
Worm Paradise Ransomware - How to remove

By Urte

The Paradise ransomware infection, first noticed around 2017, has recently emerged with a few new versions. It attacks computers over RDP and might try to steal banking credentials on top of corrupting all user files. Worm is a file-encrypting virus, a version of Paradise that marks encrypted files with the “.worm” extension. None of the versions have a free decryption option yet.

[id-[random]].[[email protected]].worm – that’s the suffix added to the names of the locked files, after the old file type extension. The random part is unique for each victim.

The Worm virus introduces itself in an html file called $%~-#_ABOUT_YOUR_FILES_#$=$$.html which is put in multiple folders. This file is similar to all the Dharma, Phobos, and DCRTR-WDM notes but with its own unique color scheme. We’ve already written about Junior and 2k19cry, which are also versions of Paradise and also use a similar type of ransom note. Other Paradise ransomware uses text files to deliver the message.
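As an added example (not part of the original article), the following Python script shows how an incident responder could scope an infection from a plain file listing using the file-name pattern and the ransom-note name described above: it counts encrypted files, groups them by their original extension, collects the victim id and contact address embedded in the names, lists the folders holding ransom notes, and maps each encrypted path back to its pre-encryption path so the right files can be pulled from a backup. The exact file-name layout, the victim id A1B2C3D4, the address contact@example.invalid and the sample paths are assumptions constructed for the example; the ransom-note name is the one given in the article.

```python
import re
from collections import Counter

# Assumed file-name layout, following the article's description:
#   <original name>.<ext>.id-<random>.[<email>].worm
# The brackets around the id part are made optional, because the article's
# notation "[id-[random]]" does not say whether they appear literally.
WORM_NAME_RE = re.compile(
    r"^(?P<original>.+?)\.\[?id-(?P<victim_id>[A-Za-z0-9]+)\]?"
    r"\.\[(?P<email>[^\]]+)\]\.worm$",
    re.IGNORECASE,
)

# Ransom-note file name as given in the article.
NOTE_NAME = "$%~-#_ABOUT_YOUR_FILES_#$=$$.html"

# Constructed sample listing; the id and e-mail are placeholders, not real IoCs.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.id-A1B2C3D4.[contact@example.invalid].worm",
    r"C:\Users\alice\Documents\$%~-#_ABOUT_YOUR_FILES_#$=$$.html",
    r"C:\Users\alice\Pictures\holiday.jpg.id-A1B2C3D4.[contact@example.invalid].worm",
    r"C:\Users\alice\Pictures\$%~-#_ABOUT_YOUR_FILES_#$=$$.html",
    r"D:\shares\finance\report.docx.id-A1B2C3D4.[contact@example.invalid].worm",
    r"C:\Windows\System32\notepad.exe",   # untouched system file
    r"C:\Users\alice\Desktop\notes.txt",  # untouched user file
]


def split_path(path):
    """Return (directory, file name); accepts Windows or POSIX separators."""
    name = re.split(r"[\\/]", path)[-1]
    directory = path[: len(path) - len(name)].rstrip("\\/")
    return directory, name


def parse_worm_name(filename):
    """Parse an encrypted file's name into its original name, original extension,
    victim id and contact e-mail; return None if the name does not match."""
    m = WORM_NAME_RE.match(filename)
    if not m:
        return None
    original = m.group("original")
    ext = original.rsplit(".", 1)[-1].lower() if "." in original else ""
    return {
        "original": original,
        "ext": ext,
        "victim_id": m.group("victim_id"),
        "email": m.group("email"),
    }


def original_path(path):
    """Map an encrypted file's path back to the path it had before encryption
    (the path to fetch from a backup); None if the file is not encrypted."""
    _, name = split_path(path)
    info = parse_worm_name(name)
    if info is None:
        return None
    return path[: len(path) - len(name)] + info["original"]


def triage(paths):
    """Summarise the scope of an infection from a list of file paths."""
    encrypted, note_dirs = [], set()
    for path in paths:
        directory, name = split_path(path)
        if name == NOTE_NAME:
            note_dirs.add(directory)
            continue
        info = parse_worm_name(name)
        if info:
            info["path"] = path
            encrypted.append(info)
    return {
        "encrypted_count": len(encrypted),
        "by_extension": dict(Counter(e["ext"] for e in encrypted)),
        "victim_ids": sorted({e["victim_id"] for e in encrypted}),
        "emails": sorted({e["email"] for e in encrypted}),
        "note_dirs": sorted(note_dirs),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_PATHS)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("restore from backup:", original_path(SAMPLE_PATHS[0]))
```

Because the victim id is unique per victim, more than one id in a single listing is worth noting: it usually means files from several infected hosts have been copied to the same share.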

In its note, Worm presents the email address [email protected] for victims to contact to learn how to send the criminals money. The money is usually paid in Bitcoin – a currency that might have enabled the current rise and reign of ransomware as one of the biggest threats to businesses and institutions. Worm also offers to decrypt three files for free. Keep in mind that even if the criminals show that they can decrypt the files, they have no obligation to help you even if you pay, so be careful.

Worm from Paradise ransomware is a dangerous file-locking virus:

Worm symptoms
  • Files have a new suffix to their names that ends with “.worm”
  • Those files can’t be opened even if the suffix is removed
  • The antivirus program that was installed might not function
  • A ransom note placed in multiple folders presents the attackers as Paradise
  • Every time the computer is turned on, new files are encrypted
Distribution
  • RDP
  • Malicious emails
Get rid of Worm
  • Delete the ransomware
  • Remove malware using antivirus tools like SpyHunter
  • Change important passwords
Restore the files
  • Restore the lost files from a backup
  • Save the locked files for a future decryption solution
  • Recover lost files using system restore or data recovery

How Worm spreads

It’s suspected that Paradise uses the RaaS (ransomware-as-a-service) model for spreading. This means that distributors are separate from the developers and use their own imagination to push this virus to victims. This isn’t the only ransomware to use this type of distribution – the infamous GandCrab also involved independent distributors (at least, until the developers were arrested).

One of the most common ways that Paradise viruses have infected victims so far is Remote Desktop attacks. If RDP is reachable without a VPN and all connection attempts are allowed, criminals will try to connect sooner or later. After the password of the administrator account is brute-forced, Worm can get inside, break the antivirus program, reach other storage on the same network, and even try to break password protection there. Some data, like saved banking credentials and payment information, might be stolen during this process.
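To make the RDP brute-force stage concrete from the defender’s side, here is an added Python example (not from the article) that runs a simple threshold detection over constructed Windows logon events: repeated failed RDP logons (event 4625, logon type 10) from one source inside a time window, followed by a successful logon (event 4624) from the same source, which is the sequence that precedes the intrusion described above. The flat key=value log format, the addresses (RFC 5737 documentation ranges) and the account names are constructed for the example; the event ids and logon type are the standard Windows values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real Windows logs), one per line:
# 4625 = failed logon, 4624 = successful logon, logon_type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2024-05-01T02:00:01 event_id=4625 logon_type=10 account=administrator src=203.0.113.7
2024-05-01T02:00:03 event_id=4625 logon_type=10 account=administrator src=203.0.113.7
2024-05-01T02:00:05 event_id=4625 logon_type=10 account=administrator src=203.0.113.7
2024-05-01T02:00:08 event_id=4625 logon_type=10 account=admin src=203.0.113.7
2024-05-01T02:00:11 event_id=4625 logon_type=10 account=administrator src=203.0.113.7
2024-05-01T02:00:14 event_id=4625 logon_type=10 account=administrator src=203.0.113.7
2024-05-01T02:01:30 event_id=4624 logon_type=10 account=administrator src=203.0.113.7
2024-05-01T08:15:00 event_id=4625 logon_type=10 account=bob src=198.51.100.4
2024-05-01T08:15:20 event_id=4624 logon_type=10 account=bob src=198.51.100.4
2024-05-01T09:00:00 event_id=4624 logon_type=10 account=carol src=192.0.2.10
"""

FAIL_THRESHOLD = 5            # failed RDP logons from one source ...
WINDOW = timedelta(minutes=10)  # ... inside this sliding window


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.fromisoformat(ts)
    return event


def detect_rdp_brute_force(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts for sources that exceed `threshold` failed RDP logons within
    `window`, and for any later RDP success from such a flagged source."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["time"],
    )
    for ev in events:
        if ev.get("logon_type") != "10":      # only RDP logons matter here
            continue
        src = ev["src"]
        if ev["event_id"] == "4625":
            q = failures[src]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "rdp_brute_force", "src": src,
                               "failures": len(q), "time": ev["time"]})
        elif ev["event_id"] == "4624" and src in flagged:
            # A success after a burst of failures is the high-priority signal.
            alerts.append({"type": "rdp_success_after_brute_force", "src": src,
                           "account": ev["account"], "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_brute_force(SAMPLE_LOG):
        print(alert)
```

The single failed logon from 198.51.100.4 followed by a success is the ordinary mistyped-password case and produces nothing; only the burst from 203.0.113.7 and the success that follows it are reported.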

There is also a chance that Worm spreads using malicious download links and downloaders in infected files. These can be distributed in email spam or even in social media. Whether your email address was leaked or discovered by criminals, an intriguing email letter about a mysterious invoice or bill might be carrying an infection. Targeted malicious emails might also be used – criminals might craft emails to fit their target, a technique known as spear phishing.

What is unlikely is that Worm uses pirating to spread. This way is effective at infecting many individual PC users, but it’s not used for bigger targets, like businesses and organizations.

[Image: the Paradise ransom note]

Deleting Worm and restoring the files

Back when Paradise first showed up, it was remarkable for how slow it was, because it used asymmetric encryption – a safe but very slow process. While most modern ransomware is too fast to catch in action, taking only a few minutes to ruin hundreds of gigabytes, it might be possible to catch Worm locking your files and either stop the malicious process and remove it from AppData/Roaming or another folder where it was saved, or turn off all the infected computers so that no more files can be touched.

Worm encrypts user files but leaves alone Windows and browser data. It also deletes shadow copies so that previous versions of the encrypted files can’t be restored.
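Deleting shadow copies is one of the few loud things ransomware does before or while encrypting, and process-creation logging (Windows event 4688 with command-line auditing, or Sysmon event 1) records it. The following added Python example (not from the article) matches constructed process-creation events against the Windows built-in utilities commonly used to remove recovery data, and groups hits by parent process, since several such commands from one unexpected parent in quick succession is the typical ransomware signature. The parent path under AppData\Roaming and the executable name svchosts.exe are hypothetical; the sample events are constructed.

```python
import re
from collections import defaultdict

# Detection rules: (name, pattern applied to the full command line). The commands
# are standard Windows utilities and their documented arguments; benign uses
# (listing shadows, starting a backup) are deliberately not matched.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("powershell_win32_shadowcopy_delete",
     re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b", re.I)),
]

# Constructed process-creation events (not real logs). The parent under
# AppData\Roaming and the name svchosts.exe are hypothetical.
SUSPECT_PARENT = r"C:\Users\administrator\AppData\Roaming\svchosts.exe"
SAMPLE_EVENTS = [
    {"time": "2024-05-01T02:05:10", "user": r"WS01\administrator", "parent": SUSPECT_PARENT,
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2024-05-01T02:05:11", "user": r"WS01\administrator", "parent": SUSPECT_PARENT,
     "cmd": "wmic shadowcopy delete"},
    {"time": "2024-05-01T02:05:12", "user": r"WS01\administrator", "parent": SUSPECT_PARENT,
     "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"time": "2024-05-01T02:05:13", "user": r"WS01\administrator", "parent": SUSPECT_PARENT,
     "cmd": 'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    {"time": "2024-05-01T10:30:00", "user": r"WS01\alice", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "vssadmin list shadows"},                       # benign: read-only
    {"time": "2024-05-01T23:00:00", "user": "NT AUTHORITY\\SYSTEM", "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": "wbadmin start backup -backupTarget:E: -include:C:"},  # benign: a backup job
]


def scan_process_events(events, rules=RULES):
    """Return one finding per event whose command line matches a rule."""
    findings = []
    for ev in events:
        for name, pattern in rules:
            if pattern.search(ev["cmd"]):
                findings.append({"rule": name, "time": ev["time"], "user": ev["user"],
                                 "parent": ev["parent"], "cmd": ev["cmd"]})
                break  # first matching rule is enough for one event
    return findings


def group_by_parent(findings):
    """Map parent process -> list of rule names it triggered, in event order."""
    by_parent = defaultdict(list)
    for f in findings:
        by_parent[f["parent"]].append(f["rule"])
    return dict(by_parent)


if __name__ == "__main__":
    hits = scan_process_events(SAMPLE_EVENTS)
    for parent, rules in group_by_parent(hits).items():
        print(f"{parent}: {len(rules)} recovery-destroying commands -> {rules}")
```

A single `vssadmin delete shadows` from an administrator’s interactive shell can be legitimate housekeeping; the same command launched from an executable in a user profile directory, immediately followed by `wmic shadowcopy delete` and a `bcdedit` change, is not, which is why the grouping by parent matters more than any one rule.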

To remove the Worm ransomware, any competent antivirus tool (like SpyHunter) can be used, as long as it has the newest updates installed. Most reputable security programs detect this ransomware.

As for restoring the files, there’s no free option at the moment. It’s best to just restore from backups. But there’s always a chance that the files can be decrypted at some point in the future, so you might want to keep those locked files and, occasionally, check nomoreransom.org (a site for archiving decryption tools) for a paradise decryptor.

Automatic Malware removal tools

Download SpyHunter for malware detection (Windows).

Note: the SpyHunter trial provides detection of parasites and assists in their removal for free; a limited trial is available.

Download Combo Cleaner for malware detection (Mac).

Note: the Combo Cleaner trial provides detection of parasites and assists in their removal for free; a limited trial is available.


How to recover Worm Paradise Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
 

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that are available from before Worm Paradise Ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.
 

Step 2. Complete removal of Worm Paradise Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like SpyHunter, and remove all malicious files related to Worm Paradise Ransomware. You can check other tools here.

Step 3. Restore Worm Paradise Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Worm Paradise Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers; however, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions. Right-click on an encrypted file and select Properties → Previous Versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer. It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Worm Paradise Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
