The malware researcher Michael Gillespie first reported a new strain of malware called Ordinypt that is currently targeting German users, but unfortunately instead of encrypting users’ files, the malware intentionally destroy them.
Early this week, the security researcher Karsten Hahn has spotted a sample that, based on VirusTotal detections, has been targeting only German users. The malware was spread via emails written in German, and delivering notes in an error-free language, it pretends to be a resume being sent in reply to job adverts.
The malware was first dubbed HSDFSDCrypt, but later G Data changed the name in Ordinypt ransomware.
These emails come with two files, a JPG file containing the resume and a curriculum vitae. The files in the observed samples use two attachments named Viktoria Henschel – Bewerbungsfoto.jpg and Viktoria Henschel – Bewerbungsunterlagen.zip.
“The ZIP archive contains two EXE files that use the old double-extension and custom icon tricks to fool users into thinking they’re different files. In this case, PDF files.” reported BleepingComputer.com.
“On Windows PCs that hide the file extensions by default, the EXE extension does not show up, and users just want to see the PDF part, which are legitimate PDFs, and not an executables.”
When the victim runs the executable will launch the Ordinypt ransomware, that in instead of encrypting files, wiper them by replacing files with random data.
File names and content are generated by the same function (only needs a length as input) which randomly generates a string that consists of uppercase, lowercase and numeric characters . File size can differ between 8KB and 24KB (also random). Doesn't encrypt .png files tho.
— Philipp Mackensen (@PMackensen) November 9, 2017
The malware drops a ransom note in every folder where it wiped file content, the note is named where_sind_my_files.html. (translated which translates to where_are_my_files.html).
The fact that the Ordinypt is a wiper disguised as ransomware is also confirmed by its strange ransom note that doesn’t list an infection ID, nor does it ask for a file from where the ransomware’s authors can extract an ID.
The Ordinypt’s ransom note uses a bitcoin address from a hardcoded wallet address.
“The targeting of HR departments via job application emails also means that this is an intentional campaign to damage the operations of some Germany-based companies.” concluded Catalin Cimpanu from BleepingComputer.
“Furthermore, there’s no way of contacting the faux ransomware’s authors and verifying the payment. All evidence points to the fact that someone coded Ordinypt with the intention to damage computers.”
(Security Affairs – Ordinypt ransomware, hacking)