Paradise Ransomware
Paradise is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on September 1, 2017, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Paradise unencrypted, Paradise decrypted, Paradise .NET, Paradise 2020.
Quick Facts
- Ransomware Family: Paradise
- First Seen: September 1, 2017
- Known Aliases: Paradise unencrypted, Paradise decrypted, Paradise .NET, Paradise 2020
How Paradise Ransomware Works
Targeted Files
- https://app.any.run/tasks/e8875c32-a941-4a87-9ac9-104ca95a03f0/
- https://tria.ge/220122-rjrz5abee4
- https://www.bleepingcomputer.com/forums/t/668228/help-to-identify-maybe-new-ramsonware/
- https://tria.ge/200903-czcarhcgr2
- https://app.any.run/tasks/02be35ac-0ff6-4a4f-a766-6e81c9634c29/
- https://www.bleepingcomputer.com/forums/t/706918/identify-randsome/
- https://app.any.run/tasks/dfcdc623-3749-4cd8-a30d-f8dfb2c8efc5

Full extension -> [id-XXXXXXXX].[paradise@all-ransomware.info].PRT -> _ID_{corebitp@cock.li}.bitcore
File Encryption Patterns
Paradise modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
.ransom
.NewCore
.{admin@prt-decrypt.xyz}.xyz
.logger
.sev
.paradise
.sell
.prt
.b29
.VACv2
.CORP
.STUB
.p3rf0rm4
.securityP
.Recognizer
.exploit
.sambo
.junior
.safe
.kiss
.2k19sys
.bitcore
.b1
.rdp
.payload
.ebal
.njkwe
.777
.FC
.iskaluz
.honkai
._decryptor_{Pyigxu}.tor
.immortal
.2k19cry
.r00t
.mak
._Kim Chin Im_{YyKVuO}.Im
Ransom Note and Payment Demands
After encrypting files, Paradise displays ransom notes demanding payment for file recovery:
- #DECRYPT MY FILES#.txt
  - Ransom message: notes/#DECRYPT MY FILES#.txt
  - Note locations: EveryFolder
- #DECRYPT MY FILES#.html
  - Ransom message: notes/#DECRYPT MY FILES#.html
  - Note locations: EveryFolder
- KEY BACKUP.txt
- PARADISE_README_paradise@all-ransomware.info.txt
  - Ransom message: notes/PARADISE_README_paradise@all-ransomware.info.txt
  - Note locations: EveryFolder
- /^#DECRYPT MY FILES# [a-zA-Z0-9]{8}\.html$/
  - Ransom message: notes/#DECRYPT MY FILES# vN6YLGIr.html
- $%%! NOTE ABOUT FILES -=!-.html
- Instructions with your files.txt
  - Ransom message: notes/Instructions with your files.txt
  - Note locations: EveryFolder
- %= RETURN FILES =&.html
  - Ransom message: notes/%= RETURN FILES =&.html
  - Note locations: EveryFolder
- =_BACK_FILES_~.html
- %$ BACK FILES !#.html
- ---%$$$OPEN_ME_UP$$$---.txt
  - Ransom message: notes/---%$$$OPEN_ME_UP$$$---.txt
- -=###_INFO_you_FILE_###=-.txt
  - Ransom message: notes/-=###_INFO_you_FILE_###=-.txt
  - Note locations: EveryFolder
- $%%! NOTE ABOUT FILES -=!-.html
  - Ransom message: notes/$%%! NOTE ABOUT FILES -=!-.html
  - Note locations: EveryFolder
- ---==%$$$OPEN_ME_UP$$$==---.txt
  - Ransom message: notes/---==%$$$OPEN_ME_UP$$$==---.txt
  - Note locations: EveryFolder
- /^[a-zA-Z0-9]{20,30}\.hta$/
  - Ransom message: notes/A3QloxkZlkV7avmKdHILo5qUEQez.hta
  - Note locations: StartUp
- $&#~! README =$-!=.html
- %%_WHERE_MY_FILES_=#.html
  - Ransom message: notes/%%_WHERE_MY_FILES_=#.html
  - Note locations: EveryFolder
- —==%$$$OPEN_ME_UP$$$==—.txt
  - Note locations: EveryFolder
- nooode.txt
  - Ransom message: notes/nooode.txt
Technical Indicators
Associated Executable Files
The following executable files are associated with Paradise ransomware:
DP_Main.exe
DP_Main.exe1
dp_main.exe
myfile.exe
badfail.exe
paradise.exe
726q.exe
8gfg.exe
Paradise Ransomware.exe
Paradise.exe
Bg1B.exe
v9_40_.exe
TT.exe
v4_40_.exe
1.EXE.QUARANTINE
CLJTNAEPAXCDIWCQBJFGRWM6K.EXE
Homeworkhelp
Trojan.Ransom.Paradise.exe
4643.exe
CV.exe
vxjqig.exe
uvulko.exe
key.exe
4RH207OE.exe
blofrWNV.exe
About This Analysis
This Paradise ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Paradise.
Last updated: July 30, 2025