Severity scale: 95/100

Paradise ransomware virus. How to remove? (Uninstall guide)

by Julie Splinters | Type: Ransomware

Paradise virus is file-encrypting malware that was updated in August 2018

Paradise ransomware - a malicious program that is designed to encrypt files on the affected machine


Paradise ransomware is not a typical file-encrypting virus. It not only encrypts files on the victim's computer using RSA-2048 cryptography but also operates as ransomware-as-a-service (RaaS)[1]. The original version of the virus appends the .paradise file extension to the targeted data. However, it has been updated several times, so its variants append one of these extensions: [id-].[yourencrypter@protonmail.ch].b29; .{help@badfail.info}.paradise; .sell; .ransom; .logger; and _V.0.0.0.1{paradise@all-ransomware.info}.prt. Once encryption is done, the malware delivers ransom-demanding instructions in PARADISE_README_help@badfail.info.txt, #Decrypt My Files#.txt, #DECRYPT MY FILES# .html or PARADISE_README_paradise@all-ransomware.info.txt files.

Summary
Name: Paradise
Type: Ransomware
Danger level: High. Makes system changes, can install malicious components, encrypts files.
Symptoms: Inability to open files due to the unknown extension, programs or files are installed on the computer, general slowness of the machine.
Cryptography: RSA-2048
File extensions: .paradise, .sell, .ransom, .logger, _V.0.0.0.1{paradise@all-ransomware.info}.prt, .{help@badfail.info}.paradise, [id-].[yourencrypter@protonmail.ch].b29
Ransom note: #Decrypt My Files#.txt, #DECRYPT MY FILES# .html, PARADISE_README_paradise@all-ransomware.info.tx, ID_CLIENT_help@badfail.info.txt, PARADISE_README_help@badfail.info.txt

Although Paradise ransomware operates as RaaS, its activity is still quite low. The fact that it is distributed as RaaS might be an ominous sign, since other less experienced crooks might pick up the code and boost its distribution. However, during its lifetime, researchers haven't detected dangerous variants of it, though the developers released a new version themselves.

Paradise ransomware makes files useless by encrypting them with RSA cryptography

The original version of Paradise malware encodes data with the RSA-2048 algorithm[2] and appends .paradise or other file extensions along with the email referrer, e.g., sample1.jpg[random characters].[info@decrypt.ws].paradise. Additionally, the malware overwrites the RSA key that was used for data encryption with a master key and leaves the new file %UserProfile%\DecriptionInfo.auth. As a result, data recovery becomes nearly impossible without backups.
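
As an added example (not part of the original article or of any vendor tool), the Python script below turns the file extensions, ransom note names and the DecriptionInfo.auth marker quoted on this page into a triage check that can be run over a folder or a mounted backup before cleanup. The regular expressions, the three result classes and the function names are assumptions of this example; a bare .sell, .ransom or .logger extension is reported only as a weak match because benign files can carry it too.

```python
import os
import re

# Note and marker file names quoted on this page, compared case-insensitively.
NOTE_NAMES = {n.lower() for n in (
    "#Decrypt My Files#.txt", "#DECRYPT MY FILES# .html", "#_decrypt_$#.txt",
    "PARADISE_README_help@badfail.info.txt", "ID_CLIENT_help@badfail.info.txt",
    "PARADISE_README_paradise@all-ransomware.info.txt", "DecriptionInfo.auth",
)}
# Strong match: a bracketed or braced contact tag directly before the extension,
# e.g. "x.jpg[random characters].[info@decrypt.ws].paradise" (regexes are assumptions).
TAGGED = (
    re.compile(r"\[[^\]]*\]\.\[[^\]]*\]\.(paradise|b29|sell|ransom|logger)$", re.I),
    re.compile(r"\{[^}]*@[^}]*\}\.(paradise|prt)$", re.I),
)
# Weak match: the bare extension alone, which benign files can also carry.
BARE = re.compile(r"\.(paradise|sell|ransom|logger)$", re.I)


def classify(path):
    """Return 'note', 'encrypted', 'weak' or None for one file name or path."""
    name = re.split(r"[\\/]", path)[-1]  # accept Windows and POSIX separators
    if name.lower() in NOTE_NAMES:
        return "note"
    if any(p.search(name) for p in TAGGED):
        return "encrypted"
    if BARE.search(name):
        return "weak"
    return None


def scan(root):
    """Walk root and group matching paths by class, for triage before cleanup."""
    hits = {"note": [], "encrypted": [], "weak": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            kind = classify(fname)
            if kind:
                hits[kind].append(os.path.join(dirpath, fname))
    return hits


if __name__ == "__main__":
    import sys
    for kind, paths in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for p in paths:
            print(f"{kind:10}{p}")
```

Running the same scan against a backup set before restoring from it shows whether encrypted copies were already synchronised into the backup.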

Paradise ransomware changes affected computer's wallpaper

Following the encryption, ransomware launches a black wallpaper with a few words:

All your files were encrypted!
For more information read: #_decrypt_$#.txt
By Paradise

The mentioned file is a ransom note where crooks urge victims to pay as soon as possible, since the price directly depends on how fast they contact the perpetrators. However, the final deadline is 36 hours. Victims are asked to contact the authors of Paradise virus using one of the following emails:

  • tankpolice@aolonline.top
  • edinstveniy_decoder@aol.com
  • info@decrypt.ws
  • paradise@all-ransomware.info

Paradise virus delivers a ransom note where victims are informed about a necessity to pay the ransom.

Cyber criminals also grant a chance to decrypt a couple of files for free. However, such promises should not be trusted.[3] Those might be the only files that you manage to get back after the virus attack. Thus, it's better to remove Paradise from the computer and use backups or alternative recovery solutions.

Paradise ransomware has an official payment website.

Regarding the latter email address, it is possible to assume that the malware is related to the BTCWare family of ransomware threats, as one of the subsidiary versions, Master virus, delivers the same email address. If that is the case, then there are chances that the free BTCWare decrypter might be of use in dealing with this cyber threat. However, in order to try this tool, you have to remove Paradise ransomware from the computer first.

We want to discourage you from manual Paradise virus removal because it may lead to irreparable damage to the system. The malware consists of countless files, might bring other malware to the system and might affect legitimate Windows processes. Hence, only reputable security software, such as Reimage, Plumbytes Anti-Malware or Malwarebytes, can help to clean the PC.

Paradise virus was updated in March 2018

Paradise malware has never been among the most dangerous cyber threats. However, developers of ransomware decided to come back with a new version. Security experts uncovered that in early March the new virus version started appending [id-].[support@all-ransomware.info].sell file extension. Later that month, two more extensions were added – [id-].[].ransom and [id-].[].logger.

Authors of Paradise ransomware updated a ransom payment website

However, these versions still use the same unbreakable encryption method. Hence, only backups can help to fully recover after a Paradise virus attack. Following the encryption, it also delivers a ransom note called #DECRYPT MY FILES# .html. Crooks ask to pay the ransom in Bitcoins:

WHAT HAPPENED!
Your important files produced on this computer have been encrypted due a security problem.
If you want to restore them, write to us by email.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

FREE DECRYPTION AS GUARANTEE!
Before payment you can send us 1-3 files for free decryption.Please note that files must NOT contain valuable information. The file size should not exceed 1MB. As evidence, we can decrypt one file.

Even though the newest versions are not decryptable either, get rid of the Paradise virus instead of paying the ransom. Third-party tools might help to decrypt your files. Additionally, researchers might soon create a decryptor which might help you with data recovery too. You can find the removal guide and data recovery instructions at the end of the article.

Authors of Paradise ransomware present a new version in June 2018

A few months after the last update, the developers of Paradise virus came back with a new version. The cryptography and operation mechanism do not seem to have changed much compared to the previous versions. However, the significant feature of the malware is a new file extension.

A new variant of Paradise ransomware uses a new file extension and email address to communicate with victims

Since June 2018, ransomware has been spotted adding V.0.0.0.1{paradise@all-ransomware.info}.prt file extension to documents, multimedia, databases, and other popular files that are stored on the affected machine. Soon after the encryption, it also delivers a ransom note in PARADISE_README_paradise@all-ransomware.info.txt which gives the following information:

To decrypt your files contact us by email — paradise@all-ransomware.info and paradise@all-ransomware.info
Your user id: [redacted]

with respect Ransomware Paradise Team

No matter how respectful malware creators try to be, you should not contact them and follow their data recovery instructions. They will ask to pay in Bitcoins or other cryptocurrencies for the decryptor that might not even exist. Therefore, it is highly recommended to get rid of Paradise ransomware instead of dealing with cyber criminals. After virus removal, you can try various third-party tools or use your own backups and restore encrypted files.

Strategies used for ransomware distribution

Mostly, ransomware threats are spread via multiple methods:

  • spam emails
  • trojans
  • corrupted apps and browser extensions
  • exploit kits[4]

Ransomware is most likely to infiltrate the computer after an obfuscated email attachment is opened. Therefore, you have to be vigilant and avoid opening every email you receive. Always make sure that you were supposed to receive it and that there are no hints that it was sent by criminals.

The malware executable might also spread as fake programs or updates. Such content might be available on shady file-sharing sites and torrents, or pop up on the screen in the form of an online ad. Hence, use only reliable sources for downloads and updates.

Finally, keep all the programs and operating system up-to-date. Malware might take advantage of security flaws and get into the system. Additionally, install a reputable antivirus and create backups – they will be very important in case of the attack.

Instructions on how to get rid of Paradise virus and recover data

In order to remove Paradise virus from Windows, you will need to scan the device with anti-virus and malware elimination utilities. We recommend using Reimage, Malwarebytes, Combo Cleaner or Plumbytes Anti-Malware. In case you cannot access them or they do not respond, reboot the system in Safe mode.

After Paradise ransomware removal is completed, you may attempt to decode data with alternative security applications and backups[5]. French users[6] should be wary of the threat as it is likely to target them more actively.


To remove Paradise virus, follow these steps:

Remove Paradise using Safe Mode with Networking

Restart the device in Safe mode to launch the security tool and eliminate Paradise malware.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Paradise

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Paradise removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Paradise using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of Paradise. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Paradise removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Paradise from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Paradise, you can use several methods to restore them:

The benefits of Data Recovery Pro

This tool is specifically created to restore damaged files after a system crash, but you may try it to recover your files encrypted by Paradise crypto-virus.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Paradise ransomware;
  • Restore them.

Will Shadow Explorer help restore files?

The key advantage of the software is its ability to use shadow volume copies for data recovery. Since there is no information whether the virus deletes the copies beforehand, you may stand a chance.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Paradise Decrypter

Bear in mind that if you purchase the decryption software offered by the ransomware developers, it may only create more system vulnerabilities benefitting a future hijack.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Paradise and other ransomware, use a reputable anti-spyware, such as Reimage, Malwarebytes, Combo Cleaner or Plumbytes Anti-Malware.

About the author

Julie Splinters - Malware removal specialist
