New spam campaign targets German speaking users with Ordinypt Wiper

  • This spam campaign targets German-speaking users with phishing emails disguised as a job application.
  • Unlike ransomware, Ordinypt destroys and wipes the encrypted files on a victim's computer.

The backdrop

A new spam campaign disguised as a job application from a person named “Eva Richter” delivers the destructive malware ‘Ordinypt Wiper’ to victims’ systems.

How does the campaign work?

This spam campaign targets German-speaking users with phishing emails disguised as a job application. The campaign has been observed since September 11, 2019.

  • The phishing emails have a subject line similar to “Bewerbung via Arbeitsagentur - Eva Richter”.
  • The emails contain a stock photo image of the job applicant, and a zip file named “Eva Richter Bewerbung und Lebenslauf.zip” disguised as a resume.
  • The zip file attachment includes a malicious file called “Eva Richter Bewerbung und Lebenslauf.pdf.exe” which is an executable that installs the Ordinypt malware.
  • Once installed, Ordinypt flashes the screen in various colors and then starts encrypting the victim's computer.
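
A mail-gateway style check for the attachment pattern described above, as an added example that is not part of the original report: it lists a zip's members and flags names where an executable extension follows a document extension. The extension lists, function names and the two extra sample file names are assumptions made for this example.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import Optional

# Assumed extension lists for this example; tune them to your mail policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}

def classify_member(name: str) -> Optional[str]:
    """Return 'double-extension', 'executable' or None for one member name."""
    # Keep only the file name and normalize case before reading suffixes.
    base = PurePosixPath(name.replace("\\", "/")).name.strip().lower()
    suffixes = PurePosixPath(base).suffixes
    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
        return None
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"

def scan_zip(data: bytes) -> list:
    """List (member name, verdict) pairs for every flagged file in a zip."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                verdict = None if info.is_dir() else classify_member(info.filename)
                if verdict:
                    findings.append((info.filename, verdict))
    except zipfile.BadZipFile:
        findings.append(("<archive>", "unreadable"))  # hold for manual review
    return findings

def build_sample(names) -> bytes:
    # Constructed in-memory zip with placeholder content, so this runs offline.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder")
    return buf.getvalue()

SAMPLE = build_sample([
    "Eva Richter Bewerbung und Lebenslauf.pdf.exe",  # name reported on the page
    "Lebenslauf.pdf",                                # constructed, benign
    "tools/setup.EXE",                               # constructed
])

if __name__ == "__main__":
    for member, verdict in scan_zip(SAMPLE):
        print(f"{verdict}: {member}")
```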

The ransom note

After encrypting victims’ files, the malware drops a ransom note named [extension]_how_to_decrypt.txt. The ransom note contains payment instructions to get a decryptor.

Ordinypt Wiper demands a ransom amount of 0.1473766 BTC, which is approximately $1,518.92.

“All of your files have been encrypted and now have the file extension .MyyqA. The only way to recover your files is to purchase our decryptor software, which will work only for your PC.

For further instructions on how to decrypt your files, please download the TOR browser,” the ransom note read, BleepingComputer reported.

What to watch for?

Ordinypt behaves like ransomware: it skips files, terminates processes, encrypts files, appends an extension to the 'encrypted' files, and drops ransom notes. It also deletes shadow volume copies and disables the Windows 10 recovery environment after encrypting files.

However, unlike ransomware, Ordinypt destroys and wipes the encrypted files on a victim's computer. Therefore, even if victims make ransom payments and purchase a decryptor, they will not be able to recover their files.
