Destructive Ordinypt Malware Hitting Germany in New Spam Campaign

Published on September 15th, 2019

A new spam campaign is underway that pretends to be a job application from "Eva Richter", who is sending her photo and resume. The resume, though, is actually an executable masquerading as a PDF file that installs the Ordinypt wiper and destroys the victim's files.

Ordinypt is destructive malware that commonly targets German users. It poses as ransomware that encrypts your files and then demands that victims pay a ransom to get them back. Unfortunately, even if a user pays, the files have been overwritten with garbage and cannot be decrypted.

From the samples and ransom notes seen by BleepingComputer, this campaign appears to have started around September 11th, 2019.

Fake 'Eva Richter' job application

This campaign is currently targeting German-speaking victims and pretends to be a job application from a person named "Eva Richter". The emails have the subject line "Bewerbung via Arbeitsagentur - Eva Richter" ("Application via Employment Agency - Eva Richter").

The spam emails contain a stock photo image of a woman, who is supposed to be our job applicant, and a zip file named "Eva Richter Bewerbung und Lebenslauf.zip" that pretends to be her resume.

Spam Email

The text of this spam email in German is:

Sehr geehrte Damen und Herren, 

hiermit bewerbe mich auf die von Ihnen bei der Arbeitsagentur angebotene Stelle.

Das von Ihnen beschriebene Tätigkeitsfeld entspricht in besonderem Maße meinen beruflichen Perspektiven. Meine Bewerbungsunterlagen finden Sie im Anhang.

Über eine Einladung zu einem persönlichen Vorstellungsgespräch würde ich mich sehr freuen.

Mit freundlichen Grüßen,

Eva Richter

This translates to English as the following:

Dear Sir or Madam,

I hereby apply for the position you advertised through the Employment Agency (Arbeitsagentur).

The area of work you describe matches my professional goals particularly well. My application documents are attached.

I would be very pleased to be invited to a personal interview.

Yours sincerely,

Eva Richter

Inside the zip file attachment is a file called "Eva Richter Bewerbung und Lebenslauf.pdf.exe" that pretends to be a PDF resume, as seen below. Windows hides known extensions by default, so the victim sees only "Eva Richter Bewerbung und Lebenslauf.pdf".

Ordinypt installer
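The double extension is the cheapest place to stop this lure, on the mail gateway or in an attachment triage script, before anyone double-clicks it. The script below is an added example for this article, not code from BleepingComputer or anything taken from the Ordinypt sample: it opens a zip attachment, flags members whose name ends in a document extension followed by an executable one, and cross-checks the file's first bytes against what the claimed extension should look like (a PDF starts with "%PDF", a Windows executable with "MZ"). The zip it scans is constructed inline and contains only a fake MZ header, no real malware.

```python
"""Triage a zip attachment for executables masquerading as documents.

Added example for this article; not code from BleepingComputer or from the
Ordinypt sample. The archive built in build_sample_zip() is constructed for
the demo and contains no real malware, only an 'MZ' magic plus padding.
"""
import io
import zipfile

# Extensions a recipient expects to be harmless documents or images.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "jpg", "jpeg", "png", "txt", "rtf"}
# Extensions Windows will execute when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "hta", "lnk"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons one zip member looks like a disguised executable.

    name: member path inside the archive; head: its first few bytes.
    An empty list means nothing suspicious was found.
    """
    reasons = []
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS:
        reasons.append(f"double extension .{parts[-2]}.{parts[-1]}")
    elif len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{parts[-1]}")
    if head[:2] == b"MZ":
        reasons.append("content starts with an MZ (PE) header")
    if parts[-1] == "pdf" and not head.startswith(b"%PDF"):
        reasons.append("claims to be PDF but lacks %PDF magic")
    return reasons


def triage_zip(data: bytes) -> dict[str, list[str]]:
    """Scan every file in a zip archive (given as bytes).

    Returns {member_name: [reasons]} for the members that look suspicious.
    Only the first 8 bytes of each member are read, so a large archive is
    cheap to check.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in for the 'Eva Richter Bewerbung und Lebenslauf.zip'
    attachment: a fake PE named like the lure next to a benign PDF-looking file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Eva Richter Bewerbung und Lebenslauf.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("Anschreiben.pdf", b"%PDF-1.4\n%constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_zip()).items():
        print(member)
        for reason in reasons:
            print("  -", reason)
```

The magic-byte check matters more than the name check: renaming the file is free for the attacker, but a PE has to start with "MZ" to run, so content-versus-claimed-type is the part that survives the next campaign's file name.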

When opened, the malware flashes the screen in various colors and then begins overwriting the files on the victim's computer.

Destroying the data

Once Ordinypt starts, it begins destroying the files on the victim's computer. The process is almost identical to how ransomware works: it skips certain folders and file extensions, terminates processes (database engines, among others) that could hold files open, and even appends an extension to the 'encrypted' files, as shown below. The difference is that the content is overwritten with garbage rather than encrypted with a key, so there is nothing to decrypt.

Encrypted Files

After the wiping has finished, it also deletes shadow volume copies, disables the Windows 10 recovery environment and turns off automatic startup repair by launching cmd.exe with the following arguments:

/k vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
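That command chain is also the most reliable host-based detection for this family and for most ransomware: shadow copy deletion followed by bcdedit changes to the default boot entry is rarely legitimate and almost always happens seconds before or after the damage. The script below is an added example for this article, not BleepingComputer's or the malware's code. It runs three regex rules over constructed process-creation events, loosely modelled on the Image, ParentImage and CommandLine fields of Windows process-creation telemetry such as Sysmon event ID 1 (the field names and the sample events are assumptions of this example), and rates an event "high" when shadow deletion and a bcdedit recovery change occur together, as they do in the wiper's chain.

```python
"""Detect the recovery-sabotage command chain Ordinypt runs after wiping.

Added example for this article, not code from BleepingComputer or from the
malware. The events below are constructed and loosely modelled on the
Image / ParentImage / CommandLine fields of process-creation telemetry
(e.g. Sysmon event ID 1); the field names are an assumption of this example.
"""
import re

# (rule name, case-insensitive regex over the command line).
# The shadow rule deliberately does not require '/all /quiet' so that deletion
# of a single volume's copies is caught as well.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("recovery_env_disabled",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("startup_repair_disabled",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
]


def match_event(cmdline: str) -> list[str]:
    """Return the names of every rule that fires on one command line.

    cmd.exe /k chains commands with '&', so a single event can hit several
    rules; the chained children then show up again as separate events.
    """
    return [name for name, rx in RULES if rx.search(cmdline)]


def score_events(events: list[dict]) -> list[dict]:
    """Return the events that hit at least one rule, annotated with the rule
    names and a severity: 'high' when shadow deletion and a bcdedit recovery
    change are seen in the same command line (the wiper's exact chain),
    otherwise 'medium'."""
    hits = []
    for ev in events:
        names = match_event(ev.get("CommandLine", ""))
        if not names:
            continue
        bcdedit_hit = any(n in ("recovery_env_disabled", "startup_repair_disabled") for n in names)
        severity = "high" if "shadow_copy_deletion" in names and bcdedit_hit else "medium"
        hits.append({**ev, "rules": names, "severity": severity})
    return hits


# Constructed sample telemetry: the wiper's chain, one child it spawns,
# and two benign administrative commands that must not fire.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\hr\Downloads\Eva Richter Bewerbung und Lebenslauf.pdf.exe",
     "CommandLine": r"cmd.exe /k vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"vssadmin  delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"vssadmin list shadows"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"bcdedit /enum"},
]

if __name__ == "__main__":
    for hit in score_events(SAMPLE_EVENTS):
        print(hit["severity"], hit["rules"], "parent:", hit["ParentImage"])
```

In a real deployment the parent image is the second signal worth alerting on: a cmd.exe chain like this being spawned by a freshly downloaded ".pdf.exe" in a user's Downloads folder is enough on its own, regardless of which commands it runs.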

When done, a ransom note named in the format [extension]_how_to_decrypt.txt, where [extension] is the extension appended to that victim's files, will be found in each folder. It contains instructions to go to a Tor site and make a payment to get a decryptor.

Ransom Note

In the 10 different victims seen by BleepingComputer, all had the same ransom amount of 0.1473766 BTC, approximately $1,518.92 USD at the time.

Payment information

As previously stated, while disguised as ransomware, this infection is actually a destructive wiper. Do not make any ransom payments: nothing the attackers provide will be able to decrypt your files, because the original content no longer exists.

There are known cases where the shadow volume copies are not deleted (vssadmin delete shadows requires administrative rights and fails silently when the malware runs as a standard user), so if you are affected by this wiper, check whether any remain with "vssadmin list shadows" from an elevated command prompt and, if so, try to restore your files from the Shadow Volume Copies.

IOCs:

File hashes (SHA-256):

24de0b9eb94e6f80fcd9078112015a92d9c42cec889452f069447af461edd7ff

Associated file names:

[extension]_how_to_decrypt.txt
Eva Richter Bewerbung und Lebenslauf.pdf.exe

Ransom note text:

============================ WELCOME ============================
============== DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAS BEEN RECOVERED! ==============

All of your files have been encrypted and now have the file extension: .MyyqA
The only way to recover your files is to purchase our decrypter software, which will only work for your PC.

For further instructions how to decrypt your files, please download the TOR Browser

========================================================


1. Download Tor Browser from: https://www.torproject.org
2. Install and open TOR Browser
3. Navigate to the following url: http://2u6gynsdszbd7ey3.onion/
4. Enter your access code

Your access code:

xxx

Copy & Paste it into the access code field


========================================================

Warning:

DO NOT MODIFY ANY OF THE ENCRYPTED FILES OR TRY OTHERWISE TO DECRYPT THEM YOURSELF
YOU RISK DAMAGING THE FILES AND YOU WILL LOOSE YOUR FILES FOREVER!

Skipped folders:

windows
recycle.bin
mozilla
google
boot
application data
appdata
program files
program files (x86)
programme
programme (x86)
programdata
perflogs
intel
msocache
system volume information

Terminated Programs:

notepad.exe
dbeng50.exe
sqbcoreservice.exe
encsvc.exe
mydesktopservice.exe
isqlplussvc.exe
agntsvc.exe
sql.exe
sqld.exe
mysql.exe
mysqld.exe
oracle.exe

Skipped file list:

.adv, .ADV, .ani, .ANI, .bat, .BAT, .bin, .BIN, .cab, .CAB, .cmd, .CMD, .com, .COM, .cpl, .CPL, .cur, .CUR, .deskthemepack, .DESKTHEMEPACK, .diagcab, .DIAGCAB, .diagcfg, .DIAGCFG, .diagpkg, .DIAGPKG, .dll, .DLL, .drv, .DRV, .exe, .EXE, .hlp, .HLP, .icl, .ICL, .icns, .ICNS, .ico, .ICO, .ics, .ICS, .idx, .IDX, .ldf, .lnk, .LNK, .mod, .MOD, .mpa, .MPA, .msc, .MSC, .msp, .MSP, .msstyles, .MSSTYLES, .msu, .MSU, .nls, .NLS, .nomedia, .NOMEDIA, .ocx, .OCX, .prf, .PRF, .psl, .PSL, .rom, .ROM, .rtp, .RTP, .scr, .SCR, .shs, .SHS, .spl, .SPL, .sys, .SYS, .theme, .THEME, .themepack, .THEMEPACK, .wpx, .WPX, .lock, .LOCK, .hta, .HTA, .msi, .MSI, autorun.inf, boot.ini, bootfont.bin, bootsect.bak, desktop.ini, iconcache.db, ntldr, ntuser.dat, ntuser.dat.log, ntuser.ini, bootmgr, bootnxt, thumbs.db
