Paradise ransomware has re-emerged, and the criminals behind it are trying out new tactics that could make their campaign more productive. Specifically, the campaign is back in a new format designed to deceive unsuspecting users and breach their networks with file-encrypting malware. It is a form of attack that many Windows machines may not recognize as potentially malicious.
The new version of Paradise ransomware, which has been active in many variants since 2017, spreads via phishing emails and differs from other ransomware campaigns in that it uses an unusual but effective file type to penetrate networks. The campaign uses IQY files (Internet Query files), which are text files read by Microsoft Excel to download data from the Internet. IQY is a legitimate file type, so many organizations may not block it.
Researchers at the cyber security firm Lastline have uncovered a campaign that takes advantage of this to spread Paradise ransomware to target organizations.
Attacks use IQY files because many automated defenses do not process, or cannot analyze, this file type. According to Lastline security chief Richard Henderson, speaking to ZDNet, the attackers realize that there are no strong defenses to hinder their malicious activity. The phishing emails are designed to look like business correspondence and encourage users to open the IQY attachment. If the potential victim does so, the IQY file connects to a command-and-control server run by the attackers, which in turn drops a PowerShell command used to run the ransomware on the machine or device. Once the files are encrypted, the victim is required to pay the ransom in cryptocurrency in order to regain access to the network.
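As an added example (not code from the article or from Lastline), here is a gateway-side check that parses IQY attachments and flags those that would make Excel fetch content from outside an allow-list. The plain-text layout it parses (a `WEB` line, a version line, the URL, then optional `Key=Value` parameter lines) is Excel's Web Query format; the `TRUSTED_HOSTS` set and the two sample attachments are assumptions constructed for the demonstration.

```python
"""Flag IQY (Excel Web Query) attachments that pull data from untrusted hosts.
Added example for an email-gateway or SOC triage script; not the article's code."""
import re
from urllib.parse import urlparse

# Hosts the organisation considers its own (assumed; adjust to your environment).
TRUSTED_HOSTS = {"intranet.example.com", "reports.example.com"}

# Constructed sample attachments (not real indicators from the article).
SAMPLE_PHISH = "WEB\n1\nhttp://203.0.113.10/quote.dat\n\nSelection=EntirePage\nFormatting=None\n"
SAMPLE_BENIGN = "WEB\n1\nhttps://reports.example.com/sales.csv\n\nSelection=1\n"


def parse_iqy(text: str) -> dict:
    """Parse the IQY layout: 'WEB', a version line, the URL Excel will
    request, then optional Key=Value parameter lines (blank lines ignored)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not a WEB query file")
    params = {}
    for ln in lines[3:]:
        if "=" in ln:
            key, value = ln.split("=", 1)
            params[key.strip()] = value.strip()
    return {"version": lines[1], "url": lines[2], "params": params}


def assess_iqy(text: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    try:
        query = parse_iqy(text)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    url = urlparse(query["url"])
    host = (url.hostname or "").lower()
    findings = []
    if url.scheme == "http":
        findings.append("fetches over cleartext http")
    elif url.scheme != "https":
        findings.append(f"unexpected scheme {url.scheme!r}")
    if host and host not in TRUSTED_HOSTS:
        findings.append(f"fetches from untrusted host {host}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("URL uses a bare IP address")
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, assess_iqy(sample) or "clean")
```

A production filter would quarantine or strip any attachment that produces findings rather than relying on the user to judge it.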
In an effort to understand the attack further, the researchers tried to contact the cybercriminals to negotiate access to a decryptor. They never received a response, which indicates that the current campaign may just be laying the groundwork for a new form of Paradise. Attackers often release malware that is not yet complete, wanting to see how successful the first versions of a new campaign are and how easily the malware is detected by security systems, Henderson said. He also stressed that when attackers do not respond, it means they are still working out problems and looking for better ways to make money.
Cyber security researchers have released a free decryption tool for an earlier version of Paradise, but those behind the attacks seem to be constantly finding ways to evolve their tactics. It is not yet known which cybercrime group is behind Paradise ransomware, but the researchers note that the ransomware will not install on a machine if it detects a Russian, Kazakh, Belarusian, Ukrainian or Tatar language ID.
Ransomware continues to hit organizations worldwide, with cybercriminals regularly demanding ransoms of hundreds of thousands of dollars, paid in Bitcoin.
However, one way organizations can avoid meeting the demands of cybercriminals, even if they fall victim to ransomware, is to regularly update offline backups of their systems, so that even if the worst happens there is a path to recovery. Organizations can also substantially protect themselves from ransomware and other malware by applying security updates promptly, which prevents attackers from exploiting known software vulnerabilities to breach their networks.