Ordinypt: alleged outbreak of blackmail Trojan in Germany is puzzling
The recently discovered ransomware Ordinypt deletes files instead of encrypting them and targets German HR departments with fake PDF files. However, there are hardly any signs of infections in the wild.
For a few days, security researchers have been investigating the blackmail Trojan Ordinypt (or HSDFSDCrypt), which seems to be targeting German companies. Instead of encrypting its victims' data, it simply deletes the data and still demands a ransom.
Curiously enough, the Trojan is written in Delphi, a programming language that is not very common these days, especially in malware. It is also striking that so far there are virtually no reports of outbreaks in the wild.
EXE files disguised as PDFs
Various security researchers have now examined the malicious code quite thoroughly. It is sent as a ZIP archive attached to a well-made phishing mail. If the victim opens this archive, two EXE files are extracted, which are disguised as legitimate PDF documents by means of the extension .pdf.exe and a matching icon. In particular, users who have disabled the display of file extensions (which is the default setting for modern versions of Windows) may think that these are PDF files. If the victim double-clicks on one of the two files (by name, an alleged application and a CV), the Trojan becomes active.
A sample of the malware renames a large number of files with various extensions (from image and video files to various documents to backup archives) and deletes their contents. Files in the Windows directory are usually spared. The Trojan also creates an HTML file containing a blackmail message, which uses JavaScript to select a Bitcoin address from a list of nearly one hundred possible addresses.
Tests by Heise Security showed that the malicious code successfully deletes file contents on Windows XP, Vista, 7 and 8. An up-to-date Windows 10 system survived the attack without damage, for reasons unknown to us.
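The .pdf.exe disguise described above can be caught by inspecting ZIP attachments before they reach a user. The following Python check is an added example, not code from Heise Security or the researchers mentioned; the extension lists, function names and sample file names are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed extension lists for this example; adjust them to local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def find_disguised_executables(zip_bytes):
    """Return archive member names that end in <document ext>.<executable ext>."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Look only at the file name, not the folder path inside the archive.
            name = info.filename.replace("\\", "/").rsplit("/", 1)[-1]
            # Windows ignores trailing dots and spaces, so drop them here too.
            parts = name.rstrip(" .").lower().split(".")
            if len(parts) < 3:
                continue  # fewer than two extensions, e.g. "setup.exe"
            # strip() tolerates stray whitespace around an extension.
            last = "." + parts[-1].strip()
            previous = "." + parts[-2].strip()
            if last in EXECUTABLE_EXTS and previous in DECOY_EXTS:
                hits.append(info.filename)
    return hits


def build_sample_zip():
    """Build a constructed test archive in memory; members hold placeholder bytes."""
    names = ["application.pdf.exe", "docs/CV.PDF.EXE", "notes.pdf",
             "setup.exe", "report.v2.pdf"]
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name in names:
            archive.writestr(name, b"placeholder")
    return buffer.getvalue()


if __name__ == "__main__":
    for member in find_disguised_executables(build_sample_zip()):
        print("disguised executable in attachment:", member)
```

The check flags only the document-plus-executable pattern; whether plain executables in attachments are allowed at all is a separate policy decision.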
Averted outbreak?
According to research so far, the malware was discovered when an unknown person uploaded the Trojan's extortion message to the ID Ransomware service. Later, a security researcher from G-Data discovered a copy of the malicious code. So far, Heise Security is not aware of any companies or individuals outside the IT security community who have received Ordinypt by mail, let alone been infected. Currently, most well-known anti-virus programs detect the malware, so almost all users with up-to-date virus protection should be protected against infection.
It is therefore unclear whether Ordinypt has caused any appreciable damage in Germany and what purpose the authors of the Trojan were ultimately pursuing. At first glance, it seems to be a wiper Trojan, which, like NotPetya and WannaCry, is mainly intended to cause confusion and damage rather than to extort as much money as possible. On the other hand, those outbreaks quickly produced a huge number of infected systems, whereas Ordinypt seems to have done little or no harm.