Paradise Ransomware (.<Original Extension>[id-<Random>].[main@paradisenewgenshinimpact.top].honkai) - Videos - CheckMAL

Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

Distribution Method : Spread by exploiting a vulnerability in the AweSun remote control program.

MD5 : 5cbbc1adfd22f852a37a791a2415c92c

Major Detection Name : Ransom:MSIL/Cryptid (Microsoft), Ransom.Paradise (Symantec)

Encrypted File Pattern : .<Original Extension>[id-<Random>].[main@paradisenewgenshinimpact.top].honkai

Malicious File Creation Location :
- C:\Program Files\DP\DecryptionInfo.auth
- C:\Users\Whoami
- C:\Users\Whoami\DP_Main.exe
- C:\Users\Whoami\id.dp
- C:\Users\%UserName%\AppData\Roaming\DP
- C:\Users\%UserName%\AppData\Roaming\DP\DP_Main.exe
- C:\Users\%UserName%\AppData\Roaming\DP\RunAsAdmin.dp
- C:\Users\%UserName%\AppData\Roaming\DP\welldone.dp
- C:\Users\%UserName%\Documents\DecryptionInfo.auth

Message File : #DECRYPT MY FILES#.html

Major Characteristics :
- Offline Encryption
- Delete VSS service (sc delete VSS)
- Performs file encryption starting from designated folders (backup, firebird, microsoft sql, mssql, mysql)