A new and very dangerous computer virus called Paradise Ransomware is infecting various computers right now. It is classified as a ransomware and can be detrimental to the state of your computer and personal files.
It is a typical ransomware virus by all possible qualities but one – it seems like this virus might be operating as RaaS. RaaS stands for “Ransomware as a Service”. That means all files and infections methods of this virus were developed by a professional programers but they left distribution to someone else. I.e. anyone can purchase a “licence” of Paradise ransomware virus, get an access to all files and instructions how it should be deployed and distribute it itself. It’s kind of an affiliate network between cyber criminals. Profits of ransom payments usually are split between those two parties.
Cyber security experts have examined this particular infection and discovered that it enters computers using hacked Remote Desktop services. When inside of the computer, this virus will restart automatically and run itself as an administrator to be able to perform all needed processes. It is using an unique and extremely powerful RSA cryptography, which is really difficult to decrypt.
Paradise Ransomware will automatically generate an unique RSA-1024 key and encrypt all of your most important files with it. This virus is associated with 3 different email addresses: email@example.com, firstname.lastname@example.org and email@example.com. Either one of them can be used as in the encryption extension which is added to the end of every encrypted file of yours. Paradise ransomware employs complicated extension -id-[affiliate_id].[affiliate_email].paradise. For ex., if you are have a file “text.doc”, after the encryption it might be displayed as “text.docid-487jnasfW.firstname.lastname@example.org”. Once this extension is added to the file, you won’t be able to open it or use in any other reasonable way.
Different from other ransomware infections, encryption process of Paradise ransomware is really slow. That means you can notice it in the process and get ahead of it, before all of your files are encrypted.
If the ransomware successfully encrypts most of the files on your computer, you will spot a new files on every folder called “#DECRYPT MY FILES#.txt”. It is a ransom note – instructions how to pay the ransom and decrypt files. Original text of the message:
Your important files produced on this computer have been encrypted due a security problem
If you want to restore them, write us to the e-mail: email@example.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
[FREE DECRYPTION AS GUARANTEE]
Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information
and their total size must be less than 1Mb
[HOW TO OBTAIN BITCOINS]
The easiest way to buy bitcoin is LocalBitcoins site.
You have to register, click Buy bitcoins and select the seller by payment method and price
Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss
If you not write on e-mail in 36 hours – your key has been deleted and you cant decrypt your files
Hackers behind Paradise ransomware are offering you to send them 3 encrypted files, so they could decrypt them and prove that they have a method to do that, encouraging you to pay the ransom this way. You are also directed to make a payment via Bitcoins and contact them via given email address.
Now, there are two possible ways to solve Paradise ransomware problem. You can pay the ransom and expect that ransomware developers will keep their promise or restore files from a backup. Unless other ransomware viruses, Paradise is not eliminating shadow volume copies, so if you have any kind of backup file that was made before the encryption, you will be able to restore your system from it. Here’s instructions how to do that: How to restore a system.
- Automatic Paradise Ransomware removal tools
- How to recover Paradise Ransomware encrypted files and remove the virus
- Step 1. Restore system into last known good state using system restore
- Step 2. Complete removal of Paradise Ransomware
- Step 3. Restore Paradise Ransomware affected files using Shadow Volume Copies
- Step 4. Use Data Recovery programs to recover Paradise Ransomware encrypted files
Automatic Paradise Ransomware removal tools
How to recover Paradise Ransomware encrypted files and remove the virus
Step 1. Restore system into last known good state using system restore
1. Reboot your computer to Safe Mode with Command Prompt:
for Windows 7 / Vista/ XP
- Start → Shutdown → Restart → OK.
- Press F8 key repeatedly until Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
for Windows 8 / 10
- Press Power at Windows login screen. Then press and hold Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2.Restore System files and settings.
- When Command Prompt mode loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click “Next” in the windows that appeared.
- Select one of the Restore Points that are available before Paradise Ransomware has infiltrated to your system and then click “Next”.
- To start System restore click “Yes”.
Step 2. Complete removal of Paradise Ransomware
After restoring your system, it is recommended to scan your computer with an anti-malware program, like Reimage and remove all malicious files related to Paradise Ransomware. You can check other tools here.
Step 3. Restore Paradise Ransomware affected files using Shadow Volume Copies
If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Paradise Ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so.
Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Step 4. Use Data Recovery programs to recover Paradise Ransomware encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
- We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
- Download Data Recovery Pro (commercial)
- Install and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
Important Note: Although it is possible to manually remove Paradise Ransomware, such activity can permanently damage your system if any mistakes are made in the process, as advanced spyware parasites are able to automatically repair themselves if not completely removed. Thus, manual spyware removal is recommended for experienced users only, such as IT specialists or highly qualified system administrators. For other users, we recommend using Reimage or other tools found on 2-viruses.com.