The backdrop
A new spam campaign disguised as a job application from a person named “Eva Richter” distributes the destructive malware ‘Ordinypt Wiper’ onto victims’ systems.
How does the campaign work?
This spam campaign targets German recipients with phishing emails disguised as a job application. The campaign has been observed since September 11, 2019.
The ransom note
After encrypting victims’ files, the malware drops a ransom note named [extension]_how_to_decrypt.txt. The ransom note contains payment instructions to get a decryptor.
Ordinypt Wiper demands a ransom amount of 0.1473766 BTC, which is approximately $1,518.92.
“All of your files have been encrypted and now have the file extension .MyyqA. The only way to recover your files is to purchase our decryptor software, which will work only for your PC.
For further instructions on how to decrypt your files, please download the TOR browser,” the ransom note read, BleepingComputer reported.
What to watch for?
Ordinypt behaves like ransomware: it skips files, terminates processes, encrypts files, appends an extension to the 'encrypted' files, and drops ransom notes. It also deletes shadow volume copies and disables the Windows 10 recovery environment after encrypting files.
However, unlike ransomware, Ordinypt destroys and wipes the encrypted files on a victim's computer. Therefore, even if victims make ransom payments and purchase a decryptor, they will not be able to recover their files.
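The behaviours listed above can be turned into a simple triage check. The following is an added example, not part of the original report: it flags folders where a note named `<extension>_how_to_decrypt.txt` sits beside files carrying that same extension, and flags process command lines that delete shadow copies or disable recovery. The vssadmin, wmic and bcdedit patterns are assumptions (the article does not name the commands used), and all sample paths and command lines are constructed.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Note name format from the article: "<extension>_how_to_decrypt.txt"
NOTE_RE = re.compile(r"^([A-Za-z0-9]{3,10})_how_to_decrypt\.txt$", re.I)
# Assumption: standard Windows tools for the actions the article describes.
RECOVERY_TAMPER = [
    ("shadow_copy_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_copy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
]

def find_note_extension_matches(paths, min_files=3):
    """Map folder -> (ext, count) where a note's prefix equals the extension
    appended to at least min_files files in the same folder."""
    notes, ext_counts = {}, Counter()
    for p in map(PureWindowsPath, paths):
        folder = str(p.parent).lower()
        m = NOTE_RE.match(p.name)
        if m:
            notes.setdefault(folder, set()).add(m.group(1).lower())
        elif p.suffix:
            ext_counts[(folder, p.suffix[1:].lower())] += 1
    return {d: (e, ext_counts[(d, e)]) for d, exts in notes.items()
            for e in exts if ext_counts[(d, e)] >= min_files}

def classify_command_lines(command_lines):
    """Return (label, command_line) for each line that tampers with recovery."""
    findings = []
    for line in command_lines:
        for label, rx in RECOVERY_TAMPER:
            if rx.search(line):
                findings.append((label, line))
                break
    return findings

# Constructed sample data (not taken from a real incident).
SAMPLE_PATHS = [
    r"C:\Users\demo\Documents\budget.xlsx.MyyqA",
    r"C:\Users\demo\Documents\cv.docx.MyyqA",
    r"C:\Users\demo\Documents\notes.txt.MyyqA",
    r"C:\Users\demo\Documents\MyyqA_how_to_decrypt.txt",
    r"C:\Tools\readme_how_to_decrypt.txt",  # look-alike: no ".readme" files nearby
]
SAMPLE_CMDS = [
    r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    r"bcdedit /set {default} recoveryenabled no",
    r"vssadmin list shadows",  # benign query, must not match
]
```

Requiring the note prefix to match an extension seen on several neighbouring files keeps a stray file that merely ends in `_how_to_decrypt.txt` from raising an alert on its own.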