A new wiper malware called Ordinypt has been discovered targeting businesses and individuals in Germany. It is spread under the guise of job applicants inquiring about open positions, and rather than encrypting users’ documents it overwrites their contents with random data.
Michael Gillespie, the developer of ID-Ransomware, first noticed Ordinypt when one of its ransom notes was uploaded to his ID-Ransomware site.
According to Bleeping Computer, Karsten Hahn, a researcher at G Data, found another sample on the 6th of this month and established that Ordinypt targets Germany. Based on VirusTotal detections, he found that Ordinypt reaches German users through emails written in German and delivers ransom notes in error-free German.
Ordinypt poses as a resume sent in reply to job adverts, the same way the Petya ransomware was distributed.
The malware was initially dubbed HSDFSDCrypt, but G Data later renamed it Ordinypt.
The malware is hidden in attachments named Viktoria Henschel – Bewerbungsfoto.jpg and Viktoria Henschel – Bewerbungsunterlagen.zip. The emails are believed to contain a JPG image of the woman supposedly sending the resume, and a ZIP file containing the resume and a curriculum vitae.
The ZIP archive contains two EXE files that use the old double-extension trick together with custom icons to pass themselves off as two different PDF files, when in fact both are the same executable.
On Windows systems that hide known file extensions (the default), the .exe part is not shown, so users see only the .pdf part, which is usually all it takes to make them believe the files are valid PDFs rather than executables.
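A mail-gateway or triage check for the attachment pattern described above, added here as an example (it is not code from the article, from G Data or from the Bleeping Computer write-up). It applies the three observations the paragraph makes: a document extension masking an executable extension, executable content behind the name, and two entries that are really one binary. The archive it builds is constructed sample data: the inner names Lebenslauf.pdf.exe, Anschreiben.pdf.exe and Foto.jpg are invented, and the "MZ" stub is inert placeholder bytes, not the real attachment.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

# Extensions the lure pretends to be, and the executable types hidden behind them.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jse", "wsf"}


def has_double_extension(name: str) -> bool:
    """True for names like 'Lebenslauf.pdf.exe': a document extension followed by an executable one."""
    base = name.rsplit("/", 1)[-1].lower()  # strip any directory prefix inside the archive
    parts = base.split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS


def inspect_archive(zip_path: str):
    """Return [(entry_name, [reasons])] for every archive entry that looks suspicious.

    Three checks, all taken from the article's description of the lure:
      - a double extension (document type masking an executable type),
      - a PE header ('MZ') at the start of the content,
      - content identical to an earlier entry (the 'two PDFs' are one binary).
    """
    findings = []
    seen_digests = {}  # sha256 -> first entry name with that content
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)  # mail attachments are small; reading whole entries is fine here
            reasons = []
            if has_double_extension(info.filename):
                reasons.append("double extension")
            if data[:2] == b"MZ":
                reasons.append("PE header")
            digest = hashlib.sha256(data).hexdigest()
            if digest in seen_digests:
                reasons.append(f"identical to {seen_digests[digest]}")
            else:
                seen_digests[digest] = info.filename
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip() -> str:
    """Write a constructed ZIP shaped like the lure (inert placeholder bytes, not real malware)."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"placeholder, not a real executable"
    path = Path(tempfile.mkdtemp(prefix="ordinypt_zip_")) / "Bewerbungsunterlagen.zip"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("Foto.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)  # harmless JPEG-like entry
        zf.writestr("Lebenslauf.pdf.exe", fake_pe)  # constructed names: one binary, two copies
        zf.writestr("Anschreiben.pdf.exe", fake_pe)
    return str(path)


if __name__ == "__main__":
    for entry, why in inspect_archive(build_sample_zip()):
        print(f"{entry}: {', '.join(why)}")
```

The duplicate-content check is the cheapest of the three and the hardest for a lure to dodge without changing the binary; the double-extension check is what a user with hidden extensions cannot see and is therefore worth enforcing at the gateway rather than at the desktop.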
Once the executable is run, Ordinypt replaces the contents of the victim’s files with randomly generated characters drawn from uppercase letters, lowercase letters and digits.
Philipp Mackensen, a reverse engineer, also noted that the malware does not encrypt PNG files.
“File names and content are generated by the same function (only needs a length as input), which randomly generates a string that consists of uppercase, lowercase and numeric characters. File size can differ between 8KB and 24KB (also random). Doesn’t encrypt .png files though,” Mackensen stated.
He added that the wiper searches for files just like any other ransomware, but then “creates a ‘pseudo-encrypted-file’ which is actually just a garbage file and then deletes the original file.”
Mackensen further explained that the malware behaves this way to pass as ransomware, disguising the fact that it is a wiper.
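A triage script for responders, added here as an example (not code from the article or from the researchers it quotes): it walks a directory and flags files matching the pattern Mackensen describes, a purely alphanumeric name, purely alphanumeric content, and a size between 8 KB and 24 KB, so a responder can confirm quickly that the “encrypted” files are garbage rather than recoverable ciphertext. The sample directory it builds is constructed data. Two points are assumptions, because the article does not specify them: the name check is applied to the file stem (any extension is ignored), and 8 KB/24 KB are read as 8192/24576 bytes.

```python
import os
import random
import re
import string
import tempfile
from pathlib import Path

# Heuristics from the article: wiper output has a random [A-Za-z0-9] name and content,
# with a random size between 8 KB and 24 KB. Assumption: 1 KB = 1024 bytes.
MIN_SIZE = 8 * 1024
MAX_SIZE = 24 * 1024
ALNUM_NAME = re.compile(r"[A-Za-z0-9]+")
ALNUM_BYTES = re.compile(rb"[A-Za-z0-9]+")


def looks_wiped(path) -> bool:
    """True if the file has the shape of an Ordinypt garbage file (size, name and content)."""
    path = Path(path)
    try:
        size = path.stat().st_size
    except OSError:
        return False
    if not MIN_SIZE <= size <= MAX_SIZE:
        return False
    # Assumption: the random name is the stem; any extension is ignored.
    if ALNUM_NAME.fullmatch(path.stem) is None:
        return False
    return ALNUM_BYTES.fullmatch(path.read_bytes()) is not None


def scan_for_wiped_files(root: str):
    """Return a sorted list of files under root that match the garbage-file pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if looks_wiped(p):
                hits.append(p)
    return sorted(hits)


def build_sample_dir() -> str:
    """Create a constructed directory mixing wiper-shaped files with intact ones."""
    root = Path(tempfile.mkdtemp(prefix="ordinypt_triage_"))
    rng = random.Random(1234)  # fixed seed so the sample is reproducible
    alphabet = string.ascii_letters + string.digits

    def rand_str(n: int) -> str:  # one function for both name and content, as Mackensen describes
        return "".join(rng.choice(alphabet) for _ in range(n))

    for _ in range(2):  # two garbage files with random names and random sizes in the window
        (root / rand_str(16)).write_bytes(rand_str(rng.randint(MIN_SIZE, MAX_SIZE)).encode())
    # Files that must not be flagged: a document, an untouched PNG, a tiny alphanumeric file.
    (root / "quarterly_report.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 9000)
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 10000)
    (root / "token").write_bytes(b"abc123")
    return str(root)


if __name__ == "__main__":
    sample = build_sample_dir()
    for hit in scan_for_wiped_files(sample):
        print(f"wiped: {hit} ({hit.stat().st_size} bytes)")
```

Because the original is deleted after the garbage file is written, a positive hit means restoration has to come from backups or volume shadow copies rather than from any decryption effort; the PNG exclusion is also useful as a quick sanity check, since intact PNGs next to garbage files match the behaviour described here.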