Ordinypt malware is currently being used in targeted attacks on companies in Germany. While Ordinypt malware appears to victims to be ransomware, the malware is actually a wiper.
Infection sees files made inaccessible, and as with ransomware, a ransom demand is issued. The attackers ask for 0.12 Bitcoin – around $836 – to restore files.
Ordinypt malware does not encrypt files – it simply deletes the original file name and replaces it with a random string of letters and numbers. The contents of files are also replaced with random letters and numbers.
Even if the ransom demand is paid, the attackers do not have a mechanism to allow victims to recover their original files. The only sure-fire way to recover files is to restore them from a backup. In contrast to many ransomware variants that make it difficult to recover files by deleting Windows Shadow Volume copies, those are left intact, so it may be possible for users to recover some of their files.
Ordinypt malware – or HSDFSDCrypt as it was originally known – was discovered by Michael Gillespie. A sample of the malware was obtained and analyzed by German security researcher Karsten Hahn from G Data Security. G Data Security renamed the malware Ordinypt.
Hahn notes that Ordinypt malware is poorly written with a bad coding style, indicating this is not the work of a skilled hacker. Hahn said, this is “A stupid malware that destroy information of enterprises and innocent people and try steal money.”
The attackers are using a common technique to maximize the number of infections. The malware is disguised as PDF files which are distributed via spam email. The messages claim to be applications in reply to job adverts. Two files are included in a zip file attachment, which appear to be a resume and a CV.
While the files appear to be PDFs, and are displayed as such, they actually have a double extension. If the user’s computer has file extensions hidden, all that will be displayed is filename.pdf, when in actual fact the file is filename.pdf.exe. Clicking on either of the files will run the executable and launch Ordinypt malware.
In recent months there have been several wiper malware variants detected that pretend to be ransomware. The attackers are taking advantage of the publicity surrounding ransomware attacks, and are fooling end users into paying a ransom, when there is no way of recovering files. It is not clear whether the reason for the attacks is to make money. It is possible that these attacks are simply intended to cause disruption to businesses, as was the case with the NotPetya wiper attacks.
Regardless of how poorly written this malware is, it is still effective and can cause significant disruption to businesses. Protecting against this, and other email-based malware threats, requires a combination of end user training and technology.
End users should be informed of the risks of opening attachments from unknown senders and should assume that all such emails could be malicious. In this case, the malware is poorly written but the emails are not. They use perfect German and are highly believable. HR employees could be easily fooled by a ruse such as this.
The best protection against threats such as these is an advanced spam filter such as SpamTitan. Preventing these emails from reaching inboxes is the best defense.
By configuring the spam filter to block executable files, the messages will be rerouted to a quarantine folder rather than being delivered, mitigating the threat.
For further information on how a spam filter can help to block email-based threats and to register for a free trial of SpamTitan for your business, contact the TitanHQ team today.