{"Event":{"info":"OSINT - New Paradise Ransomware variant","Tag":[{"colour":"#ffffff","exportable":true,"name":"tlp:white"},{"colour":"#2c4f00","exportable":true,"name":"malware_classification:malware-category=\"Ransomware\""},{"colour":"#366c00","exportable":true,"name":"circl:incident-classification=\"malware\""},{"colour":"#002642","exportable":true,"name":"osint:source-type=\"microblog-post\""},{"colour":"#0088cc","exportable":true,"name":"misp-galaxy:ransomware=\"Paradise Ransomware\""}],"publish_timestamp":"0","timestamp":"1540563773","Object":[{"comment":"","template_uuid":"8ec8c911-ddbe-4f5b-895b-fbff70c42a60","uuid":"5b27b1f9-8cf8-4ae9-9317-ee9f950d210f","sharing_group_id":"0","timestamp":"1529328121","description":"Microblog post like a Twitter tweet or a post on a Facebook wall.","template_version":"4","Attribute":[{"comment":"","category":"Other","uuid":"5b27b1f9-8978-422d-b610-ee9f950d210f","timestamp":"1529328121","to_ids":false,"value":"The new Paradise ransomware version stores the config in a section called \"trump\"...\r\n\ud83d\ude02\r\n@BleepinComputer @demonslay335","disable_correlation":false,"object_relation":"post","type":"text"},{"comment":"","category":"Other","uuid":"5b27b1fa-4f88-45c7-87d6-ee9f950d210f","timestamp":"1529328122","to_ids":false,"value":"Twitter","disable_correlation":true,"object_relation":"type","type":"text"},{"comment":"","category":"Network activity","uuid":"5b27b1fa-8cfc-42d7-af0d-ee9f950d210f","timestamp":"1529328122","to_ids":true,"value":"https://twitter.com/malwrhunterteam/status/993499349199056897","disable_correlation":false,"object_relation":"url","type":"url"},{"comment":"","category":"Other","uuid":"5b27b1fb-a848-4aec-809e-ee9f950d210f","timestamp":"1529328123","to_ids":false,"value":"@BleepinComputer @demonslay335","disable_correlation":false,"object_relation":"username-quoted","type":"text"},{"comment":"","category":"Other","uuid":"5b27b1fd-3718-46a5-b53e-ee9f950d210f","timestamp":"1529328125","to_ids":false,"value":"7 May 2018","disable_correlation":false,"object_relation":"creation-date","type":"datetime"},{"comment":"","category":"Other","uuid":"5b27b1fe-3f6c-4ad0-b15d-ee9f950d210f","timestamp":"1529328126","to_ids":false,"value":"@malwrhunterteam","disable_correlation":false,"object_relation":"username","type":"text"}],"distribution":"5","meta-category":"misc","name":"microblog"},{"comment":"","template_uuid":"8ec8c911-ddbe-4f5b-895b-fbff70c42a60","uuid":"5b27b397-a6e8-4a70-9151-ef38950d210f","sharing_group_id":"0","timestamp":"1529328535","description":"Microblog post like a Twitter tweet or a post on a Facebook wall.","template_version":"4","Attribute":[{"comment":"","category":"Other","uuid":"5b27b397-74fc-41f8-bb77-ef38950d210f","timestamp":"1529328535","to_ids":false,"value":"Latest sample of Paradise ransomware (RaaS?) still uses \"trump\" as section name ((link: https://twitter.com/malwrhunterteam/status/993499349199056897) twitter.com/malwrhuntertea\u2026) and mutex.\r\nUses GetUserDefaultLangID & checks for 12 values, then uses an IP API & 12 checks again. \r\nIf can't guess the values, see screens...\r\n@BleepinComputer @demonslay335","disable_correlation":false,"object_relation":"post","type":"text"},{"comment":"","category":"Other","uuid":"5b27b398-75c4-406d-aabb-ef38950d210f","timestamp":"1529328536","to_ids":false,"value":"Twitter","disable_correlation":true,"object_relation":"type","type":"text"},{"comment":"","category":"Network activity","uuid":"5b27b398-f3ac-47eb-af44-ef38950d210f","timestamp":"1529328536","to_ids":true,"value":"https://twitter.com/malwrhunterteam/status/1005420103415017472","disable_correlation":false,"object_relation":"url","type":"url"},{"comment":"","category":"Other","uuid":"5b27b398-c6b4-47bd-8247-ef38950d210f","timestamp":"1529328536","to_ids":false,"value":"@BleepinCompute
