Malware analysis

Paradise malware: What it is, how it works and how to prevent it | Malware spotlight

Greg Belding
June 10, 2020 by
Greg Belding


Meet Paradise, a malware that has been lurking in the wild since 2017. While it may not be a vacation in a tropical locale, it certainly can be a nightmare for users afflicted by it. 

This article will detail the Paradise malware. We’ll explore what Paradise is, how it works and how you can avoid falling victim to this little-known malware.

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

What is Paradise?

First reported by an affected user in the BleepingComputer forums, Paradise is a type of ransomware whose recent variants use phishing emails with malicious IQY file attachments to gain a foothold on a system. This recent variant presents us with a new step in Paradise ransomware that makes it stand out from other ransomware and will be the focus of this article. 

If a user ends up downloading this IQY file, Paradise performs different actions typical to ransomware, such as encryption of files. It also drops a ransom note informing the user that the files have been encrypted by the Paradise ransomware and how to get these files decrypted in exchange for payment in Bitcoin. It is not clear from the ransom note how many Bitcoins are required for the user to have their files decrypted, but it does provide instructions for how they can go about purchasing Bitcoins and a Paradise contact email. 

Note: We include these details only for education. We do not endorse making ransomware payments or working with the criminals behind the attack.

What makes Paradise hard to ignore after it has attached itself to a computer is that it targets important productivity files: documents, videos and images with extensions including .doc, .docx, .pdf and .xls. This ransomware is a threat for all Windows versions from Windows 7 to Windows 10.

How does Paradise work?

Paradise uses spam phishing emails to initially contact the users that it has targeted. This email will have an IQY attachment. What really sets Paradise apart from other ransomware families is that it is the first to use this file type, which has never attracted much attention from the information security world before. 

IQY is not a commonly-used file type during phishing campaigns. It is an interesting choice, as it contains only URLs and not payloads. It can be leveraged to download commands in the form of Excel formulas that can use PowerShell, cmd and other LolBins (Living off-the-land Binaries) to abuse system processes. 

The fact that IQY files use URLs makes it harder for cybersecurity teams to deal with this threat, as they may have to use a third-party URL reputation web service to effectively respond to it. Aside from being the initial attack vector, Paradise can also use the IQY to perform other attack actions in furtherance of the attack campaign.

As mentioned earlier, the initial Paradise infection comes as a result of a spam phishing email where the user has downloaded that IQY file. Once this happens, Paradise unpacks itself with self-injection to a new location in the compromised computer’s memory and replaces an executable with the unpackaged ransomware. Paradise then attempts to disable Windows Defender by changing the registry value of DisableAntiSpyware.

Paradise then searches for processes that contain specific strings and attempts to kill them. This is a typical ransomware action because it frees the handles from important files so they can be encrypted. It then uses the leveraged power of the Salsa20 crypto routine algorithm to encrypt important files — which highlights another evasion capability of Paradise. As the URLs are built into the source code and not dependent on relying upon a crypto library to call functions, this makes it harder for cybersecurity teams to detect it.

Once important files are encrypted, Paradise drops a ransom note into the folder containing the encrypted files. The ransom note is normally named ---==%$$$OPEN_ME_UP$$$==---.txt. This is another departure from the typical ransomware standard operating procedure, which normally drops a note on the compromised computer’s desktop.

How to prevent Paradise

Paradise is not well known, even by conventional cybersecurity team standards, and as such takes a little understanding to prevent it. IQY files are not filtered by security tools because they have legitimate business uses, which frustrates prevention to a degree. URL reputation services can help security teams get around this challenge, as the IQY is typically loaded with malicious URLs.

Aside from organization security teams recalibrating their approach to ransomware to better handle the Paradise threat, there are different Paradise removal tools available online, they are effective only against certain variants. While these tools can help you remove the threat, it is far better to never become infected in the first place.

The best way to prevent Paradise is to arm organization users with solid cybersecurity training that can fairly easily stop Paradise from gaining a foothold into your organization’s network and computers. The same approach to spam phishing emails covered in your training will go the distance in prevention of Paradise.


Paradise can encrypt important files and demands ransom from impacted users in Bitcoin. What distinguishes it from other malware (aside from the ironic name) is the use of IQY files to infect computers: since this file has legitimate business uses, it is not filtered out by email security tools. 

The good thing is that following standard email security guidelines from nearly all cybersecurity training programs can prevent Paradise from making your day a trip from hell.



  1. Paradise Ransomware Uses IQY Attachments to Stay Hidden, Infosecurity Magazine
  2. Variant of Paradise Ransomware Targets Office IQY Files, Threatpost
  3. How to remove Paradise Ransomware (Virus Removal Guide), MalwareTips
  4. Spam Campaign Leverages IQY Files to Distribute Paradise Ransomware, Tripwire
Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.