The malware researcher Michael Gillespie first reported a new strain of malware called Ordinypt that is currently targeting German users, but unfortunately instead of encrypting users’ files, the malware intentionally destroy them.
Early this week, the security researcher Karsten Hahn has spotted a sample that, based on VirusTotal detections, has been targeting only German users. The malware was spread via emails written in German, and delivering notes in an error-free language, it pretends to be a resume being sent in reply to job adverts.
The malware was first dubbed HSDFSDCrypt, but later G Data changed the name in Ordinypt ransomware.
These emails come with two files, a JPG file containing the resume and a curriculum vitae. The files in the observed samples use two attachments named Viktoria Henschel – Bewerbungsfoto.jpg and Viktoria Henschel – Bewerbungsunterlagen.zip.
“The ZIP archive contains two EXE files that use the old double-extension and custom icon tricks to fool users into thinking they’re different files. In this case, PDF files.” reported BleepingComputer.com.
“On Windows PCs that hide the file extensions by default, the EXE extension does not show up, and users just want to see the PDF part, which are legitimate PDFs, and not an executables.”
When the victim runs the executable will launch the Ordinypt ransomware, that in instead of encrypting files, wiper them by replacing files with random data.
The malware drops a ransom note in every folder where it wiped file content, the note is named where_sind_my_files.html. (translated which translates to where_are_my_files.html).
The fact that the Ordinypt is a wiper disguised as ransomware is also confirmed by its strange ransom note that doesn’t list an infection ID, nor does it ask for a file from where the ransomware’s authors can extract an ID.
“The targeting of HR departments via job application emails also means that this is an intentional campaign to damage the operations of some Germany-based companies.” concluded Catalin Cimpanu from BleepingComputer.
“Furthermore, there’s no way of contacting the faux ransomware’s authors and verifying the payment. All evidence points to the fact that someone coded Ordinypt with the intention to damage computers.”
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – Ordinypt ransomware, hacking)
[adrotate banner=”5″]
[adrotate banner=”13″]
PumaBot targets Linux IoT devices, using SSH brute-force attacks to steal credentials, spread malware, and…
Apple blocked over $9B in fraud in 5 years, including $2B in 2024, stopping scams…
Researchers found a fake Bitdefender site spreading the Venom RAT by tricking users into downloading…
Iranian man pleads guilty to role in Baltimore ransomware attack tied to Robbinhood, admitting to…
Sophos warns that a DragonForce ransomware operator chained three vulnerabilities in SimpleHelp to target a…
A new Russia-linked APT group, tracked as Laundry Bear, has been linked to a Dutch…
This website uses cookies.
![](data:image/svg+xml;charset=utf-8,<svg height="956px" width="800px" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)