Security researchers found a new malware called Ordinypt. The threat is a wiper disguised as ransomware and it targets German users only.
The bad news about the Ordinypt ransomware is that instead of encrypting users’ files, the malware destroys them.
A few days ago, the security researcher Karsten Hahn noticed a sample which has been targeting German users only.
The Ordinypt ransomware is distributed via emails written in German, and delivering notes in an error-free language, pretending to be a resume being sent in reply to job adverts.
At first, the name of the malware was HSDFSDCrypt, but after that G Data changed it to Ordinypt ransomware.
The malicious emails arrive with two files – a JPG file containing the resume and a curriculum vitae.
The files in the observed samples use two attachments called Viktoria Henschel – Bewerbungsfoto.jpg and Viktoria Henschel – Bewerbungsunterlagen.zip.
“The ZIP archive contains two EXE files that use the old double-extension and custom icon tricks to fool users into thinking they’re different files. In this case, PDF files.” security experts reported.
“On Windows PCs that hide the file extensions by default, the EXE extension does not show up, and users just want to see the PDF part, which are legitimate PDFs, and not an executables.”
Once the victim runs it the executable will launch the Ordinypt ransomware, which instead of encrypting files, wipers them by replacing files with random data.
Ordinypt generates new “pseudo-encrypted-file’s” name, which is made up of 14 random alpha-numeric characters. Sometimes the new files are more than half the size of the original ones.
The Ordinypt ransomware drops a ransom note in every folder where it has wiped the file content. The name of the note is where_sind_my_files.html. (which translates to where_are_my_files.html).
Ordinypt is a wiper disguised as ransomware which is confirmed by its strange ransom note that doesn’t list an infection ID, nor does it ask for a file from where the malware’s creators can extract an ID.
The ransom note of Ordinypt ransomware note uses a bitcoin address from a hardcoded wallet address.
“The targeting of HR departments via job application emails also means that this is an intentional campaign to damage the operations of some Germany-based companies.” the researchers said.
“Furthermore, there’s no way of contacting the faux ransomware’s authors and verifying the payment. All evidence points to the fact that someone coded Ordinypt with the intention to damage computers.”