Ordinypt Ransomware Targeting Germany

A new wiper malware called Ordinypt has been discovered targeting businesses and users in Germany. It arrives under the guise of fake job applicants inquiring about openings and poses as ransomware, but rather than encrypting users’ documents it overwrites files with random data.

Michael Gillespie, the coder behind ID-Ransomware, first discovered Ordinypt when one of its ransom notes was uploaded to the website of his firm.

According to Bleeping Computer, Karsten Hahn, a researcher with G Data, discovered another sample on the 6th of this month and learned that Ordinypt has Germany as its target. Through VirusTotal detections he found that Ordinypt is aimed at German users, arriving in emails written in German and delivering ransom notes in error-free German.

Ordinypt pretends to be a resume sent in reply to job adverts, the same lure that was used to distribute the Petya ransomware.

Upon discovery the malware was dubbed HSDFSDCrypt, but G Data later renamed it Ordinypt.

The malware hides in attachments named Viktoria Henschel – Bewerbungsfoto.jpg and Viktoria Henschel – Bewerbungsunterlagen.zip. The emails are believed to contain a JPG image of the woman supposedly sending the resume and a ZIP file containing the resume and a curriculum vitae.

The ZIP archive contains two EXE files that use the old double-extension and custom-icon tricks to make users believe they are two different PDF files, when in fact both are the same executable.

On Windows computers that hide file extensions by default, the .exe part is not shown and users see only the .pdf part, which is usually enough to convince them that the files are genuine PDFs rather than executables.
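The double-extension trick is easy to catch at a mail gateway or during triage of a suspicious archive. The following added example (written for this article, not code from the campaign or from any of the researchers quoted) opens a ZIP in memory and flags entries whose final extension is executable while an earlier extension looks like a document, as well as entries whose content starts with a PE "MZ" header but whose name does not end in an executable extension. The archive contents and entry names (Lebenslauf.pdf, Anschreiben.pdf.exe, Foto.jpg) are constructed for the demo and are not the real attachment names.

```python
import io
import re
import zipfile

# Extensions Windows will run directly. With "hide extensions for known file
# types" enabled, "Anschreiben.pdf.exe" is displayed as "Anschreiben.pdf".
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "hta"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "jpg", "jpeg", "png", "txt", "rtf"}

# Matches the last two dot-separated suffixes of a file name, e.g. ".pdf.exe".
DOUBLE_EXT = re.compile(r"\.([a-z0-9]+)\.([a-z0-9]+)$", re.IGNORECASE)


def classify_entry(name, head):
    """Return a list of findings for one archive entry.

    name: the entry's file name inside the archive
    head: the first two bytes of the entry's content (used for the PE 'MZ' check)
    """
    findings = []
    base = name.rsplit("/", 1)[-1]
    outer = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    m = DOUBLE_EXT.search(base)
    if m:
        inner = m.group(1).lower()
        if outer in EXECUTABLE_EXTENSIONS and inner in DOCUMENT_EXTENSIONS:
            findings.append("double-extension executable masquerading as ." + inner)
    if head == b"MZ" and outer not in EXECUTABLE_EXTENSIONS:
        findings.append("PE header in file with non-executable extension")
    if outer in EXECUTABLE_EXTENSIONS:
        findings.append("executable inside archive")
    return findings


def scan_zip(data):
    """Scan a ZIP given as bytes; return {entry name: [findings]} for flagged entries."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            findings = classify_entry(info.filename, head)
            if findings:
                results[info.filename] = findings
    return results


def build_sample_archive():
    """Constructed sample archive: one benign PDF, one double-extension PE,
    and one PE renamed to look like a photo. Names are hypothetical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Lebenslauf.pdf", b"%PDF-1.4 constructed benign placeholder")
        zf.writestr("Anschreiben.pdf.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("Foto.jpg", b"MZ" + b"\x00" * 64)
    return buf.getvalue()


def demo():
    """Run the scanner over the constructed archive and return its findings."""
    return scan_zip(build_sample_archive())


if __name__ == "__main__":
    for entry, findings in demo().items():
        print(entry, "->", "; ".join(findings))
```

The name check alone would miss an executable simply renamed to .jpg, which is why the scanner also reads the first two bytes of each entry; a production gateway would go further and parse the full PE header rather than trusting any extension.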

Once run, the executable launches Ordinypt, which replaces each file’s contents with randomly generated characters drawn from uppercase letters, lowercase letters and digits.

Philipp Mackensen, a reverse engineer, added that the malware does not encrypt PNG files.

“File names and content are generated by the same function (only needs a length as input) which randomly generates a string that consists of uppercase, lowercase and numeric characters. File size can differ between 8KB and 24KB (also random). Doesn’t encrypt .png files though,” Mackensen stated.

He went on to say that the wiper searches for files just like any other ransomware, but merely “creates a ‘pseudo-encrypted-file’ which is actually just a garbage file and then after, deletes the original file.”

Mackensen further explained that the malware behaves this way to pass as ransomware while disguising the fact that it is a wiper.

The same algorithm generates both the random data and the new “pseudo-encrypted-file’s” name, which consists of 14 random alphanumeric characters.
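The artifacts described by Mackensen (a 14-character alphanumeric file name, a size between 8 KB and 24 KB, content made only of letters and digits, PNG files left untouched) are distinctive enough to hunt for during incident response. The following added example, not code from the article or from G Data, walks a directory tree and reports files matching all three traits. It assumes the garbage files carry no extension, which the article does not state explicitly; the sample tree it builds in a temporary directory is constructed for the demo.

```python
import os
import re
import shutil
import tempfile

# Traits of the "pseudo-encrypted" garbage files as described in the article.
ARTIFACT_NAME = re.compile(r"^[A-Za-z0-9]{14}$")   # 14 random alphanumerics, no extension (assumption)
MIN_SIZE, MAX_SIZE = 8 * 1024, 24 * 1024             # 8 KB to 24 KB
ALNUM_ONLY = re.compile(rb"^[A-Za-z0-9]+$")           # content is letters and digits only


def looks_like_ordinypt_artifact(path):
    """Return True if the file matches the name, size and content heuristics."""
    if not ARTIFACT_NAME.match(os.path.basename(path)):
        return False
    size = os.path.getsize(path)
    if not (MIN_SIZE <= size <= MAX_SIZE):
        return False
    # The size bound keeps this read cheap, so check the whole file.
    with open(path, "rb") as fh:
        return bool(ALNUM_ONLY.match(fh.read()))


def scan_tree(root):
    """Return the base names of all matching files under root, sorted."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if looks_like_ordinypt_artifact(os.path.join(dirpath, name)):
                hits.append(name)
    return sorted(hits)


def build_sample_tree():
    """Constructed sample directory: one artifact, one ordinary document,
    one PNG (which the wiper skips) and one 14-character name that is too small."""
    root = tempfile.mkdtemp(prefix="ordinypt_demo_")
    with open(os.path.join(root, "a1B2c3D4e5F6g7"), "wb") as fh:
        fh.write(b"Xy7" * 4096)                       # 12288 bytes of alphanumerics
    with open(os.path.join(root, "Bericht.txt"), "wb") as fh:
        fh.write(b"Quartalsbericht, konstruierter Inhalt\n" * 300)
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 9000)
    with open(os.path.join(root, "Zz9Zz9Zz9Zz9Zz"), "wb") as fh:
        fh.write(b"abc")                              # right name shape, wrong size
    return root


def demo():
    """Build the sample tree, scan it, clean up, and return the hits."""
    root = build_sample_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print("suspected wiper artifacts:", demo())
```

A positive hit says only that a directory contains garbage files of the described shape; because the originals are deleted rather than encrypted, the useful follow-up is checking backups and file-server snapshots, not looking for a decryption key.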

For payment, Ordinypt uses a JavaScript function that picks a random Bitcoin address from a list of 101 hardcoded wallet addresses. There is also no way to contact the malware’s authors to verify a payment.

Andy Norton, Director of Threat Intelligence at Lastline, told reporters that researchers have observed this infection method for the past six months, with earlier versions of the campaign going back to May and some of them using Cerber as the ransomware payload.

“This latest attack using the name Viktoria Henshel does not use Cerber, and has a very poor implementation of a payment method, suggesting that the threat actor does not want to get paid a ransom but merely wishes to destroy data of the targeted organizations,” Norton stated.

“We may speculate that this change in motivation may indicate a copycat threat: someone who is copying the tools, tactics, and procedures of one established threat group, but has a very different motive,” he added.

Also commenting after the discovery of this ransomware was Bleeping Computer’s Catalin Cimpanu, who stated that “the targeting of HR departments via job application emails also means that this is an intentional campaign to damage the operations of some Germany-based companies.”

He added: “Furthermore, there’s no way of contacting the faux ransomware authors and verifying the payment. All evidence points to the fact that someone coded Ordinypt with the intention to damage computers.”