Paradise ransomware returns in 2020 using unusual attack method

Since this ransomware can be purchased and altered by many cybercriminals, some details about the virus differ based on its variant. Currently known variants use r00t{xxxxxx}.RaaS, babyfromparadise{xxxxxx}.777, .fine, .pay, mark{ID}.mak, {}.payload, r00t{aicek1}.ebal, r00t{000000}.njkwe, Random_{corebitp@cock.li}.bitcore, forv{xxxxx}.for, [id-].[corpseworm@protonmail.com].worm, Kim Chin lm{ID}.lm, .{info_newcore@p-security.li}.NewCore and other extensions on encrypted files. In addition to the previously mentioned ransom note names, another known one is -=###INFO_you_FILE###=-.txt.

Ransom note contents

Paradise ransomware, unlike other crypto-viruses, creates a file called Files.txt, which contains a list of all successfully encrypted files. The Failed.txt file contains a list of files that weren’t encrypted due to a failure. Finally, #DECRYPT MY FILES#.txt or —==%$$$OPEN_ME_UP$$$==—.txt is the actual ransom note, which explains that files on the system have been encrypted due to a security problem. In order to restore them, the note suggests writing to the email address provided by the criminals. There is no exact ransom price specified, but the criminals state that they want to receive it in Bitcoin cryptocurrency. As usual, the ransomware creators offer to decrypt three files for free. This is done in order to prove that it is “worth” paying the ransom. Finally, the note advises not to rename the affected files or try to decrypt them using third-party software.

Next, the virus may also display a pop-up window with the same message as stated in the ransom note. Some variants of this ransomware will leave not a text but an HTML ransom note, such as #DECRYPT MY FILES#.html. The note contains a personal ID, a key, a brief explanation of what happened and instructions on how to test the decryption on 1-3 files. The ransomware might also change your desktop wallpaper; this depends on the variant you’re infected with.

The good news is that some variants of this ransomware are decryptable. Therefore, if you have become a victim of this virus’ attack, remove Paradise ransomware virus as soon as possible. Please check the instructions provided by our team, then follow the decryption information provided.

Threat Summary

Ransomware spreads via IQY format files

Starting in March 2020, Paradise ransomware began attacking victims using a new file type in its malicious spam campaigns: Excel Web Query attachments, also known as the IQY file format. The spam campaign is designed to send fake orders, offers or keys. Once opened, the malicious IQY attachment connects to a malicious URL that serves PowerShell commands which download and run the Paradise ransomware payload. The inspected malicious IQY files contain only a few lines instructing Excel to retrieve some information from the web; specifically, they contain the exact URL to connect to. The URL returns an Excel formula that launches a PowerShell command to download and launch the key.exe program. This program is, in fact, the Paradise ransomware itself. This is a new case of criminals using such a file format, and victims are easily convinced that it is safe, as it is common to believe that viruses can spread in .exe, .doc or .pdf format only. We’d like to remind you to avoid opening suspicious emails and especially the links or attachments in them. You might not notice anything after opening it; however, once you close your web browser window, you’ll soon notice that all the files on your desktop are modified and cannot be opened. You also need to be aware that ransomware viruses such as STOP/DJVU use slightly different attack vectors, such as malicious online downloads. Therefore, be very careful about what you decide to download from the Internet.
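Because an IQY file is just a few lines of text that tell Excel which URL to fetch, a mail gateway or endpoint script can inspect it before anyone opens it. The following Python is an added example written for this article, not code from the article, from Paradise, or from any vendor named here: it parses the IQY layout (query type, version, URL, optional key=value parameters) and blocks any attachment whose URL is not on a host allowlist. The ALLOWED_HOSTS set and both sample files are constructed; the external host uses the reserved .invalid domain as a placeholder.

```python
"""Gateway check for Excel Web Query (.iqy) attachments.

Added example, not code from the original article or from any vendor it
names. An IQY file is plain text: the first line is the query type ("WEB"),
the second the format version ("1"), the third the URL Excel fetches when the
file is opened, and any later lines are key=value parameters. The parser
below extracts that URL and the verdict function blocks any attachment whose
URL is not on a host allowlist. ALLOWED_HOSTS and both sample files are
constructed for this example.
"""
from urllib.parse import urlparse

# Hosts that legitimately serve web queries in this (constructed) environment.
ALLOWED_HOSTS = {"intranet.example.local"}

# Constructed sample: an internal report query that should pass.
BENIGN_IQY = (
    "WEB\n"
    "1\n"
    "http://intranet.example.local/report.html\n"
    "\n"
    "Selection=AllTables\n"
    "Formatting=None\n"
)

# Constructed sample: a query that pulls content from an unknown external host
# (placeholder .invalid domain), the pattern the campaign above relies on.
SUSPICIOUS_IQY = (
    "WEB\n"
    "1\n"
    "http://updates.example.invalid/key\n"
    "\n"
    "Selection=AllTables\n"
)


def parse_iqy(text: str) -> dict:
    """Split an IQY file into its type, version, URL and parameters.

    Raises ValueError when the content does not have the WEB query layout.
    """
    lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not an Excel WEB query file")
    params = {}
    for ln in lines[3:]:
        if "=" in ln:
            key, value = ln.split("=", 1)
            params[key.strip()] = value.strip()
    return {"type": "WEB", "version": lines[1], "url": lines[2], "params": params}


def iqy_verdict(text: str) -> str:
    """Return 'allow', 'block' or 'invalid' for one attachment's contents.

    Anything that is not an http(s) URL on an allowlisted host is blocked,
    because opening the file makes Excel fetch whatever that URL serves.
    """
    try:
        query = parse_iqy(text)
    except ValueError:
        return "invalid"
    url = urlparse(query["url"])
    if url.scheme not in ("http", "https"):
        return "block"
    host = (url.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return "block"
    return "allow"


if __name__ == "__main__":
    for name, content in (("benign", BENIGN_IQY), ("suspicious", SUSPICIOUS_IQY)):
        print(f"{name}: {iqy_verdict(content)} -> {parse_iqy(content)['url']}")
```

The allowlist is deliberately the only way to an "allow" verdict: the file contents give no other signal, since a malicious IQY is structurally identical to a legitimate one and differs only in where the URL points. Many organisations simply quarantine every .iqy attachment; this check is for environments that still need web queries from known internal hosts.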

Remove Paradise ransomware virus now

An easy way to remove Paradise ransomware virus is explained below. In short, you’ll need to boot your PC in Safe Mode, then run a trustworthy malware elimination tool to delete all traces of malware instantly. Make sure to run a full and not a quick scan. Paradise ransomware removal gives you a clean and safe environment, which is essential to import your data backup and start restoring your files without causing further damage. In case you did not have any data backups, you can check the decryption guide provided below the removal instructions.

OUR GEEKS RECOMMEND

Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair the virus damage caused to the system. GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you.

Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-the-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats; Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer.

RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with a professional antivirus. The full version of the software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses the AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them.

Alternative software recommendations

Malwarebytes Anti-Malware

Method 1. Enter Safe Mode with Networking

Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot the PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode.

Instructions for Windows XP/Vista/7 users

Instructions for Windows 8/8.1/10 users

Now, you can search for and remove PARADISE Ransomware files. It is very hard to identify files and registry keys that belong to the ransomware virus. Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such a type of computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO Antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically.

Instructions for Windows XP/Vista/7 users

Instructions for Windows 8/8.1/10 users

After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won’t be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking the ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future. Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning and includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense

If you’re looking for an all-in-one system maintenance suite, System Mechanic Ultimate Defense has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, a password manager, online privacy protection and secure driver wiping technology. Due to its wide range of capabilities, System Mechanic Ultimate Defense deserves Geek’s Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.

Decrypt files encrypted by Paradise

Victims of this ransomware can decrypt Paradise files by using the Emsisoft decryption tool or the Bitdefender decryptor. The Bitdefender tool is capable of restoring files that have been modified and extended with the following extension variants: .FC, .2ksys19, .p3rf0rm4, .Recognizer, .VACv2, .paradise, .CORP, .immortal, .exploit, .prt, .STUB, .sev, .sambo. Please go to Bitdefender’s official website for instructions on how to use the decryption tool, and download it from there. Emsisoft’s tool is capable of restoring files with the .paradise, .2ksys19, .p3rf0rm4, .FC, .CORP and .STUB extensions. To use the Paradise decryption tool, go to the official website of Emsisoft, read the detailed usage guide, and download the tool from there.
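Whether a public decryptor can help depends on which extension your variant appended, and the ransomware conveniently leaves a list of every file it touched in Files.txt (described in the ransom note section above). The Python below is an added example written for this article, not code from the article, from Paradise, or from Bitdefender or Emsisoft: it reads such a listing, groups files by the appended extension, and looks each extension up in the two decryptor coverage lists quoted in the decryption section. The extension sets are copied from that section; the sample Files.txt content, paths and IDs are constructed.

```python
"""Triage an encrypted-file inventory left behind by Paradise ransomware.

Added example, not code from the original article or from Bitdefender or
Emsisoft. Paradise writes a Files.txt listing every file it encrypted; this
script reads such a listing, groups the entries by the extension the
ransomware appended, and reports which of those extensions the public
decryptors named in the article cover. The two extension sets are copied from
the article's decryptor section; SAMPLE_FILES_TXT is constructed.
"""
from collections import Counter

# Extensions the article lists for each decryptor (compared case-insensitively).
BITDEFENDER_EXTS = {
    "fc", "2ksys19", "p3rf0rm4", "recognizer", "vacv2", "paradise", "corp",
    "immortal", "exploit", "prt", "stub", "sev", "sambo",
}
EMSISOFT_EXTS = {"paradise", "2ksys19", "p3rf0rm4", "fc", "corp", "stub"}

# Constructed sample of a Files.txt listing (paths and the {aicek1} ID are made up
# to match the extension patterns the article names).
SAMPLE_FILES_TXT = r"""
C:\Users\alice\Documents\budget.xlsx.paradise
C:\Users\alice\Documents\notes.txt.paradise
C:\Users\alice\Pictures\holiday.jpg.r00t{aicek1}.ebal
C:\Users\alice\Desktop\contract.pdf.FC
"""


def final_extension(path: str) -> str:
    """Return the last extension of a path, lower-cased, or '' if it has none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[-1].strip().lower()


def decryptors_for(ext: str) -> list:
    """Names of the public decryptors the article lists for this extension."""
    tools = []
    if ext in BITDEFENDER_EXTS:
        tools.append("Bitdefender")
    if ext in EMSISOFT_EXTS:
        tools.append("Emsisoft")
    return tools


def triage(listing: str) -> dict:
    """Group a Files.txt listing by appended extension with decryptor coverage."""
    counts = Counter(
        final_extension(line) for line in listing.splitlines() if line.strip()
    )
    return {
        ext: {"count": n, "decryptors": decryptors_for(ext)}
        for ext, n in counts.items()
    }


def recoverable_count(listing: str) -> int:
    """Number of listed files whose extension has at least one public decryptor."""
    return sum(
        info["count"] for info in triage(listing).values() if info["decryptors"]
    )


if __name__ == "__main__":
    report = triage(SAMPLE_FILES_TXT)
    for ext, info in sorted(report.items()):
        tools = ", ".join(info["decryptors"]) or "no public decryptor listed"
        print(f".{ext}: {info['count']} file(s), {tools}")
    print(f"{recoverable_count(SAMPLE_FILES_TXT)} file(s) covered by a listed decryptor")
```

Run it against the real Files.txt (after the removal steps, from a clean system, on a copy of the list) to see at a glance which files the Bitdefender or Emsisoft tools may recover and which will have to come from backups. The match is only on the trailing extension, so a variant that appends an e-mail address or ID before the extension is still grouped correctly.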