article featured image


The ransomware unpacks itself and encrypts files on the affected computer, once the user opens the file by adding extensions like “.paradise”, “.2ksys19”, “.p3rf0rm4”, and “.FC”.

The Paradise ransomware also works by deleting the backups in an attempt to obtain maximum impact and therefore more easily pressuring the victim into paying the ransom.

Paradise-Ransomware message


Recently the complete source code for the Paradise Ransomware has been released on a hacking forum, in this way allowing any cybercriminal to be able to develop their own customized ransomware operation.

Paradise-Ransomware source code leak


What happened?

The source code was released on the hacking forum XSS with the source code link only accessible to active users on the platform. These users must have previously replied or reacted to other similar posts on the website.

Previously this year, the XSS hacking forum removed all ransomware topics from its website most likely in order to prevent any unwanted attention in the current international context where RaaS type activities have grown in numbers and are now far more common and easy to encounter.

Security researcher Tom Malka shared the source code with the news publication BleepingComputer. He compiled the package and found that it creates three executables, a ransomware configuration builder, the encryptor, and a decryptor.

Paradise Ransomware source code


It’s interesting to note that throughout the source code can be found Russian comments, this clearly demonstrating that Russian is probably the native language of the developer.

The Paradise ransomware affiliates are now able to make use of the builder in order to customize their own version of the ransomware and include a custom command and control server, encrypted file extension, and contact email address to distribute the malware in their campaigns to target victims.

The Paradise Ransomware operation was first seen in September 2017. At that time, it was using phishing emails that were containing malicious IQY attachments that downloaded and installed the ransomware, but in time more versions of the ransomware were released, with the initial versions containing flaws that led to the release of a Paradise Ransomware decryptor.

The new versions switched the encryption method to RSA, in this way preventing the free decryption of files.

Michael Gillespie the researcher that created the original Paradise Ransomware decryptor disclosed that the versions of Paradise that were released include:

  • Paradise – Native version that had the flaws allowing decryption.
  • Paradise .NET – A secure .NET version that switched encryption algorithms to use RSA encryption.
  • Paradise B29 – A “Team” variant that only encrypted the end of a file.

The researcher said that it is not clear at this time if the versions were all developed by the same group as they were all circulating at around the same time with thousands of different extensions.

Heimdal Official Logo
Neutralize ransomware before it can hit.

Heimdal™ Ransomware Encryption Protection

Specifically engineered to counter the number one security risk to any business – ransomware.
  • Blocks any unauthorized encryption attempts;
  • Detects ransomware regardless of signature;
  • Universal compatibility with any cybersecurity solution;
  • Full audit trail with stunning graphics;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

Unfortunately, the leaked source code is one of the secure version of Paradise Ransomware that makes use of the RSA encryption, therefore by using this source code, the threat actors can easily modify it to release their own customized version of the ransomware, leaving room for an easy entry point into the birth of new ransomware operations.

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.