Ordinypt 'Ransomware' Destroys Data Instead of Encrypting It

A new malware called Ordinypt that targets German users is making the rounds—billing itself as ransomware. However, the code is really a wiper, with apparent twin motives of financial gain as well as disrupting business operations.

G Data security researcher Karsten Hahn found that the malware, which also goes by the name HSDFSDCrypt, is targeting German users for the moment, using emails and ransom notes written in flawless German. It is being spread via fake responses to job ads: the emails claim to carry a ZIP file containing the applicant's resume and CV, and the executable inside is the dropper.

According to an analysis from Valthek, once the attachment is opened the malware renders the victim's files inaccessible and demands 0.12 Bitcoin (around 600 EUR) to restore them. Unbeknownst to the target, the files are destroyed rather than encrypted: the sample contains no decryption routine, so there is nothing to "unlock" even if the victim pays up.

Interestingly, Valthek found that the malware does not encrypt anything: it replaces each file with garbage strings of random letters and numbers and deletes the original. Because the original data is not wiped in place, its contents remain on the raw disk until those sectors are reused, leaving open the possibility ("with luck", he said) of recovering them with an undelete tool such as Recuva. The malware also leaves Volume Shadow Copies and System Restore points intact, so a tool like Shadow Explorer could be useful in getting data back.

In both cases though, Valthek said it’s unlikely that victims will be able to recover their files in totality.
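Before attempting any recovery it is worth checking, on the affected host, whether the shadow copies and restore points the malware leaves behind actually exist, and mounting the newest shadow copy so files can be copied off without touching the damaged volume. The following PowerShell snippet is an added example written for this article; it is not code from G Data, Valthek or the malware analysis. It assumes an elevated prompt on a Windows client with VSS enabled, and the mount path `C:\ShadowMount` is an arbitrary choice.

```powershell
# Added example (not from the article): triage of recovery options on a Windows
# host hit by a wiper like Ordinypt, which deletes originals but leaves Volume
# Shadow Copies and System Restore points alone. Run from an elevated prompt.
# Do NOT write new data to the affected volume first: deleted file contents
# survive only until their clusters are reused, which also matters for Recuva.

# 1. Volume Shadow Copies (the snapshots Shadow Explorer browses)
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy
if ($shadows) {
    $shadows |
        Select-Object ID, InstallDate, VolumeName, ClientAccessible |
        Format-Table -AutoSize
} else {
    Write-Warning "No Volume Shadow Copies present on this host."
}

# 2. System Restore points (client SKUs only; cmdlet exists in Windows PowerShell 5.1)
try {
    Get-ComputerRestorePoint |
        Select-Object SequenceNumber, CreationTime, Description |
        Format-Table -AutoSize
} catch {
    Write-Warning "System Restore not available: $($_.Exception.Message)"
}

# 3. Expose the newest shadow copy through a directory symlink so files can be
#    copied to clean media. The trailing backslash on the device path is required.
$newest = $shadows | Sort-Object InstallDate -Descending | Select-Object -First 1
if ($newest) {
    $mount  = 'C:\ShadowMount'          # assumed, arbitrary mount location
    $device = $newest.DeviceObject + '\' # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\
    cmd /c mklink /d $mount $device | Out-Null
    Write-Host "Newest shadow copy from $($newest.InstallDate) mounted at $mount"
    Get-ChildItem -Path (Join-Path $mount 'Users') -ErrorAction SilentlyContinue |
        Select-Object -First 5
}
```

Copy recovered files to a separate, clean disk rather than back onto the affected volume, and remove the symlink afterwards with `cmd /c rmdir C:\ShadowMount`. If step 1 reports no shadow copies at all, the only remaining option is file carving or undeletion from a forensic image of the disk.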

What’s also notable about the code is that while it is effective, it is poorly written. Valthek’s overall assessment is blunt: “A stupid malware that destroys information of enterprises and innocent people and tries to steal money by claiming that it is ransomware. Bad coding style, an easy packer; it only needed one hour of my time to reverse it and write this report.”
