In the past decade, cybercriminals have used cyber threats almost exclusively to generate profit for themselves: they deploy malware that extorts victims for money, collects their financial details, steals cryptocurrency wallets, or hijacks the computer’s processing power to mine various cryptocurrencies. However, some groups still rely on malware that is purely destructive, and this is exactly the case with Ordinypt Wiper, a piece of malware capable of damaging a large number of files in a matter of minutes. Attacks with the Ordinypt Wiper target German users and companies exclusively, and its authors still try to make money from the attack even though they cannot help their victims at all.
German Users are Again the Targets of a Data Wiper
The first reports from victims of the Ordinypt Wiper were published online on September 11, 2019, but this is certainly not the first time malware researchers have encountered this threat. It also goes by the name ‘HSDFSDCrypt Ransomware,’ and it was first used in 2017; that campaign, too, targeted German systems exclusively. Currently, the Ordinypt Wiper is spread via fake job-application emails that claim to contain the CV of ‘Eva Richter.’ Instead of a legitimate document, however, the recipient downloads a disguised ‘.exe’ file that carries the Ordinypt Wiper’s payload.
Once the wiper is launched, it immediately begins carrying out the tasks needed to damage the victim’s files and leave them with as few recovery options as possible. The Ordinypt Wiper will:
- Damage the contents of all targeted file types by overwriting them with random characters. This is not decryptable and cannot be reversed reliably; the only way to restore a file is to replace it with a backup copy.
- Just like ransomware, rename all corrupted files by appending a random extension to their names.
- Terminate particular processes that may prevent it from overwriting the contents of some files.
- Spare specific file types, directories, and files to ensure that the user’s operating system will continue to work after the attack.
- Disable System Restore and the Windows 10 Recovery Environment, and delete the Shadow Volume Copies.
- Create a ransom note that urges the user to pay, saved as ‘[random extension]_how_to_decrypt.txt.’
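The behaviours listed above (random overwrite, random extension, a note named after that extension, spared system files) give a responder enough to triage an affected machine and build the restore list before touching a backup. The following Python script is an added example written for this article; it is not code from the original page or from any vendor tool. It scans a directory, finds ransom notes matching the ‘<extension>_how_to_decrypt.txt’ pattern, flags files that carry the extension the note names or whose contents have the near-uniform byte entropy of a random overwrite, and pulls the Bitcoin fee out of the note. The extension ‘k7qz’, the note wording, the entropy threshold of 7.0 bits per byte, and all function names are assumptions made for the example; the sample directory it builds is constructed inline so the script runs offline.

```python
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Ransom-note naming described in the write-up: '<random extension>_how_to_decrypt.txt'.
NOTE_RE = re.compile(r"^([A-Za-z0-9]+)_how_to_decrypt\.txt$", re.IGNORECASE)
# Amount pattern used to pull the hard-coded Bitcoin fee out of a note (assumed wording).
AMOUNT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(?:BTC|Bitcoins?)\b", re.IGNORECASE)
# Heuristic: content overwritten with random bytes approaches 8 bits/byte of entropy,
# while documents and configuration files stay well below this (assumed threshold).
ENTROPY_THRESHOLD = 7.0

# Constructed ransom-note text; the fee is the one quoted in the write-up, nothing else is real.
NOTE_TEXT = (
    "Your files have been encrypted.\n"
    "To recover them, pay 0.1473766 Bitcoin to the address below.\n"
    "[bitcoin address placeholder]\n"
)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_ransom_amount(note_text: str):
    """Return the Bitcoin amount named in a note, or None if no amount is found."""
    m = AMOUNT_RE.search(note_text)
    return float(m.group(1)) if m else None


def find_ransom_notes(root: Path) -> dict:
    """Map each random extension to the ransom note that carries it in its file name."""
    notes = {}
    for p in root.rglob("*"):
        m = NOTE_RE.match(p.name)
        if m and p.is_file():
            notes[m.group(1).lower()] = p
    return notes


def triage(root) -> dict:
    """Classify every file under root so the restore list can be built from a backup."""
    root = Path(root)
    notes = find_ransom_notes(root)
    renamed, random_content, likely_intact = [], [], []
    for p in root.rglob("*"):
        if not p.is_file() or NOTE_RE.match(p.name):
            continue
        rel = p.relative_to(root).as_posix()
        ext = p.suffix.lstrip(".").lower()
        entropy = shannon_entropy(p.read_bytes())
        if ext in notes:                      # extension matches a dropped note
            renamed.append(rel)
        if entropy >= ENTROPY_THRESHOLD:      # body looks like a random overwrite
            random_content.append(rel)
        if ext not in notes and entropy < ENTROPY_THRESHOLD:
            likely_intact.append(rel)         # e.g. files the wiper spares so Windows still boots
    return {
        "note_extensions": sorted(notes),
        "ransom_btc": {ext: parse_ransom_amount(path.read_text(errors="replace"))
                       for ext, path in notes.items()},
        "renamed": sorted(renamed),
        "random_content": sorted(random_content),
        "likely_intact": sorted(likely_intact),
        # Anything renamed or overwritten cannot be decrypted; it must come from backup.
        "restore_from_backup": sorted(set(renamed) | set(random_content)),
    }


def build_sample(root) -> None:
    """Write a constructed post-attack directory: two wiped user files, a note, spared files."""
    root = Path(root)
    (root / "Windows").mkdir()
    (root / "Windows" / "system.ini").write_text("[drivers]\nwave=mmdrv.dll\n")
    (root / "readme.txt").write_text("Quarterly planning notes for the Berlin office.\n" * 20)
    for name in ("report.docx.k7qz", "notes.txt.k7qz"):   # 'k7qz' is a made-up extension
        (root / name).write_bytes(os.urandom(4096))       # stands in for the random overwrite
    (root / "k7qz_how_to_decrypt.txt").write_text(NOTE_TEXT)


def demo() -> dict:
    """Run the triage against the constructed sample in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against a real volume, `triage()` would be pointed at the user profile rather than a temp directory; the entropy check matters because it also catches files the wiper overwrote but did not manage to rename, and the `restore_from_backup` list is the set that has to come from backup because there is no key to recover.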
The ransom fee appears to be hardcoded, as several victims of the Ordinypt Wiper were asked to pay exactly 0.1473766 Bitcoins, approximately $1,500. Of course, you should not pay a single cent to the authors of the Ordinypt Wiper, since they are unable to help. The best course of action is to use an anti-virus engine to remove all files associated with the Ordinypt Wiper and then restore your data from a backup.