Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Ordinypt is a wiper disguised as ransomware that targets German users

Security experts spotted a new malware dubbed Ordinypt, it is a wiper disguised as ransomware that currently only targets German users The malware researcher Michael Gillespie first reported a new strain of malware called Ordinypt that is currently targeting German users, but unfortunately instead of encrypting users’ files, the malware intentionally destroy them. Tweets by demonslay335 Early this […]

Ordinypt is a wiper disguised as ransomware that targets German users

Security experts spotted a new malware dubbed Ordinypt, it is a wiper disguised as ransomware that currently only targets German users

The malware researcher Michael Gillespie first reported a new strain of malware called Ordinypt that is currently targeting German users, but unfortunately instead of encrypting users’ files, the malware intentionally destroy them.

Early this week, the security researcher Karsten Hahn has spotted a sample that, based on VirusTotal detections, has been targeting only German users. The malware was spread via emails written in German, and delivering notes in an error-free language, it pretends to be a resume being sent in reply to job adverts.

The malware was first dubbed HSDFSDCrypt, but later G Data changed the name in Ordinypt ransomware.

These emails come with two files, a JPG file containing the resume and a curriculum vitae. The files in the observed samples use two attachments named Viktoria Henschel – Bewerbungsfoto.jpg and Viktoria Henschel – Bewerbungsunterlagen.zip.

“The ZIP archive contains two EXE files that use the old double-extension and custom icon tricks to fool users into thinking they’re different files. In this case, PDF files.” reported BleepingComputer.com.

“On Windows PCs that hide the file extensions by default, the EXE extension does not show up, and users just want to see the PDF part, which are legitimate PDFs, and not an executables.”

Ordinypt ransomware

When the victim runs the executable will launch the Ordinypt ransomware, that in instead of encrypting files, wiper them by replacing files with random data.

https://twitter.com/PMackensen/status/928573535391506433

The Ordinypt ransomware generates new “pseudo-encrypted-file’s” name, which is made up of 14 random alpha-numeric characters, the new files are sometimes more than half the size of the original ones.

The malware drops a ransom note in every folder where it wiped file content, the note is named where_sind_my_files.html. (translated which translates to where_are_my_files.html).

HSDFSDCrypt ransom note

The fact that the Ordinypt is a wiper disguised as ransomware is also confirmed by its strange ransom note that doesn’t list an infection ID, nor does it ask for a file from where the ransomware’s authors can extract an ID.

The Ordinypt’s ransom note uses a bitcoin address from a hardcoded wallet address.

“The targeting of HR departments via job application emails also means that this is an intentional campaign to damage the operations of some Germany-based companies.” concluded Catalin Cimpanu from BleepingComputer.

“Furthermore, there’s no way of contacting the faux ransomware’s authors and verifying the payment. All evidence points to the fact that someone coded Ordinypt with the intention to damage computers.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Ordinypt ransomware, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]