Cukiesi, a Paradise ransomware variant, demands over $50k for file retrieval

February 5, 2021

The SonicWall Capture Labs threat research team has observed reports of a variant of Paradise ransomware called Cukiesi. This ransomware family has been around since early 2018 and is reported to have originated from Russia. The ransom demand is steep at 1.5 BTC ($55k at the time of writing this alert), and it is speculated that the campaign is aimed at large organisations rather than the average home PC user.

Infection Cycle:

Upon infection, files on the system are encrypted and have a “_cU_{<6 alphanumeric char>}Cukiesi” extension appended to their filenames:

nooode.txt is dropped into every directory in which files were encrypted. It contains the following ransom message:
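
The two file-system indicators above (the appended extension and the nooode.txt note) are enough for a simple post-incident sweep. The script below is an added example, not SonicWall's code: it walks a directory tree, reports files whose names end in the Cukiesi extension pattern and directories that contain the ransom note, and builds a constructed sample tree so it can be run offline. It assumes the braces in the extension are literal characters and that the six-character id is drawn from `[A-Za-z0-9]`; the sample filenames and ids are constructed for the demo.

```python
"""Sweep a directory tree for the Cukiesi indicators described in the alert.

Added example (not SonicWall's code). Assumptions: the braces in the
extension are literal and the 6-character id is [A-Za-z0-9].
"""
import os
import re
import tempfile
from pathlib import Path

# Encrypted files carry "<original name>_cU_{<6 alphanumeric>}Cukiesi".
CUKIESI_EXT = re.compile(r"_cU_\{[A-Za-z0-9]{6}\}Cukiesi$")
# Ransom note dropped into every directory where files were encrypted.
RANSOM_NOTE = "nooode.txt"


def is_cukiesi_encrypted(filename: str) -> bool:
    """True if the filename ends with the Cukiesi extension pattern."""
    return CUKIESI_EXT.search(filename) is not None


def scan_tree(root):
    """Walk `root` and return (encrypted_files, note_dirs).

    Both are sorted lists of POSIX-style paths relative to `root`, so the
    result is stable regardless of where the tree lives.
    """
    root = Path(root)
    encrypted, note_dirs = [], []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for name in files:
            if name == RANSOM_NOTE:
                note_dirs.append(rel_dir.as_posix())
            elif is_cukiesi_encrypted(name):
                encrypted.append((rel_dir / name).as_posix())
    return sorted(encrypted), sorted(note_dirs)


def build_sample_tree():
    """Create a constructed sample tree mimicking an infection; returns its path.

    Ids like aB3x9Q are made up for the demo. The 'clean' directory holds an
    untouched file plus a near-miss name with an 8-character id, which must
    NOT match the 6-character pattern.
    """
    tmp = tempfile.mkdtemp(prefix="cukiesi_demo_")
    sample = {
        "docs/report.docx_cU_{aB3x9Q}Cukiesi": b"",
        "docs/nooode.txt": b"constructed ransom note placeholder",
        "docs/notes.txt": b"untouched file",
        "pics/holiday.jpg_cU_{Zz1Yy2}Cukiesi": b"",
        "pics/nooode.txt": b"constructed ransom note placeholder",
        "clean/readme.md": b"no note in this directory",
        "clean/near_miss_cU_{TOOLONG1}Cukiesi": b"",
    }
    for rel, data in sample.items():
        path = Path(tmp) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return tmp


if __name__ == "__main__":
    demo_root = build_sample_tree()
    encrypted_files, dirs_with_note = scan_tree(demo_root)
    print(f"scanned {demo_root}")
    print(f"{len(encrypted_files)} encrypted file(s):")
    for f in encrypted_files:
        print("  " + f)
    print(f"{len(dirs_with_note)} director(y/ies) containing {RANSOM_NOTE}:")
    for d in dirs_with_note:
        print("  " + d)
```

Run it against a real mount point by calling `scan_tree("/path/to/share")` instead of the demo tree; an empty result for both lists is the expected outcome on a clean host, while a non-empty `note_dirs` list is the quicker signal of the two, since the note lands in every affected directory even when only a few files there were encrypted.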

We reached out to the email addresses provided in the ransom note and had the following conversation with the operator:

The protonmail address had been deactivated, but we received a response from the tutanota.com email address:

The ransom amount appears to be negotiable, but at the time of writing this alert our attempt to negotiate it down had not succeeded:

We are still awaiting a reply.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Cukiesi.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.