A new scam campaign disguised as a job application is attempting to infect German-speaking users with the destructive Ordinypt malware.
According to a report by Bleeping Computer, the campaign is aimed at German-speaking employers. It sends an email that appears to be a job application from someone named “Eva Richter”.
The email also contains a stock photo of a woman and a zip file named “Eva Richter Bewerbung und Lebenslauf.zip”, which is presented as the woman’s resume. In reality, the zip file is malicious and delivers Ordinypt.
If a user opens the file, the malware will flash various colours on the computer screen and start to encrypt the victim’s computer. As soon as Ordinypt starts, it begins destroying the files on the victim’s computer. The malware also deletes shadow volume copies.
“This process is almost identical to how a ransomware works, such as skipping files, terminating processes, not wiping certain extensions, and even appending an extension to the ‘encrypted’ files.”
A ransom note is placed in each folder, with instructions to make a payment via a Tor site in order to get a decryptor. However, there is absolutely no point in paying the ransom, as the malware is not ransomware but a destructive wiper. A victim who paid the ransom would still not be able to regain their files.
There have been some instances where the shadow volume copies were not deleted, so a victim whose shadow volume copies were left intact by the wiper has a chance of restoring their files from them.
It is advised that users keep an offline backup of their data on a separate hard drive, and always check the nature of any file received before opening it.
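One way to act on the advice to check a received file before opening it, as an added example that is not part of the original report: the script lists the contents of zip attachments in a message without extracting them. Only the attachment name comes from the article; the extension list, the addresses and the archive member names are constructed assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: extensions treated as directly executable on Windows (not from the article).
RISKY_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk")

def risky_members(zip_bytes):
    """Return archive member names that end in a risky extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(RISKY_EXT)]
    except zipfile.BadZipFile:
        # An attachment named .zip that cannot be parsed deserves a manual look.
        return ["<unreadable archive>"]

def triage_message(raw):
    """Map each zip attachment's filename to its risky members (only if any)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            hits = risky_members(part.get_payload(decode=True))
            if hits:
                findings[name] = hits
    return findings

def build_sample():
    """Constructed test message; the archive contents are invented for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Eva Richter Lebenslauf.pdf.exe", b"not a real binary")
        zf.writestr("Foto.jpg", b"placeholder")
    msg = EmailMessage()
    msg["Subject"] = "Bewerbung"
    msg["From"] = "applicant@example.invalid"
    msg["To"] = "hr@example.invalid"
    msg.set_content("Sehr geehrte Damen und Herren, ...")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Eva Richter Bewerbung und Lebenslauf.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for attachment, members in triage_message(build_sample()).items():
        print(f"{attachment}: risky members {members}")
```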
The post #privacy: Ordinypt malware targeting German users through fake resumes appeared first on PrivSec Report.