Ransom.MSIL.PARADISE.J

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files with specific file extensions. It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• {Malware Path}\del.bat → Deletes main sample and itself afterwards

It adds the following processes:

• "%System%\cmd.exe" NetSh Advfirewall set allprofiles state off
• "cmd.exe" vssadmin delete shadows /all /quiet → Deletes shadow copies
• "%System%\mshta.exe" "{Malware Path}\how to recover my files.hta"

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Other Details

This Ransomware does the following:

• It executes the following command to disable/stop/delete Windows components:
  
  • "%System%\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
  • "%System%\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
  • "%System%\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  • "%System%\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  • "%System%\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  • "%System%\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  • "%System%\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true
  • "%System%\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• .123
• .3dm
• .3ds
• .3g2
• .3gp
• .602
• .7z
• .accdb
• .aes
• .ARC
• .asc
• .asf
• .asm
• .avi
• .backup
• .bak
• .bat
• .bmp
• .brd
• .bz2
• .c
• .cgm
• .class
• .cmd
• .cpp
• .crt
• .cs
• .csr
• .csv
• .db
• .dbf
• .dch
• .der
• .dif
• .dip
• .djvu
• .doc
• .docb
• .docm
• .docx
• .dot
• .dotm
• .dotx
• .dwg
• .edb
• .eml
• .fla
• .flv
• .frm
• .gif
• .gpg
• .gz
• .h
• .hwp
• .ibd
• .iso
• .jar
• .java
• .jpeg
• .jpg
• .js
• .jsp
• .key
• .lay
• .lay6
• .ldf
• .m3u
• .m4u
• .max
• .mdb
• .mdf
• .mid
• .mkv
• .mml
• .mov
• .mp3
• .mp4
• .mpeg
• .mpg
• .msg
• .myd
• .myi
• .odb
• .odg
• .odp
• .ods
• .odt
• .onetoc2
• .ost
• .otg
• .otp
• .ots
• .ott
• .p12
• .PAQ
• .pas
• .pdf
• .pem
• .pfx
• .phpasp
• .pl
• .png
• .pot
• .potm
• .potx
• .ppam
• .pps
• .ppsm
• .ppsx
• .ppt
• .pptm
• .pptx
• .ps1
• .psdnef
• .pst
• .rar
• .raw
• .rb
• .rtf
• .sch
• .sh
• .sldm
• .sldx
• .slk
• .sln
• .snt
• .sql
• .sqlite3
• .sqlitedb
• .stc
• .std
• .sti
• .stw
• .suo
• .svgai
• .swf
• .sxc
• .sxd
• .sxi
• .sxm
• .sxw
• .tar
• .tbk
• .tgz
• .tif
• .tiff
• .txt
• .uop
• .uot
• .vb
• .vbs
• .vcd
• .vdi
• .vmdk
• .vmx
• .vob
• .vsd
• .vsdx
• .wav
• .wb2
• .wk1
• .wks
• .wma
• .wmv
• .xlc
• .xlm
• .xls
• .xlsb
• .xlsm
• .xlsx
• .xlt
• .xltm
• .xltx
• .xlw
• .zip

It renames encrypted files using the following names:

• {Original Filename}.{Original File Extension}.id={Generated ID}.email=Mr.Perfect@tutamail.com.Viper

It drops the following file(s) as ransom note:

• {Encrypted Directory}\how to recover my files.hta