The Paradise Ransomware source code was released on a hacking forum and may be used by any aspiring hacker to create their own customized ransomware operation.
Only active members who have previously replied to or reacted to other posts on the site have access to the source code that was disclosed on the hacker forum XSS.
Tom Malka of Security Joes discovered three executables when he built the source code package: a ransomware configuration builder, an encryptor, and a decryptor.
Russian comments can be found throughout the source code, indicating the developer’s native tongue.
The developer allows a Paradise ransomware affiliate to create their own version of the ransomware, complete with a personalized command and control server, encrypted file extension, and contact email address.
Affiliates can distribute customized ransomware in their campaigns to target victims after building it.
The Paradise Malware operation began in September 2017 with the use of phishing emails with malicious IQY files that downloaded and installed the ransomware.
Multiple versions of the ransomware have been released since then, with early versions featuring weaknesses that prompted the development of a Paradise Ransomware decryptor.
The encryption mechanism was modified to RSA in the later versions, which precluded free file decryption.
It’s unclear if the various versions of Paradise that were released were all created by the same organisation because they all circulated at approximately the same time with thousands of different extensions.
The Paradise Ransomware was widely circulated between September 2017 and January 2020, before dramatically decreasing to the point where it is now rarely observed.
The source code for the secure version of Paradise Ransomware, which encrypts files with RSA encryption, has been provided.
Aspiring threat actors can readily adapt this source code to release their own modified form of the ransomware, making it a simple entry point into starting a new ransomware operation.