Paradise Ransomware Using Internet Query Files To Deliver Payload

By Chris Forte | March 25, 2020 | May 9th, 2022 | Cybersecurity

The Paradise ransomware is like a bad penny; it just keeps turning up.

The strain first appeared back in 2017, when it was spread far and wide via phishing emails. Then it seemed to fall out of favor for a while, and now, it’s back again. Even worse, it’s back with a new trick up its virtual sleeves. In its latest incarnation, it’s still being spread via phishing emails.

Now, its controllers are leveraging IQY (Internet Query) files, which are plain text files that Microsoft Excel reads in order to pull data from the internet. Because IQY is a completely legitimate file extension, most organizations don’t even think to block it.
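To make the IQY format concrete from a defender's side, here is an added example (not code from the original post or from Lastline) of a small attachment check a mail gateway or script could run: it parses the text layout of a WEB-type IQY file (a "WEB" header line, a version line, the URL Excel will fetch, then optional Name=Value settings) and flags files that point outside an assumed allowlist of internal hosts. The two sample files and the allowlist are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosts an organisation expects its own Excel web queries to talk to (assumed allowlist).
ALLOWED_HOSTS = {"intranet.example.com"}

# Constructed sample of a legitimate IQY file: "WEB" header, version line, then the URL.
BENIGN_IQY = "WEB\n1\nhttps://intranet.example.com/reports/sales.csv\n"

# Constructed sample of the pattern described above: an IQY pulling from an outside host.
SUSPICIOUS_IQY = "WEB\n1\nhttp://203.0.113.10/update/index.php\n\nSelection=EntirePage\n"


def parse_iqy(text):
    """Return (kind, url, params) from IQY text, or raise ValueError if it is not a WEB query."""
    lines = [line.strip() for line in text.splitlines()]
    lines = [line for line in lines if line]  # drop blank separator lines
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not a WEB query file")
    url = lines[2]
    # Remaining lines are optional Name=Value settings such as Selection=EntirePage.
    params = dict(line.split("=", 1) for line in lines[3:] if "=" in line)
    return lines[0], url, params


def assess_iqy(text, allowed_hosts=ALLOWED_HOSTS):
    """Classify an IQY attachment as 'allow', 'block' or 'invalid', with the reasons."""
    try:
        _kind, url, _params = parse_iqy(text)
    except ValueError:
        return "invalid", []
    reasons = []
    host = (urlparse(url).hostname or "").lower()
    if host not in allowed_hosts:
        reasons.append(f"external host: {host}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("bare IP address")
    if url.lower().startswith("http://"):
        reasons.append("cleartext http")
    return ("block" if reasons else "allow"), reasons


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_IQY), ("suspicious", SUSPICIOUS_IQY)):
        print(name, assess_iqy(sample))
```

The same parser can feed a detection rule: any IQY attachment whose URL host is not on the allowlist is worth quarantining for review, since the file itself carries no payload and is harmless to inspect as text.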

The researchers at Lastline who discovered the latest campaign had this to say about it:

“We’re seeing attacks using IQY files because many commodity security products and automated systems do not, or cannot, parse these file types. Attackers realize they have a very good chance of making it past rudimentary defenses.”

The approach seems to be working, as Paradise’s phishing emails are being opened by unsuspecting users at an alarming rate. Of interest, the researchers found evidence in the code that this strain is still a work in progress. Consider this latest campaign to be a beta test for the redesigned code.

Lastline’s researchers had something to say about that as well:

“Malware authors will often deploy malware that isn’t quite ready for prime time yet – they want to see how successful early versions of a new campaign are and how detectable their malware is against security products.”

As is the case with most ransomware, this one is designed to sniff out high-value files, exfiltrate them to a command and control server, then encrypt everything and demand a ransom. As such, it has to be regarded as a genuine threat and is certainly one to keep a watchful eye out for.

Chris Forte

Chris Forte, President and CEO of Olmec Systems, has been in the MSP workspace for the past 25 years. Chris earned his Master’s Degree from West Virginia University, graduating Magna Cum Laude. He was a past member of the Entrepreneurs’ Organization, a current member of the New Jersey Power Partners and Executive Association of New Jersey, where he has previously served on its board of directors. In his spare time, Chris enjoys traveling with his family. He also admits to being a struggling golfer and avid watcher of college football and basketball. He currently lives in Boonton Township, NJ with his wife, two daughters, son, and black lab Luna.