If you turned on your PC and saw a message that your files are encrypted by Paradise, then your machine is infected with a ransomware virus called Paradise. The Paradise ransomware secretly penetrates the computer and encrypts photos, documents and music stored on its disks. While encrypting, it renames your personal files so that they have the .paradise extension.
The Paradise ransomware uses very strong hybrid encryption with a large key. When the ransomware encrypts a file, it adds the .paradise extension to that file. Once the virus has finished encrypting all files, it creates a file named “#DECRYPT MY FILES#.txt” with instructions on how to decrypt all photos, documents and music.
Table of contents
- What is Paradise ransomware virus
- How to decrypt .paradise files
- How to remove Paradise ransomware virus
- Restoring files encrypted with Paradise ransomware virus
- How to prevent your PC from becoming infected by Paradise virus?
- Finish words
The ransom note encourages the victim to contact Paradise’s creators at the following email addresses (email@example.com, firstname.lastname@example.org, email@example.com) in order to decrypt all photos, documents and music. They will demand a ransom (usually $300-1000 in Bitcoins). We don’t recommend paying the ransom, as there is no guarantee that you will be able to decrypt your personal files, especially since you have a chance to recover your photos, documents and music for free using free utilities such as ShadowExplorer and PhotoRec.
Therefore it’s very important to follow the instructions below ASAP. The step by step tutorial will allow you to get rid of Paradise ransomware infection. What is more, the step by step guidance below will help you recover encrypted photos, documents and music for free.
What is Paradise ransomware
Paradise is a variant of crypto virus (malicious software which encrypts personal files and demands a ransom). It affects all current versions of Windows, such as Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. This ransomware uses very strong hybrid encryption with a large key to eliminate the possibility of brute forcing a key that would decrypt the encrypted files.
When the ransomware infects a PC, it uses system directories to store its own files. To run automatically whenever you turn on your PC, the Paradise ransomware creates a registry entry in these Windows registry sections: HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.
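To review what is registered under those keys on your own machine, the following PowerShell is an added example (not part of the original guide or of any vendor tool). It lists every value in the per-user Run and RunOnce keys, resolves the file each one launches, and reports whether that file exists and carries a valid Authenticode signature; the helper name Get-AutorunTarget and its extension list are assumptions made for illustration.

```powershell
# Added example: review the per-user autorun keys named in the text above.
$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: extract the launched file from an autorun command line.
function Get-AutorunTarget {
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    # Case 1: path wrapped in double quotes, e.g. "C:\Program Files\App\app.exe" /min
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # Case 2: unquoted path; cut at the first executable or script extension
    # (the extension list is an assumption, extend it as needed).
    if ($cmd -match '^(.+?\.(exe|com|scr|bat|cmd|vbs|js|ps1|dll))(\s|,|$)') { return $Matches[1] }
    # Fallback: first whitespace-separated token.
    return ($cmd -split '\s+')[0]
}

$report = foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        $target  = Get-AutorunTarget -Command $command
        # Bare names such as rundll32.exe are resolved through PATH by Windows;
        # they show Exists = False here and need a manual look.
        $exists = [bool]$target -and (Test-Path -LiteralPath $target -PathType Leaf)
        $file   = if ($exists) { Get-Item -LiteralPath $target -Force } else { $null }
        [pscustomobject]@{
            Key       = $key
            Name      = $name
            Command   = $command
            Target    = $target
            Exists    = $exists
            Signature = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $target).Status } else { 'n/a' }
            Created   = if ($file) { $file.CreationTime } else { $null }
        }
    }
}

# Unsigned or missing targets first; these are the entries to examine by hand.
$report | Sort-Object { $_.Signature -eq 'Valid' }, Created | Format-List
```

An entry that is unsigned and was created around the time the files were encrypted is the one to check against the scanner results in the removal steps.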
Immediately after launch, the ransomware scans all available drives, including network and cloud storage, to determine which files will be encrypted. The ransomware uses the file name extension to define the group of files that will be encrypted. Almost all types of files are encrypted, including common ones such as:
.m4a, .p7b, .map, .ibank, .hvpl, .wpt, .mdb, .sidn, .m2, .wire, .webdoc, .zdb, .1st, .wp4, .gdb, .t12, .kdc, .1, .iwd, .xbdoc, .2bp, .mdbackup, .arch00, .zip, .pef, .bik, .xxx, .xlsx, .7z, .accdb, .wp7, .psk, .menu, .w3x, .rw2, .yml, .odc, .wdb, .vdf, .slm, .apk, .zdc, .xwp, .wbmp, .png, .mpqge, .wp, .wma, .wpd, .wmv, .xlsm, .fos, .xlk, .pem, .kf, .epk, .tor, .pst, .bc7, .dazip, .erf, .indd, .sr2, .ltx, .bkf, .xmmap, .sis, .wpl, .ybk, .xpm, .xll, .rim, .wn, .zip, .wbm, .js, .wotreplay, .ai, .gho, .z3d, .mrwref, .itm, .xmind, .wpd, .cer, .wbc, .wbk, .orf, .docx, .sav, .hplg, .dxg, .lbf, .xlgc, .wm, .x3f, .rtf, .css, .pptx, .db0, .csv, .pak, .m3u, .vpk, .flv, .y, .pfx, .layout, .cr2, .xdl, .ztmp, .xml, .x3f, .py, .rar, .sie, .doc, .hkdb, .rgss3a, .wgz, .iwi, .dmp, .icxs, .odp, .lrf, .svg, .dba, .upk, .sql, .mlx, .sid, .xy3, .rb, .ws, .snx, .sb, .xar, .x3d, .ods, .xf, .nrw, .dng, .ff, .blob, .ysp, .re4, .wps, .3fr, .mov, .ptx, .xlsx, .r3d, .wma, .der, .x, .dbf, .xyp, .asset, .qdf, .tax, .xdb, .wmf, .wbd, .xls, .wot, .0, .ncf, .vpp_pc, .xlsb, .mdf, .psd, .dwg, .wps, .wpb, .jpe, .pkpass, .p7c, .bay, .pptm, .rofl, .rwl, .ppt, .wsh, .yal, .wp6, .raw, .syncdb, .zabw, .hkx, .xld, .z, .fsh, .das, .pdf, .big, .lvl, .docm, .itdb, .eps, .mp4, .wsc, .vfs0, .ntl, .mddata, .wmv, .wdp, .fpk, .odb, .3ds, .bar, .arw, .3dm, .pdd, .qic, .cfr, .wp5, .avi
Once a file is encrypted, its extension is changed to “.paradise”. Next, the virus creates a file called “#DECRYPT MY FILES#.txt”. This file contains instructions on how to decrypt all encrypted documents, photos and music. An example of the instructions is:
Your important files produced on this computer have been encrypted due a security problem[FREE DECRYPTION AS GUARANTEE]
If you want to restore them, write us to the e-mail: firstname.lastname@example.org
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
Before paying you can send to us up to 3 files for free decryption.[ATTENTION]
Please note that files must NOT contain valuable information
and their total size must be less than 1Mb
[HOW TO OBTAIN BITCOINS] The easiest way to buy bitcoin is LocalBitcoins site.
You have to register, click Buy bitcoins and select the seller by payment method and price
Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss
If you not write on e-mail in 36 hours – your key has been deleted and you cant decrypt your files
The Paradise ransomware actively uses scare tactics by giving the victim a brief description of the encryption algorithm and showing a ransom message on the desktop. It tries to pressure the user of the infected PC into paying the ransom without hesitation in an attempt to recover their photos, documents and music.
How to decrypt .paradise files
Currently there is no available solution to decrypt .paradise files, but you have a chance to restore encrypted photos, documents and music for free. The Paradise ransomware repeatedly tells the victim that it uses a strong encryption algorithm. This means that decrypting the files is impossible without the private key. Brute forcing is not an option either because of the length of the key. Therefore, unfortunately, paying the authors of the Paradise ransomware the entire amount requested is the only way to try to get the decryption key and decrypt all your files.
There is absolutely no guarantee that after you pay a ransom to the authors of the Paradise ransomware, they will provide the key needed to decrypt your files. In addition, you must understand that by paying money to the cyber criminals, you are encouraging them to create new ransomware.
How to remove Paradise ransomware virus
Even if you have an up-to-date classic antivirus installed, and you’ve checked your PC for ransomware and removed anything found, you still need to follow the guidance below. Removing the Paradise virus is not as simple as installing another antivirus. Classic antivirus programs are not designed to run together and will conflict with each other, or possibly crash Microsoft Windows. Instead we suggest you complete the steps below and run Zemana Anti-malware, Malwarebytes or Kaspersky Virus Removal Tool, which are free applications dedicated to detecting and removing malicious software like the Paradise ransomware. Use these tools to ensure the ransomware infection is removed.
Remove Paradise ransomware with Zemana Anti-malware
We advise using Zemana Anti-malware. You can download and install Zemana Anti-malware to scan for and delete Paradise from your PC. Once installed and updated, the malware remover will automatically scan for and detect all threats that exist on the computer.
Download Zemana anti malware from the following link and save it to your Desktop.
When the downloading process is finished, close all windows on your computer. Further, run the file named Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up like below, click the “Yes” button.
It will open the “Setup wizard” that will help you install Zemana anti-malware on the PC. Follow the prompts and do not make any changes to default settings.
Once the installation has finished successfully, Zemana Anti-malware will start automatically and you will see its main window like below.
Next, press the “Scan” button. This will begin scanning the whole system for the Paradise ransomware and other trojans and malicious software. This process can take some time, so please be patient. When malicious software, ad-supported software or PUPs are found, the number of security threats will change accordingly. Wait until the scan is finished.
When it has completed scanning your personal computer, it’ll show a screen that contains a list of malicious software that has been found. In order to remove all threats, simply click “Next” button.
The Zemana anti-malware will begin removing Paradise ransomware virus and other security threats. Once disinfection is complete, you may be prompted to restart your PC system.
How to delete Paradise virus with Malwarebytes
You can delete the Paradise virus automatically with the help of Malwarebytes Free. We recommend this free malware removal utility because it can easily remove ransomware, ad-supported software, PUPs and toolbars with all their components such as files, folders and registry entries.
Download Malwarebytes by clicking on the link below and save it directly to your MS Windows Desktop.
Once the download is finished, close all applications and windows on your system. Open the directory in which you saved it. Double-click the icon named mb3-setup as displayed on the screen below.
When the setup starts, you will see the “Setup wizard” that will help you install Malwarebytes on your system.
Once installation is done, you will see a window like below.
Now press the “Scan Now” button to perform a system scan for the Paradise ransomware and other trojans and malicious programs. A system scan can take anywhere from 5 to 30 minutes, depending on your personal computer. While the tool is checking, you can see how many objects and files have already been scanned.
When it completes the scan, it will display the results. Make sure all malicious entries are ‘selected’ and press the “Quarantine Selected” button.
The Malwarebytes will start removing Paradise ransomware virus related files, folders, registry keys. Once disinfection is done, you may be prompted to reboot your PC system.
Remove Paradise ransomware with KVRT
The KVRT utility is free and easy to use. It can scan for and delete ransomware like the Paradise virus, malware, potentially unwanted software and ad-supported software in the Chrome, Microsoft Internet Explorer, Firefox and Microsoft Edge web browsers and thereby revert them to their default settings (new tab, start page and default search provider). KVRT is powerful enough to find and delete malicious registry entries and files that are hidden on the computer.
Download Kaspersky virus removal tool (KVRT) from the link below. Save it on your MS Windows desktop.
After the download is finished, double-click the KVRT icon. Once the initialization procedure is done, you’ll see the KVRT screen as displayed in the following example.
Click Change Parameters and set a check next to all your drives. Press OK to close the Parameters window. Next, click the Start scan button to begin checking your computer for the Paradise ransomware. Depending on your computer, the scan may take anywhere from a few minutes to close to an hour. When malware, ad-supported software or potentially unwanted programs are found, the number of security threats will change accordingly.
After it completes the scan, it’ll open a scan report as displayed on the screen below.
Next, you need to press on Continue to start a cleaning task.
Restoring files encrypted by Paradise ransomware virus
In some cases, you can recover files encrypted by the Paradise ransomware. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted files.
Run ShadowExplorer to recover .paradise files
If automated backup (System Restore) is enabled, then you can use it to recover all encrypted files to previous versions.
Download ShadowExplorer from the link below. Save it on your Desktop. This tool is available for Windows Vista, Windows 7, Windows 8 and Windows 10.
After the download is finished, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and choose Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as on the image below.
Launch ShadowExplorerPortable. You will see a window as on the image below.
From the first drop-down list you can select the drive which contains encrypted files; from the second drop-down list you can choose the date that you wish to recover from. 1 – drive, 2 – restore point, as displayed on the screen below.
Right-click an entire folder or any one encrypted file and choose Export, like below.
It will show a dialog box asking where you’d like to recover the file or the contents of the folder to.
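Before choosing a restore point in ShadowExplorer, it helps to know which shadow copies exist and which of them predate the encryption. The following PowerShell is an added example, not part of the original guide or of ShadowExplorer; it assumes PowerShell 3.0 or later and an elevated prompt, and the search root $Root and the use of the oldest marker file's write time as the start of encryption are assumptions.

```powershell
# Added example; run in an elevated PowerShell window.
$Root = $env:USERPROFILE   # assumption: folder tree that holds the encrypted files

# Markers described in the article: files renamed to .paradise and the ransom note.
$marks = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.paradise' -or $_.Name -eq '#DECRYPT MY FILES#.txt' }

# Assumption: the oldest marker's write time approximates when encryption began.
$firstHit = $marks | Sort-Object LastWriteTime |
    Select-Object -First 1 -ExpandProperty LastWriteTime

"Encrypted files / ransom notes found under ${Root}: $(@($marks).Count)"
if ($firstHit) { "Earliest marker written: $firstHit" }

# Folders with the most encrypted files, to decide what to export first.
$marks | Where-Object Extension -eq '.paradise' |
    Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# Shadow copies known to the Volume Shadow Copy Service (needs administrator rights).
$copies = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop |
    Sort-Object InstallDate)
if ($copies.Count -eq 0) {
    'No shadow copies exist on this machine; ShadowExplorer will have nothing to show.'
} else {
    $copies | Select-Object ID, VolumeName, InstallDate,
        @{ Name = 'PredatesEncryption'
           Expression = { $firstHit -and ($_.InstallDate -lt $firstHit) } } |
        Format-Table -AutoSize
}
```

Rows marked True in the PredatesEncryption column correspond to the dates to pick in ShadowExplorer's second drop-down list.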
Use PhotoRec to restore .paradise files
Before a file is encrypted, the Paradise ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your personal files using file restore software such as PhotoRec.
Download PhotoRec on your Microsoft Windows Desktop by clicking on the following link.
Once the download is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder like below.
Double-click qphotorec_win to run PhotoRec for Microsoft Windows. It will show a screen as on the image below.
Choose a drive to recover as shown in the figure below.
You will see a list of available partitions. Choose a partition that holds encrypted photos, documents and music as displayed below.
Click the File Formats button and choose the file types to recover. You can enable or disable the recovery of certain file types. When this is done, click the OK button.
Next, click the Browse button to select where restored documents, photos and music should be written, then click Search.
The count of recovered files is updated in real time. All recovered documents, photos and music are written to the folder that you chose in the previous step. You can access the files even if the recovery process is not finished.
When the restore is done, click the Quit button. Next, open the directory where the recovered documents, photos and music are stored. You will see its contents as displayed in the figure below.
All recovered files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, you can sort your recovered files by extension and/or date/time.
How to prevent your system from becoming infected by Paradise ransomware virus?
Most antivirus software already has built-in protection against ransomware infection. Therefore, if your machine does not have an antivirus program, make sure you install one. As extra protection, use CryptoPrevent.
Use CryptoPrevent to protect your machine from Paradise virus
Download CryptoPrevent on your MS Windows Desktop by clicking on the following link.
Run it and follow the setup wizard. Once the install is done, you’ll be shown a window where you can choose a level of protection, as shown in the figure below.
Now click the Apply button to activate the protection.
Once you’ve completed the tutorial shown above, your machine should be clean of Paradise ransomware and other malware. Your PC will no longer encrypt your photos, documents and music. Unfortunately, if the step-by-step instructions do not help you, then you have caught a new variant of the virus, and the best way forward is to ask for help.
- Download HijackThis from the link below and save it to your Desktop.
- Double-click the HijackThis icon. Next, click the “Do a system scan only” button.
- Once the checking is complete, the scan button will read “Save log”, click it. Save this log to your desktop.
- Create a Myantispyware account here. Once you’ve registered, check your e-mail for a confirmation link, and confirm your account. After that, login.
- Copy and paste the contents of the HijackThis log into your post. If you are posting for the first time, please start a new thread by using the “New Topic” button in the Spyware Removal forum. When posting your HJT log, try to give us some details about your problems, so we can try to help you more accurately.
- Wait for one of our trained “Security Team” or Site Administrator to provide you with knowledgeable assistance tailored to your problem with the Paradise ransomware virus.