Security researchers detected a spam campaign leveraging Internet Query (IQY) files in an attempt to distribute Paradise ransomware.
Lastline observed that the campaign began by trying to trick users into opening an IQY file, an Excel-readable text file which downloads data from the web. As such, this file retrieved a malicious Excel formula from the attackers’ command-and-control (C&C) server. That formula used PowerShell to download Paradise ransomware as its payload.
After performing a language check, Paradise initiated a crypto routine that stood out among the processes employed by other ransomware families. As Lastline noted in its research:
The malware leverages Salsa20 to encrypt the victim’s files. The benefit of using this algorithm is that malware authors can implement it into their source code…, rather than calling functions from a crypto library. This makes detecting the encryption routine more difficult, and also makes determining the type of encryption being used a bit more challenging for malware analysts.
Upon completion of its encryption routine, Paradise dropped a ransom note to disk. This message didn’t instruct the victim to contact an email address or visit a payment portal via Tor, directions which other ransomware families’ ransom notes commonly give out. Instead, it instructed users to click on a URL that redirected them to a chat login page where they were instructed to specify their personal infection ID.
Lastline attempted to communicate with the chat feature but never received a response back. Even so, its researchers noted that the time and date format of the chat window coincided with the format used by many European countries. This information could provide some insight into the general location of the ransomware attackers and/or their targeting preferences.
The Paradise ransomware attack described above highlights the need for organizations to protect themselves against a ransomware infection. One of the ways they can do this is by taking steps to prevent an infection in the first place. This resource is a good place to start.