Ordinypt is a wiper disguised as ransomware that targets German users

Security experts spotted a new malware dubbed Ordinypt, it is a wiper disguised as ransomware that currently only targets German users

The malware researcher Michael Gillespie first reported a new strain of malware called Ordinypt that is currently targeting German users, but unfortunately instead of encrypting users’ files, the malware intentionally destroy them.

Tweets by demonslay335

Early this week, the security researcher Karsten Hahn has spotted a sample that, based on VirusTotal detections, has been targeting only German users. The malware was spread via emails written in German, and delivering notes in an error-free language, it pretends to be a resume being sent in reply to job adverts.

The malware was first dubbed HSDFSDCrypt, but later G Data changed the name in Ordinypt ransomware.

These emails come with two files, a JPG file containing the resume and a curriculum vitae. The files in the observed samples use two attachments named Viktoria Henschel – Bewerbungsfoto.jpg and Viktoria Henschel – Bewerbungsunterlagen.zip.

“The ZIP archive contains two EXE files that use the old double-extension and custom icon tricks to fool users into thinking they’re different files. In this case, PDF files.” reported BleepingComputer.com.

“On Windows PCs that hide the file extensions by default, the EXE extension does not show up, and users just want to see the PDF part, which are legitimate PDFs, and not an executables.”

When the victim runs the executable will launch the Ordinypt ransomware, that in instead of encrypting files, wiper them by replacing files with random data.

The Ordinypt ransomware generates new “pseudo-encrypted-file’s” name, which is made up of 14 random alpha-numeric characters, the new files are sometimes more than half the size of the original ones.

The malware drops a ransom note in every folder where it wiped file content, the note is named where_sind_my_files.html. (translated which translates to where_are_my_files.html).

The fact that the Ordinypt is a wiper disguised as ransomware is also confirmed by its strange ransom note that doesn’t list an infection ID, nor does it ask for a file from where the ransomware’s authors can extract an ID.

The Ordinypt’s ransom note uses a bitcoin address from a hardcoded wallet address.

“The targeting of HR departments via job application emails also means that this is an intentional campaign to damage the operations of some Germany-based companies.” concluded Catalin Cimpanu from BleepingComputer.

“Furthermore, there’s no way of contacting the faux ransomware’s authors and verifying the payment. All evidence points to the fact that someone coded Ordinypt with the intention to damage computers.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Ordinypt ransomware, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.