A Look into Source Code of Paradise Ransomware, a “Custom-Built” Virus – 1

July 16, 2021 | Jie Ji

Event Overview

Recently, NSFOCUS CERT, through ongoing monitoring, found that the source code of the Paradise ransomware was leaked. Since data encrypted by Paradise cannot be decrypted now, the source code, if widely spread over the Internet, may cause a lot of trouble.

Paradise had its source code leaked on a Russian hacker forum on the dark web on June 12, becoming the second mainstream ransomware linked with such an event, following Dharma whose source code was disclosed in 2020.

Evolution of Paradise

First spotted in September 2017, Paradise was distributed via the ransomware-as-a-service (RaaS) model. At first, it was spread through links and attachments in phishing emails, mainly targeting individual end users and small enterprises. Its ransom note was typically as follows:

In October 2019, the new version of Paradise, which used Salsa20 and RSA-1024 and appended extensions such as .paradise, .2ksys19, .p3rf0rm4, and .FC to encrypted files, was decrypted by Emsisoft, a New Zealand-based security vendor. The company then released a decryption tool, which is available at the following link:

https://www.emsisoft.com/ransomware-decryption-tools/download/paradise

Subsequently, the Paradise operator updated the virus, which, however, was decrypted again by Bitdefender in January 2020. The decryption tool is available at the following link:

https://labs.bitdefender.com/wp-content/uploads/downloads/paradise-ransomware-decryptor/

The ransom note of the new version is as follows:

Throughout 2020, Paradise became noticeably less active. The sample was last spotted in January 2021; presumably, the project has been abandoned.

The following figure shows statistics about Paradise submissions on a malware platform.

Paradise versions in 2017–2020:

  • Paradise: initial version, which could be decrypted because of an encryption vulnerability
  • Paradise.NET: a secure .NET version using RSA to encrypt files
  • ParadiseB29: a variant used by a “team” that encrypts only the end of a file

Source Code Analysis and Verification

1. Builder: DP_Builder

The code disclosed this time is for the builder of the Paradise ransomware, DP_Builder, which can be used to build a whole package of Paradise, including the main program, decrypter, and a private key generator.

The following figure shows the interface of DP_Builder after being compiled and executed.

  1. Click Generate to generate a random RSA encryption vector.
  2. Extension of the encrypted file name (translated from Russian).
  3. Server address of the ransomware, used for information collection.
  4. Admin key, irrelevant to encryption and used for identifying the builder user.

Values typed for Site and Admin key are saved in Server.info. When executed again, the builder will read from this file and use these values to automatically populate the fields.

If Server.info exists, the interface of DP_Builder is as follows:

1 and 2 are two email addresses (presumably, one is displayed to victims and the other is for web authentication). 3 is for entry of a contact method for the license and encrypted file extensions.

Clicking Create build compiles and builds the ransomware package, including the main program, decrypter, and private key generator.

The code for the main program, decrypter, and private key generator is stored in the resource file of DP_Builder. Each time the package is created, a random 1024-bit RSA key pair is generated and the private key is built into the ransomware. This provides a certain level of encryption security.

The source code of the three programs built above can be recovered with a .NET decompiler.

2. Encrypter: DP_Main

DP_Main.cs is the main program of the ransomware. It provides typical ransomware functions, including encrypting disk files, copying itself to a temporary directory, modifying the registry for automatic running at startup, and deleting volume shadow backups.

2.1 Use of RSA to Encrypt Files

DP_Builder hardcodes variables, such as the RSA public key and the IV, into the program.

The program starts its run-count statistics and attempts to run as administrator.

When running, the ransomware checks whether the previously generated key file exists. If so, it proceeds directly to file encryption.

During the first running, a new RSA key pair is created for encrypting files. The built-in RSA public key is used to encrypt and store the newly generated RSA private key used for file encryption.

The main code is as follows, showing that registry modification and volume shadow backup deletion are performed only during the first run:

The SavePrivateKey function encrypts the file-encryption private key. This private key is required for decrypting files. However, it is encrypted with the MasterRSA public key, and the MasterRSA private key is held by the attackers. As a result, files cannot be decrypted until the ransom is paid.
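The two-level key hierarchy described in this section and in the builder section above (a master RSA pair made at build time, a per-victim RSA pair made on the first run, and the victim private key wrapped under the embedded master public key) can be modelled in a few lines. The following is an added illustration written for this article, not the leaked code: it uses textbook RSA on tiny constructed primes with no padding, purely to show which key unlocks what, and the function names first_run, recover_private_key and decrypt_block are my own.

```python
# Toy model of the Paradise key hierarchy (constructed example, not the leaked
# DP_Builder/DP_Main code). Textbook RSA on tiny fixed primes, unpadded: this
# is only to show which key unlocks what, never a real cipher.

def rsa_keypair(p, q, e=65537):
    """Return ((e, n), (d, n)) from two primes; d is e's inverse mod phi(n)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (e, n), (d, n)

def rsa_apply(key, m):
    """Raw RSA: apply a public key (encrypt) or a private key (decrypt)."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(m, exp, n)

# Builder side (DP_Builder): the master pair is made once per build. Only the
# public half is embedded in the sample; the private half stays with the
# operator. Exponent 3 is used here only so the toy numbers stay tiny.
MASTER_PUB, MASTER_PRIV = rsa_keypair(1019, 1031, e=3)  # constructed primes

def first_run(master_pub, file_block):
    """Victim side, first run: make a per-victim pair, encrypt a file block
    with its public half, and wrap its private exponent under the embedded
    master public key (the SavePrivateKey step). Returns what is left on disk."""
    victim_pub, victim_priv = rsa_keypair(61, 53)  # constructed primes
    ciphertext = rsa_apply(victim_pub, file_block)
    wrapped_d = rsa_apply(master_pub, victim_priv[0])  # master n must exceed d
    key_file = {"wrapped_d": wrapped_d, "n": victim_pub[1]}
    return ciphertext, key_file

def recover_private_key(master_key, key_file):
    """Decrypter side: unwrap the victim private exponent. Only the master
    private key yields the real exponent; any other key gives an unrelated
    number, which is why the files stay locked without the operator's key."""
    return rsa_apply(master_key, key_file["wrapped_d"]), key_file["n"]

def decrypt_block(master_key, ciphertext, key_file):
    """Full decrypter path: unwrap the victim key, then decrypt the block."""
    return rsa_apply(recover_private_key(master_key, key_file), ciphertext)

if __name__ == "__main__":
    ct, kf = first_run(MASTER_PUB, 1234)
    print("with master private key:", decrypt_block(MASTER_PRIV, ct, kf))
    print("wrong key recovers exponent:", recover_private_key(MASTER_PUB, kf)[0])
```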