Why are cybercriminals disguising wipers as ransomware?
Quote:

There’s a new spam campaign in town. Disguised as a job application from a person named “Eva Richter”, the campaign aims to infect German-speaking users with a strain of malware known as Ordinypt.

Ordinypt resembles your run-of-the-mill ransomware but contains no mechanism that allows users to retrieve their files. Instead, it simply overwrites the data, rendering it permanently irrecoverable. The destructive nature of Ordinypt means there’s no incentive for victims to pay the ransomware, which begs the question: what’s the point?

How does the Ordinypt spam campaign work?

The Ordinypt spam campaign targets German-speaking people with emails that appear to be a job application. The emails are sent from “Eva Richter” and have the subject line “Bewerbung via Arbeitsagentur – Eva Richter” (“Application via employment office – Eva Richter”).

The body of the email contains the following text (translated from German):

Quote:
Dear Sirs and Madams,

I hereby apply for the position offered by you at the Employment Agency.

The field of activity you describe corresponds especially to my career prospects. My application documents are attached.

I would be very happy about an invitation to a personal job interview.

Yours sincerely,

Eva Richter

The emails contain an attached zip file that purports to be Eva’s resume. Inside the zip file is a file called “Eva Richter Bewerbung und Lebenslauf.pdf.exe”. Opening this file executes the Ordinypt malware, which seemingly begins to encrypt the victim’s files and adds an extension to the encrypted files.

When the process is complete, a ransom note is created. The note instructs victims to make a payment at a Tor site in order to receive a decryptor, which will allow them to recover their files. In the examples seen by BleepingComputer, the ransom amount was 0.145 BTC, or roughly $1,500.
...
Reply
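The double-extension attachment described in the quoted article (a file ending in ".pdf.exe" inside a zip) can be flagged before a user ever opens it. The following is an added example, not part of the original post or the article: a Python check that a mail gateway or triage script could run over a zip attachment. The extension lists and function names are assumptions chosen for illustration, and the sample archive is constructed with harmless placeholder contents.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists for illustration; extend them to match local policy.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}


def suspicious_entries(zip_bytes: bytes) -> list[str]:
    """Return member names whose final extension is executable while the
    extension just before it imitates a document type."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Look only at the file name, not its folder path. Windows ignores
            # trailing dots and spaces, so strip them before reading suffixes.
            name = PurePosixPath(info.filename.replace("\\", "/")).name
            suffixes = [s.lower() for s in PurePosixPath(name.rstrip(". ")).suffixes]
            if (len(suffixes) >= 2
                    and suffixes[-1] in EXEC_EXTS
                    and suffixes[-2] in DECOY_EXTS):
                hits.append(info.filename)
    return hits


def build_sample_zip(names: list[str]) -> bytes:
    """Build an in-memory zip of placeholder files (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in names:
            archive.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip([
        "Eva Richter Bewerbung und Lebenslauf.pdf.exe",  # name from the article
        "docs/Lebenslauf.pdf",                           # constructed, benign
        "tools/setup.exe",                               # constructed, one extension
    ])
    for entry in suspicious_entries(sample):
        print("double extension:", entry)
```

A single executable extension is deliberately not flagged here; blocking executables in archives outright is a separate, stricter policy.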