Ordinypt ransomware destroys files in German companies

Giselle Wolf’s and Viktoria Henshel’s resumes spread Ordinypt malware

Ordinypt ransomware destroys files in German companies

Malware researchers warn about a dangerous cyber threat called Ordinypt[1] spreading in Germany. Nevertheless, cyber-criminals call it ransomware; it’s actually a wiper. Once it gets inside the system and corrupts targeted data, there’s no way to get it back, even if you pay the ransom.

The malicious program spreads via fake job applications that are written in error-free German language. Typically, users can quite easily identify infected emails from grammar and spelling mistakes or typos. However, this time criminals managed to create a flawless email campaign.

Ordinypt ransomware has been spotted by Michael Gillespie in November. Further investigation revealed that malware also foes under the HSDFSDCrypt name. Additionally, security researcher Karsten Hahn found out that malicious program is designed to target German users only.

Home computer users should not expect to encounter this cyber threat. However, HR agencies and departments in Germany should be careful and do not get tricked by Giselle Wolf’s or Viktoria Henshel’s applications.

Malware distribution campaign dates May

The payload of Ordinypt spreads via spam emails that spread either Giselle Wolf’s or Viktoria Henshel’s applications in JPG file or ZIP archive, which includes two EXE Files that look like PDFs. The attachments that contain malware executable are named as:

  • Viktoria Henschel – Bewerbungsfoto.jpg
  • Viktoria Henschel – Bewerbungsunterlagen.zip.

The interesting fact is that the first malicious Giselle Wolf campaign was noticed in May. However, then criminals were distributing an infamous Cerber ransomware.[2] The recent Viktoria Henshel campaign was spotted spreading Ordinypt only.[3]

Security experts believe that this campaign might be a copy and crooks do not have a real purpose of collecting ransoms. The code of the ransomware is poorly written, it does not delete Shadow Volume Copies and does not destroy Restore Point; thus, there’s a little hope about data recovery.

Ordinypt operates as a wiper

Even though it is called a ransomware virus, Ordinypt works as a wiper,[4] which might be even worse. It means that this cyber threat does not encrypts files, but overwrites them.[5] Thus, after the attack, all the date is destroyed for good.

Thus, instead of appending specific file extension as normal file-encrypting viruses do, malware renames files with a random string of characters, including numbers, uppercase, and lowercase letters. Additionally, it deletes original files and reduces the size of the corrupted data in half.

Following “data encryption,” the virus downloads a ransom note called to each folder that contains corrupted files. Translated from the German language, the name of the ransom note Wo_sind_meine_Dateien.html means “Where are my files.”

Crooks continue surprising victims and security experts with the perfect German language. However, criminals demand to pay 0.12 Bitcoins (600 Euros) for data recovery, but paying the ransom will not help. Attackers do not have a tool that can help to restore data. The files are destroyed

Ransom payment method raises assumptions about the purpose of malware

Cyber-criminals use a JavaScript function to choose one Bitcoin wallet address from the 101 hardcoded addresses. Victims are also asked to contact authors of the malware in order to get their payment verified. Malware researchers note that such complicated payment method is not used by criminals who take their illegal business seriously.

Therefore, it is assumed that the purpose of the Ordinypt virus is to cause chaos and destruction in Germany. Maybe, attackers had problems with finding a job, and this malicious program became a revenge tool. However, companies are warned to be careful with received resumes in order to avoid destructions of important business data.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at 2-Spyware.com. She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.

Contact Olivia Morelli
About the company Esolutions