
Ordinypt Wiper Ransomware

Updated September 2019 – Added IOC List

A new variant of the HSDFSDCrypt Ransomware, called Ordinypt, has been observed being used in recent attacks. When executed, it does not encrypt the user's files but instead overwrites them with random data, so they are unrecoverable regardless of any key. A ransom note is dropped into each folder after its contents have been replaced.

Ordinypt does not have any self-propagation methods and is, at the time of publication, only spread via malicious emails written in German. The body of the email appears to be a reply to a job advert, with an attached .zip file containing an executable disguised as a PDF (a double-extension name such as the ".pdf.exe" filename listed in the indicators below) that delivers the malware.

According to an analysis from Valthek, once opened, the malware infects a victim’s machine, making files inaccessible, and then requests 0.12 Bitcoin (around 600 EUR) for recovering them. Unbeknownst to the target, the files are actually destroyed, not encrypted, and the attackers have no code for “unlocking” them, even if victims pay up.

Whether or not the ransom is paid, Valthek said it is unlikely that victims will be able to recover their files in their entirety.

Indicators of Compromise

Filenames

  • [extension]_how_to_decrypt.txt
  • Eva Richter Bewerbung und Lebenslauf.pdf.exe
  • Eva Richter Bewerbung und Lebenslauf.zip
  • Viktoria Henschel – Bewerbungsfoto.jpg
  • Viktoria Henschel – Bewerbungsunterlagen.zip

SHA256 File Hashes

  • 00150f054a681b20ab7d96891da5b89eb2b53d8e40f02556b4eb3a7553c73402
  • 085256b114079911b64f5826165f85a28a2a4ddc2ce0d935fa8545651ce5ab0
  • 24de0b9eb94e6f80fcd9078112015a92d9c42cec889452f069447af461edd7ff
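The following triage script is an added example, not code from the original post or from Valthek's analysis. It takes the indicators listed above and does three things a practitioner would want before relying on them: it validates each hash (one of the three listed values is only 63 hex characters long, so it can never match a real SHA256 digest and is reported rather than silently ignored), it walks a directory tree hashing files and matching the listed names and digests, and it flags two patterns the page describes rather than lists exactly: the double-extension lure (".pdf.exe") and the "[extension]_how_to_decrypt.txt" ransom note. The sample directory, its file contents and the note prefix "ABCDE" are constructed for the demo and are not real samples.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Indicators exactly as listed on this page.
IOC_FILENAMES = {
    "Eva Richter Bewerbung und Lebenslauf.pdf.exe",
    "Eva Richter Bewerbung und Lebenslauf.zip",
    "Viktoria Henschel – Bewerbungsfoto.jpg",
    "Viktoria Henschel – Bewerbungsunterlagen.zip",
}
IOC_SHA256_RAW = [
    "00150f054a681b20ab7d96891da5b89eb2b53d8e40f02556b4eb3a7553c73402",
    "085256b114079911b64f5826165f85a28a2a4ddc2ce0d935fa8545651ce5ab0",  # 63 chars as published
    "24de0b9eb94e6f80fcd9078112015a92d9c42cec889452f069447af461edd7ff",
]

HEX64 = re.compile(r"^[0-9a-f]{64}$")
# Ransom note pattern from the page: "[extension]_how_to_decrypt.txt"
RANSOM_NOTE = re.compile(r"^[A-Za-z0-9]+_how_to_decrypt\.txt$", re.IGNORECASE)
# Document/image extension immediately followed by an executable extension
DOUBLE_EXT = re.compile(
    r"\.(pdf|doc|docx|jpg|jpeg|png|txt)\.(exe|scr|com|bat|js|vbs)$", re.IGNORECASE
)


def valid_hashes(raw):
    """Split the published list into usable 64-hex digests and malformed entries."""
    valid, rejected = set(), []
    for h in raw:
        h = h.strip().lower()
        if HEX64.match(h):
            valid.add(h)
        else:
            rejected.append(h)
    return valid, rejected


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_dir(root):
    """Walk root and return (path, reason) hits for every indicator that fires."""
    hashes, _ = valid_hashes(IOC_SHA256_RAW)
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if name in IOC_FILENAMES:
                hits.append((p, "ioc-filename"))
            if RANSOM_NOTE.match(name):
                hits.append((p, "ransom-note"))
            if DOUBLE_EXT.search(name):
                hits.append((p, "double-extension"))
            if sha256_of(p) in hashes:
                hits.append((p, "ioc-sha256"))
    return hits


def build_sample_tree():
    """Constructed demo tree (no real malware): a disguised executable carrying
    the listed lure name, a ransom note with an assumed 'ABCDE' extension prefix,
    and one benign PDF that must not be flagged."""
    root = tempfile.mkdtemp(prefix="ordinypt-demo-")
    Path(root, "Downloads").mkdir()
    Path(root, "Downloads", "Eva Richter Bewerbung und Lebenslauf.pdf.exe").write_bytes(b"MZ-not-real")
    Path(root, "Documents").mkdir()
    Path(root, "Documents", "ABCDE_how_to_decrypt.txt").write_text("constructed note")
    Path(root, "Documents", "report.pdf").write_bytes(b"%PDF-1.4 benign")
    return root


if __name__ == "__main__":
    valid, rejected = valid_hashes(IOC_SHA256_RAW)
    for h in rejected:
        print(f"skipping malformed hash ({len(h)} hex chars): {h}")
    for path, reason in scan_dir(build_sample_tree()):
        print(f"{reason:16} {path}")
```

Point `scan_dir` at a mounted image or a user profile to triage a suspect host; the hash check is the only high-confidence indicator, while the filename and double-extension matches are cheap first-pass signals that should be reviewed by hand.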

Resolution:

As with all forms of zero-day malware the first line of defence against new variants of ransomware is user awareness and safe working practices.

To avoid becoming infected with ransomware, ensure that:

  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, antivirus and other security products are kept up to date.
  • All day-to-day computer activities such as email and web browsing are performed using non-administrative accounts, and that permissions are always assigned on the basis of least privilege.

To limit the damage of ransomware and enable recovery: 

All critical data must be backed up, and these backups must be sufficiently protected and kept out of reach of ransomware. Because Ordinypt overwrites files rather than encrypting them, no decryptor can ever exist for it, so a backup is the only way to get affected files back.

Multiple backups should be created including at least one off-network backup (e.g. to tape).

Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
