A new ransomware strain called Ordinypt (also known under the cryptic name “HSDFSDCrypt” or, in full, Win32.Trojan-Ransom.HSDFSDCrypt.A) is currently targeting victims in Germany, but instead of encrypting users’ documents, the ransomware rewrites files with random data. The malware is distributed via e-mail, disguised as an application for a job posting.
Michael Gillespie originally discovered it when one of its ransom notes was uploaded to ID-Ransomware. It was named HSDFSDCrypt for lack of a better name, but G Data has since renamed it Ordinypt. According to G Data, it is currently mainly affecting users in Germany.
This Monday, G Data analyst Karsten Hahn took a closer look at the ransomware, found a sample, and discovered that it has been targeting German users (based on VirusTotal detections) via emails written in German and delivering ransom notes in error-free German.
Similar to how the original Petya ransomware was distributed, Ordinypt also poses as a resume sent in reply to job adverts. These emails contain two files: a JPG image of the woman supposedly sending the resume, and a ZIP file containing the resume and a curriculum vitae. These attachments are named Viktoria Henschel – Bewerbungsfoto.jpg and Viktoria Henschel – Bewerbungsunterlagen.zip.
What is striking first of all is that Ordinypt is written in a programming language that is unusual for ransomware (Delphi). As with any ransomware, the data is encrypted, and the file names appear to be chosen at random. Inside the files themselves, the encrypted data is encoded again (in base64); why this is done and what purpose the creators pursue with it is still unclear at present.
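A triage heuristic for the on-disk pattern described above, as an added example that is not from the original article or from G Data's analysis: it flags files whose entire content is base64 text that decodes to high-entropy bytes. The function names, the 256-character minimum and the 7.0 bits-per-byte threshold are assumptions, and the sample data is constructed.

```python
import base64
import hashlib
import math
import re
from collections import Counter
from pathlib import Path

B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")
MIN_LEN = 256          # assumed: shorter files give unreliable entropy
ENTROPY_BITS = 7.0     # assumed threshold, bits per byte (maximum is 8.0)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (data must be non-empty)."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def looks_overwritten(data: bytes) -> bool:
    """True if the whole content is base64 that decodes to high-entropy bytes."""
    body = data.translate(None, b"\r\n")   # tolerate line-wrapped base64
    if len(body) < MIN_LEN or len(body) % 4 or not B64_RE.fullmatch(body):
        return False
    try:
        decoded = base64.b64decode(body, validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return False
    return shannon_entropy(decoded) >= ENTROPY_BITS

def scan(root: str) -> list[str]:
    """Return sorted paths under root whose content matches the heuristic."""
    files = (p for p in Path(root).rglob("*") if p.is_file())
    return sorted(str(p) for p in files if looks_overwritten(p.read_bytes()))

def constructed_samples() -> dict[str, bytes]:
    """Constructed test data, not taken from a real sample."""
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    return {
        "noise_b64": base64.b64encode(noise),   # should be flagged
        "text_b64": base64.b64encode(b"Sehr geehrte Damen und Herren, " * 40),
        "plain": b"Sehr geehrte Damen und Herren, anbei meine Bewerbung.\n" * 10,
    }

if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(name, looks_overwritten(blob))
```

Legitimate base64-only files match as well, so hits are candidates for review against backups rather than confirmation of damage.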
An attack of this kind, targeted at HR departments with customized cover letters, made headlines at the turn of the year 2016/17. At that time, police and federal authorities warned of a ransomware called Goldeneye, which was distributed in attached Excel files.