This ransomware campaign has just returned with a new trick

Paradise ransomware is back again - and the criminals behind it appear to be testing out new tactics ahead of what could be a more prolific campaign.
Written by Danny Palmer, Senior Writer

A ransomware campaign has returned with a new trick to fool the unwary into compromising their network with file-encrypting malware. And it's an attack that many Windows machines won't even recognise as potentially malicious.

The new variant of Paradise ransomware, which has been active in one form or another since 2017, spreads via phishing emails, but it's different from other ransomware campaigns because it uses an uncommon – but effective – file type to infiltrate the network.

This campaign leverages Internet Query files (IQY), which are text files read by Microsoft Excel to download data from the internet. IQY is a legitimate file type, so many organisations won't block it.

But cybersecurity researchers at Lastline have uncovered a campaign taking advantage of this to spread Paradise ransomware to targeted organisations.

SEE: Cybersecurity: Let's get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic) 

"We're seeing attacks using IQY files because many commodity security products and automated systems do not, or cannot, parse these file types. Attackers realize they have a very good chance of making it past rudimentary defenses," Richard Henderson, head of global threat intelligence at Lastline, told ZDNet. 

The initial phishing messages are designed to look commercial in nature and encourage users to open an IQY attachment. If the victim does this, the IQY file connects to the command and control server run by the attackers, which in turn will drop a PowerShell command that's used to execute the ransomware on the machine.

Once files are encrypted the victim is presented with a ransom demand – to be paid in cryptocurrency – in exchange for return to access to the network.

In an effort to further understand the attack, researchers attempted to communicate with the cyber criminals through the chat 'support' channel they offer for negotiating access to a decryptor – although they never received a reply, indicating that the current campaign might only be a test run for more expanded distribution of the new version of Paradise.

"Malware authors will often deploy malware that isn't quite ready for prime time yet – they want to see how successful early versions of a new campaign are and how detectable their malware is against security products," said Henderson.

The lack of 'support' response infers that they are still working out the kinks, and are trying to figure out the best ways for them to make money he added.

Cybersecurity researchers released a free decryption tool for a previous version of Paradise, but it appears that those behind the attacks are still pushing on.

It's not known what sort of cyber criminal operation is behind Paradise, although researchers note that the ransomware won't install on a machine if it detects the language ID as Russian, Kazakh, Belarusian, Ukranian, or Tatar.

SEE: 30 years of ransomware: How one bizarre attack laid the foundations for the malware taking over the world

Ransomware continues to plague organisations across the world, with cyber criminals successfully demanding ransom payments worth hundreds of thousands of dollars in bitcoin on a regular basis.

However, one way in which organisations can avoid giving into the demands of cyber criminals – even if they fall victim to ransomware – is by making sure they have regularly updated offline backups of their systems, so if the worst happens, there's a fall-back option.

Organisations can also go a long way to protecting themselves from ransomware and other malware attacks by regularly applying the appropriate security patches, thus avoiding the possibility of known vulnerabilities in software being exploited by attackers as a means of compromising the network.


Editorial standards