Ordinypt Ransomware Destroys Files Instead of Encrypting Them

Ordinypt ransomware virus is new. For now, it targets only German victims, however, this can change soon.

The distinctive feature of Ordinypt is its way to deal with user files. The virus in question rewrites data with random info making the file unsuitable for use and literary destroying it.

This ransomware is being spread by means of spam emails. The email itself and ransom note are written in German without any grammar or lexical errors. It means German is the native language of the Ordinypt ransomware creator.

Most emails that malware researchers found this week pretend to be CVs (resumes) sent in reply to job offers. These malicious emails carry two files as attachments. These are an image of the woman (who is supposedly replying to job adverts) and a ZIP archive with the resume.

Attachments are called Viktoria Henschel - Bewerbungsunterlagen.zip and Viktoria Henschel - Bewerbungsfoto.jpg.

There are two executable files inside the ZIP archive. Both of them use old tricks like custom icon and double extension to fool the victims into believing they see PDF docs. By default, Windows will hide the known extension and so victims cannot see the EXE extension. Users will see only the PDF name.


Once launched, the executable will start the virus which is going to search for files and change the contents with random numbers and letters. Again, Ordinypt does not apply any encryption but rewrites the file contents. It looks like authors want their virus to resemble ransomware. In fact, Ordinypt is a wiper.

The same algorithm employed for generating random data inside the affected files is used to create a new file name which consists of 14 alpha-numeric characters.

Infected users may find a ransom note inside every folder. Its name is: Wo_sind_meine_Dateien.html.

There is no way for the victim to find his\her infection ID. There is also no indication on how to contact the hacker in order to receive the files back. Ordinypt just provides a random Bitcoin address which is selected from 101 address hardcoded inside the virus.

All these virus characteristics show intentional file destruction motives. Virus authors want just to damage computer systems rather than gain profits from their malware.

Masking as job applications and aiming at human resource departments allows hackers to damage plenty of businesses as most of them are in constant search of new employees.