The source code for the Paradise Ransomware has been released on the hacking forum XSS allowing threat actors to develop their own customized ransomware operation. The news of the availability of the source code was first reported by Tom Malka, a senior threat intelligence analyst for security firm Security, that reported it to BleepingComputer and The Record.
Malka compiled the source code and discovered that it creates three executables, the ransomware configuration builder, the encryptor, and a decryptor.
The analysis of the source code revealed the presence of comments in the Russian language that gives us an idea of the origin of the ransomware gang behind it.
Paradise Ransomware has been active since September 2017, its operators offer the malware with a Ransomware-as-a-Service (RaaS) model.
In October 2019, security experts at Emsisoft have developed a tool to decrypt files encrypted by the Paradise ransomware. The ransomware family encrypts files using Salsa20 and RSA-1024 and it appends several extensions to their filenames. The Paradise gang was very active until 2020, then its operations drastically dropped.
The availability of the source code online could allow other ransomware gangs to modify it and conduct their own campaigns.
(SecurityAffairs – hacking, ransomware)