Cukiesi, a Paradise ransomware variant demands over $50k for file retrieval


The SonicWall Capture Labs threat research team has observed reports of a variant of Paradise ransomware called Cukiesi.  This ransomware family has been around since early 2018 and is reported to have originated from Russia.  The ransom demand is quite steep at 1.5 BTC ($55k at the time of writing this alert) and it is speculated that it is aimed at large organisations rather than the average home PC user.


Infection Cycle:


Upon infection, files on the system are encrypted and given a “_cU_{<6 alphanumeric char>}Cukiesi” extension to their filenames:


nooode.txt is dropped into all directories where files were encrypted.  It contains the following ransom message:


We reached out to the email addresses provided in the ransom note and had the following conversation with the operator:


The protonmail address had been deactivated but we received a response from the email address:


The ransom amount appears to be negotiable but at the time of writing this alert we were unsuccessful:


We are still awaiting a reply.


SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Cukiesi.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.