Although Ordinypt is classified as a ransomware variant, it actually falls into a new category of destructive malware known as a data wiper. Instead of encrypting files, it destroys data by overwriting file contents with randomly generated uppercase and lowercase letters and numbers. Ordinypt disguises itself as ransomware and is delivered to victims via an email attachment: a zip file containing two malicious executables masquerading as a resume and a curriculum vitae (CV), both of which appear to end users as legitimate PDF documents. If either executable is run, Ordinypt begins its destructive process. A fake ransom note named Wo_sind_meine_Dateien.html (German for Where_are_my_files.html) is placed in every folder where files have been destroyed. Although dubbed a ransom note, it contains no contact information through which victims could obtain decryption instructions or send a ransom payment. At the time of discovery, the Ordinypt campaign was targeting only German-based companies. However, the NJCCIC assesses with high confidence that malicious actors will increasingly deploy destructive disk-wiping malware against targets worldwide in an effort to cause permanent damage to companies, organizations, and governments. We strongly recommend that all organizations implement a robust data backup plan in which comprehensive backups are scheduled often, stored off the network in a secure location, and tested regularly.
- Bleeping Computer provides more information on Ordinypt here.
- As this variant doesn't actually encrypt the data, but rather destroys it by overwriting files with random characters, there is no free decryption tool available and data impacted by Ordinypt cannot be recovered.
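The two observable traces described above (the Wo_sind_meine_Dateien.html note in each affected folder, and file contents replaced by random letters and digits) can be turned into a simple triage scan for responders assessing the scope of damage. The script below is an added illustration, not code from the NJCCIC or from any Ordinypt sample; the folder and file names in `demo()` are constructed, and the all-alphanumeric heuristic is an assumption drawn from the description of the overwrite, so treat it as a first-pass indicator rather than proof.

```python
import os
import random
import string
import tempfile
from pathlib import Path

# Filename of the fake ransom note Ordinypt drops into each folder it has destroyed.
RANSOM_NOTE = "Wo_sind_meine_Dateien.html"
ALNUM = frozenset(string.ascii_letters.encode() + string.digits.encode())

def looks_wiped(data: bytes, min_len: int = 64) -> bool:
    """Heuristic (assumed from the write-up): an overwritten file is nothing but ASCII
    letters and digits, with no whitespace, newlines or magic bytes. Files shorter
    than min_len are ignored to limit false positives on tiny text files."""
    return len(data) >= min_len and all(b in ALNUM for b in data)

def triage(root: str) -> dict:
    """Walk a tree; report folders holding the note and files that look overwritten.
    A note without suspicious siblings is still recorded as an indicator."""
    report = {"note_folders": [], "wiped_files": []}
    for dirpath, _, filenames in os.walk(root):
        if RANSOM_NOTE in filenames:
            report["note_folders"].append(dirpath)
        for name in filenames:
            if name == RANSOM_NOTE:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # a sample of the file is enough for the check
            except OSError:
                continue
            if looks_wiped(head):
                report["wiped_files"].append(path)
    return report

def demo() -> dict:
    """Build a constructed sample tree (not real Ordinypt output) and triage it."""
    root = tempfile.mkdtemp(prefix="ordinypt_triage_")
    hit = Path(root, "Bewerbung")          # hypothetical affected folder
    hit.mkdir()
    (hit / RANSOM_NOTE).write_text("<html>Wo sind meine Dateien?</html>")
    rng = random.Random(1)                 # deterministic, constructed "wiped" content
    alnum = string.ascii_letters + string.digits
    (hit / "Lebenslauf.docx").write_text("".join(rng.choice(alnum) for _ in range(512)))
    clean = Path(root, "Projekte")         # untouched folder with an ordinary text file
    clean.mkdir()
    (clean / "notes.txt").write_text("Meeting notes\nfollow up on backups\n" * 8)
    return triage(root)
```

Run `demo()` to see the report on the constructed tree; on a real system, point `triage()` at the affected share and reconcile the listed folders against the most recent tested backup.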