This free ransomware decryption tool just got a handy update

Victims of Paradise ransomware can now retrieve even more encrypted files because researchers have updated a tool that is already denying cyber criminals ransom payments.
Written by Danny Palmer, Senior Writer

A free decryption tool for a form of ransomware that has been plaguing victims since 2017 has just been updated with additional capabilities to make it more effective at returning encrypted files – without the need to give in to the demands of cyber criminals.

Paradise ransomware typically arrives in a malicious document attached to a phishing email, which if executed will encrypt the victim's files. Crooks then demand a ransom paid in bitcoin for their return.

Extensions of files locked with Paradise typically include ".paradise", ".2ksys19", ".p3rf0rm4", and ".FC" – and the ransomware can also encrypt backups in a move designed to ensure that the victim gives in and pays the ransom.


Security researchers at Emsisoft first released a free decryption tool for Paradise ransomware in November last year – and now they've updated it with additional capabilities to make it even more effective. Now the Paradise ransomware decryption tool can also decrypt files locked with ".stub", ".corp" and ".vacv2" extensions.
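As an added triage example (not code from the article, Emsisoft or Bitdefender), the following Python walks a directory tree and inventories files carrying the extensions listed above, so a responder can size up what the decryptor would need to handle. It assumes, as a hypothetical, that Paradise appends its own extension after the file's original one, and it builds a constructed sample tree so it runs offline.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the article lists for Paradise; the last three were added with the tool update.
PARADISE_EXTENSIONS = {".paradise", ".2ksys19", ".p3rf0rm4", ".fc", ".stub", ".corp", ".vacv2"}


def is_paradise_name(name: str) -> bool:
    """True when the file's final extension is a known Paradise extension (case-insensitive)."""
    return Path(name).suffix.lower() in PARADISE_EXTENSIONS


def original_extension(name: str) -> str:
    """Extension the file had before encryption, assuming (hypothetical) that the ransomware
    appended its extension after the original one, e.g. 'report.docx.paradise' -> '.docx'."""
    return Path(Path(name).stem).suffix.lower()


def triage(root: str) -> dict:
    """Walk `root` and summarise files carrying a Paradise extension.
    An extension match is a triage heuristic, not proof of infection."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if is_paradise_name(f))
    return {
        "count": len(hits),
        "by_ransomware_ext": dict(Counter(Path(h).suffix.lower() for h in hits)),
        "by_original_ext": dict(Counter(original_extension(h) for h in hits)),
        "paths": sorted(hits),
    }


def make_sample_tree() -> str:
    """Build a constructed sample directory (not real victim data) and return its path."""
    root = tempfile.mkdtemp(prefix="paradise_triage_")
    sample = [
        "docs/report.docx.paradise",
        "docs/notes.txt.p3rf0rm4",
        "backups/weekly.bak.vacv2",
        "pictures/photo.jpg.FC",
        "clean/readme.txt",
        "clean/image.PNG",
    ]
    for rel in sample:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    summary = triage(make_sample_tree())
    print(summary["count"], "suspect files;", summary["by_ransomware_ext"])
```

Point `triage()` at a mounted copy of the affected volume rather than the live system, and treat the counts as a starting inventory to compare against the decryptor's results.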

The decryption tool can be downloaded directly from Emsisoft and, as of January 2020, has been downloaded over 11,000 times. The Paradise decryptor is also available via Europol's 'No More Ransom' portal.

Paradise is sold to prospective criminal users 'as-a-service', providing those distributing it in their own campaigns with a simple means of deploying attacks and collecting ransoms – with the original authors taking a cut of any ransoms that are paid.

Researchers at Bitdefender – who've also released a free decryptor for Paradise – note that when executed on a Windows machine, the ransomware checks whether the keyboard language is set to Russian, Kazakh, Belarusian or Ukrainian. If it is, the ransomware won't encrypt files and simply exits, which likely points to the authors being based somewhere in that part of the world.


While victims of Paradise have the option to retrieve their encrypted files for free, ransomware remains successful because, despite warnings from the authorities not to, a significant number of the organisations that fall foul of ransomware opt to give in to the extortion demands of cyber criminals.

In many cases, organisations resort to this because they don't have backups – or the ransomware has also encrypted their backups as part of the attack – and they want to get their operations resumed as soon as possible. However, by making sure they have regularly updated offline backups of their systems, organisations can avoid falling victim to this kind of malware.
