
The malware leverages Salsa20 to encrypt the victim’s files. The benefit of using this algorithm is that malware authors can implement it in their own source code..., rather than calling functions from a crypto library. This makes detecting the encryption routine more difficult, and also makes determining the type of encryption being used a bit more challenging for malware analysts.

Upon completion of its encryption routine, Paradise dropped a ransom note to disk. This message didn't instruct the victim to contact an email address or visit a payment portal via Tor, directions that other ransomware families' ransom notes commonly give. Instead, it instructed users to click on a URL that redirected them to a chat login page, where they were instructed to specify their personal infection ID. Lastline attempted to communicate with the chat feature but never received a response. Even so, its researchers noted that the time and date format of the chat window coincided with the format used by many European countries. This information could provide some insight into the general location of the ransomware attackers and/or their targeting preferences.
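The point above about Salsa20 being compiled into the malware's own code means there are no crypto-library imports to key on, so analysts commonly look for the cipher's fixed constants instead. The following is an added example, not code from the original article or from Lastline: the function names and the sample bytes are constructed for illustration, and it assumes the implementation keeps the standard constants, which the article does not state for Paradise.

```python
# Standard Salsa20 constants: "sigma" (256-bit keys) and "tau" (128-bit keys).
# ChaCha reuses the same strings, so a hit means "Salsa20/ChaCha family".
CONSTANTS = {"sigma": b"expand 32-byte k", "tau": b"expand 16-byte k"}


def find_salsa20_constants(data: bytes, window: int = 32):
    """Return sorted (offset, name, kind) hits for the constants in data.

    kind is "contiguous" when the 16-byte string is stored as-is (a data
    table), or "scattered" when its four 4-byte words appear in order, each
    within `window` bytes of the previous one (immediates in inlined code).
    """
    hits = []
    for name, const in CONSTANTS.items():
        words = [const[i:i + 4] for i in range(0, 16, 4)]
        start = 0
        while (pos := data.find(words[0], start)) != -1:
            start = pos + 1
            if data[pos:pos + 16] == const:
                hits.append((pos, name, "contiguous"))
                continue
            cursor = pos + 4
            for word in words[1:]:
                nxt = data.find(word, cursor, cursor + window)
                if nxt == -1:
                    break
                cursor = nxt + 4
            else:  # all three remaining words were found close by
                hits.append((pos, name, "scattered"))
    return sorted(hits)


def constructed_sample() -> bytes:
    """Constructed input (not from a real sample): x86 'mov dword [esp+d], imm32'
    instructions loading the sigma words, then tau stored as a plain string."""
    sigma = CONSTANTS["sigma"]
    code = b"".join(b"\xc7\x44\x24" + bytes([i]) + sigma[i:i + 4]
                    for i in range(0, 16, 4))
    return b"\x90" * 32 + code + b"\x00" * 64 + CONSTANTS["tau"]


if __name__ == "__main__":
    for offset, name, kind in find_salsa20_constants(constructed_sample()):
        print(f"0x{offset:04x}  {name:5s}  {kind}")
```

A miss does not rule the cipher out, since an implementation with altered constants will not match; in that case the routine has to be recognized from its structure during manual analysis.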
