A newly discovered ransomware-as-a-service program called Paradise may be attempting to infect computers via hacked Remote Desktop services, according to BleepingComputer creator and security expert Lawrence Abrams.
Upon execution, the ransomware relaunches itself to gain administrative privileges, and then encrypts a device's files with an RSA-1024 algorithm, appending the string "id-[affiliate_id].[affiliate_email].paradise" to affected file names, Abrams explains in a news report published on Monday.
"The ransomware will write the RSA encryption key that was used to encrypt a victim's files to the %UserProfile%\DecriptionInfo.auth file. This file will then be encrypted by a master encryption key that was bundled in the ransomware executable," Abrams writes. "This allows the developers to extract a victim's unique RSA key after they have paid a ransom."
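The two host artifacts described above (the appended `id-[affiliate_id].[affiliate_email].paradise` suffix and the `%UserProfile%\DecriptionInfo.auth` key file) can be turned into a simple triage check over a file listing. This is an added example, not code from the article or from BleepingComputer; the affiliate id and e-mail in the sample are constructed placeholders, and whether the square brackets appear literally in renamed files is an assumption handled by making them optional.

```python
"""Triage helper for the Paradise rename suffix and key-file artifacts.
Added example; affiliate values below are constructed, not real indicators."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional

# Suffix the article says is appended: id-[affiliate_id].[affiliate_email].paradise
# Brackets are accepted as optional (assumption: the article does not say if they are literal).
PARADISE_SUFFIX = re.compile(
    r"id-(?P<affiliate_id>[A-Za-z0-9]+)"
    r"\.\[?(?P<affiliate_email>[^\[\]\s@]+@[^\[\]\s@]+)\]?"
    r"\.paradise$"
)
# Per-user key file named in the article (compared case-insensitively, as on NTFS).
KEY_FILE_NAME = "decriptioninfo.auth"


class ParadiseHit(NamedTuple):
    original_name: str
    affiliate_id: str
    affiliate_email: str


def parse_paradise_name(filename: str) -> Optional[ParadiseHit]:
    """Return the parsed suffix if `filename` carries the Paradise rename, else None."""
    m = PARADISE_SUFFIX.search(filename)
    if m is None:
        return None
    return ParadiseHit(filename[: m.start()], m.group("affiliate_id"), m.group("affiliate_email"))


def is_paradise_key_file(path: str) -> bool:
    """True for the DecriptionInfo.auth file the ransomware writes into the user profile."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower() == KEY_FILE_NAME


def triage(paths: Iterable[str]) -> Dict[str, object]:
    """Group encrypted files by the affiliate named in their suffix and list key files."""
    by_affiliate: Dict[str, List[str]] = defaultdict(list)
    key_files: List[str] = []
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1]
        hit = parse_paradise_name(name)
        if hit:
            by_affiliate[f"{hit.affiliate_id} <{hit.affiliate_email}>"].append(hit.original_name)
        elif is_paradise_key_file(p):
            key_files.append(p)
    return {"by_affiliate": dict(by_affiliate), "key_files": key_files}


# Constructed sample listing; the affiliate id and e-mail are placeholders.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsxid-AFF1D0.[affiliate@example.invalid].paradise",
    r"C:\Users\alice\Pictures\cat.jpgid-AFF1D0.[affiliate@example.invalid].paradise",
    r"C:\Users\alice\DecriptionInfo.auth",
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS))
```

Grouping by affiliate id and contact address lets a responder see at a glance which affiliate build touched the host, which is useful when several infections are compared.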
The desktop image of infected machines displays a black background with white lettering that states, "All your files were encrypted!" along with instructions to read a corresponding .txt file. The ransom note itself contains the email address of the attackers and payment instructions. The note states that the victim's files have been encrypted due to a "security problem," and that the price to restore files back to normal "depends on how fast you write to us." Victims are able to have three files of their choice decrypted for free.
Abrams believes that Paradise may use Remote Desktop services as an infection vector, based on entries found in the event log of an infected computer.