Ordinypt is a wiper disguised as ransomware that targets German users

Pierluigi Paganini November 10, 2017

Security experts spotted a new malware dubbed Ordinypt, it is a wiper disguised as ransomware that currently only targets German users

The malware researcher Michael Gillespie first reported a new strain of malware called Ordinypt that is currently targeting German users, but unfortunately instead of encrypting users’ files, the malware intentionally destroy them.

Early this week, the security researcher Karsten Hahn has spotted a sample that, based on VirusTotal detections, has been targeting only German users. The malware was spread via emails written in German, and delivering notes in an error-free language, it pretends to be a resume being sent in reply to job adverts.

The malware was first dubbed HSDFSDCrypt, but later G Data changed the name in Ordinypt ransomware.

These emails come with two files, a JPG file containing the resume and a curriculum vitae. The files in the observed samples use two attachments named Viktoria Henschel – Bewerbungsfoto.jpg and Viktoria Henschel – Bewerbungsunterlagen.zip.

“The ZIP archive contains two EXE files that use the old double-extension and custom icon tricks to fool users into thinking they’re different files. In this case, PDF files.” reported BleepingComputer.com.

“On Windows PCs that hide the file extensions by default, the EXE extension does not show up, and users just want to see the PDF part, which are legitimate PDFs, and not an executables.”

Ordinypt ransomware

When the victim runs the executable will launch the Ordinypt ransomware, that in instead of encrypting files, wiper them by replacing files with random data.

https://twitter.com/PMackensen/status/928573535391506433

The Ordinypt ransomware generates new “pseudo-encrypted-file’s” name, which is made up of 14 random alpha-numeric characters, the new files are sometimes more than half the size of the original ones.

The malware drops a ransom note in every folder where it wiped file content, the note is named where_sind_my_files.html. (translated which translates to where_are_my_files.html).

HSDFSDCrypt ransom note

The fact that the Ordinypt is a wiper disguised as ransomware is also confirmed by its strange ransom note that doesn’t list an infection ID, nor does it ask for a file from where the ransomware’s authors can extract an ID.

The Ordinypt’s ransom note uses a bitcoin address from a hardcoded wallet address.

“The targeting of HR departments via job application emails also means that this is an intentional campaign to damage the operations of some Germany-based companies.” concluded Catalin Cimpanu from BleepingComputer.

“Furthermore, there’s no way of contacting the faux ransomware’s authors and verifying the payment. All evidence points to the fact that someone coded Ordinypt with the intention to damage computers.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Ordinypt ransomware, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment