_###=-.txtRansom message:
notes/-=###_INFO_you_FILE_###=-.txt
Note locations:
EveryFolder$%%! NOTE ABOUT FILES -=!-.htmlRansom message:
notes/$%%! NOTE ABOUT FILES -=!-.html
Note locations:
EveryFolder---==%$$$OPEN_ME_UP$$$==---.txtRansom message:
notes/---==%$$$OPEN_ME_UP$$$==---.txt
Note locations:
EveryFolder/^[a-zA-Z0-9]{20,30}\.hta$/Ransom message:
notes/A3QloxkZlkV7avmKdHILo5qUEQez.hta
Note locations:
StartUp$&#~! README =$-!=.html%%_WHERE_MY_FILES_=#.htmlRansom message:
notes/%%_WHERE_MY_FILES_=#.html
Note locations:
EveryFolder—==%$$$OPEN_ME_UP$$$==—.txtNote locations:
EveryFoldernooode.txtRansom message:
notes/nooode.txt
Technical Indicators
Associated Executable Files
The following executable files are associated with Paradise ransomware:
DP_Main.exeDP_Main.exe1dp_main.exemyfile.exebadfail.exeparadise.exe726q.exe8gfg.exeParadise Ransomware.exeParadise.exeBg1B.exev9_40_.exeTT.exev4_40_.exe1.EXE.QUARANTINECLJTNAEPAXCDIWCQBJFGRWM6K.EXEHomeworkhelpTrojan.Ransom.Paradise.exe4643.exeCV.exevxjqig.exeuvulko.exekey.exe4RH207OE.exeblofrWNV.exe
Elastio Can Help You
Don't let Paradise ransomware take over your data
Elastio provides advanced ransomware protection and recovery solutions to keep your organization safe.
About This Analysis
This Paradise ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Paradise.
Last updated: July 30, 2025