Why are cybercriminals disguising wipers as ransomware?

There’s a new spam campaign in town. Disguised as a job application from a person named “Eva Richter”, the campaign aims to infect German-speaking users with a strain of malware known as Ordinypt.

Ordinypt resembles your run-of-the-mill ransomware but contains no mechanism that allows users to retrieve their files. Instead, it simply overwrites the data, rendering it permanently irrecoverable. The destructive nature of Ordinypt means there’s no incentive for victims to pay the ransomware, which begs the question: what’s the point?

How does the Ordinypt spam campaign work?

The Ordinypt spam campaign targets German-speaking people with emails that appear to be a job application. The emails are sent from “Eva Richter” and have the subject line “Bewerbung via Arbeitsagentur – Eva Richter” (“Application via employment office – Eva Richter”).

The body of the email contains the following text (translated from German):

Dear Sirs and Madams,

I hereby apply for the position offered by you at the Employment Agency.

The field of activity you describe corresponds especially to my career prospects. My application documents are attached.

I would be very happy about an invitation to a personal job interview.

Yours sincerely,

Eva Richter

The emails contain an attached zip file that purports to be Eva’s resume. Inside the zip file is a file called “Eva Richter Bewerbung und Lebenslauf.pdf.exe”. Opening this file executes the Ordinypt malware, which seemingly begins to encrypt the victim’s files and adds an extension to the encrypted files.

When the process is complete, a ransom note is created. The note instructs victims to make a payment at a Tor site in order to receive a decryptor, which will allow them to recover their files. In the examples seen by BleepingComputer, the ransom amount was 0.145 BTC, or roughly $1,500.

============================ WELCOME ========================================== DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAS BEEN RECOVERED! ==============

All of your files have been encrypted and now have the file extension: .MyyqA

The only way to recover your files is to purchase our decrypter software, which will only work for your PC.

For further instructions how to decrypt your files, please download the TOR Browser

========================================================

1. Download Tor Browser from: https://www.torproject.org

2. Install and open TOR Browser

3. Navigate to the following url: http://2u6gynsdszbd7ey3.onion/

4. Enter your access code

Your access code:

xxx

Copy & Paste it into the access code field

========================================================

Warning:

DO NOT MODIFY ANY OF THE ENCRYPTED FILES OR TRY OTHERWISE TO DECRYPT THEM YOURSELF

YOU RISK DAMAGING THE FILES AND YOU WILL LOOSE YOUR FILES FOREVER!

From the encryption process to the ransom note, Ordinypt bears all the hallmarks of conventional ransomware. However, this is merely a disguise. Ordinypt is actually a wiper, a class of malware that is designed to destroy files. Files that have been affected by Ordinypt cannot be recovered, so if you have been infected with this malware do not pay the ransom – you’re not going to be able to decrypt your files.

Files that have been affected by Ordinypt cannot be recovered, so if you have been infected with this malware do not pay the ransom – you’re not going to be able to decrypt your files.

What’s the point?

Ordinypt isn’t the only wiper we’ve seen masquerading as ransomware recently. In early August 2019, GermanWiper caused headaches for German companies, permanently destroying users’ data while demanding ransom payments. In fact, destructive malware in general seems to be becoming more common, with IBM reporting that its X-Force Incident Response and Intelligence Services team saw a 200% increase in destructive malware cases between the second half of 2018 and the first half of 2019.

What do cybercriminals stand to gain by disguising their malware as ransomware?

The financial aspect

Well, they’re probably not in it for the money. While many ransomware attacks involve a wiper component, the wiper is typically used for extortion – to highlight the plight of the victim. The threat of permanent data destruction acts as a strong incentive for organizations to cough up the ransom, which results in more profits for the cybercriminals. Financial gain, not random destruction, is usually the primary goal of ransomware, and wipers are used as a means of achieving this goal.

In the case of Ordinypt, the motivation is a little less clear, but one thing’s for sure: financial gain probably isn’t the main objective. What makes ransomware so profitable is the fact that the cybercriminals generally hold up their end of the bargain – that is, if the victim pays the ransom, the cybercriminals will send them a decryptor that will allow them to recover their files. With Ordinypt and other wipers that are disguised as ransomware, victims know they have no chance of ever getting their files back, so there’s no incentive to even consider paying the ransom.

Economic disruption

Sometimes the purpose of obscuring wipers as ransomware is to achieve large-scale economic disruption. For example, in 2017, after a string of high-profile ransomware attacks, NotPetya was released upon the world.

Initially, NotPetya seemed like conventional ransomware designed to generate as much money as possible, but security researchers quickly realized something was amiss. The ransomware’s rudimentary payment and communication system meant long-term profit was never the main goal.

Instead, many security experts believe Petya was destructive malware disguised as ransomware, and was created by Russian military hackers to destabilize financial systems in Ukraine as part of the countries’ ongoing conflict. All in all, NotPetya generated about $10,000 in ransom payments but caused more than $1 billion in economic disruption.

Disguise the attack

Fabian Wosar, Chief Technology Officer here at Emsisoft, has another theory. He believes the recent wiper attacks may be aimed at a specific target, but are being distributed in large-scale spam campaigns in order to conceal the identity of the target and therefore obscure the identity of the attacker.

For example, it might look very suspicious if a disgruntled ex-employee wanted to get revenge by carrying out a singular attack on the individual company that recently fired him. However, if that same ex-employee were to send the malware to ten thousand organizations under the guise of a mass ransomware campaign, it might be a lot more challenging for authorities to pinpoint a suspect.

It’s possible that cybercriminals are taking a similar approach and using spam campaigns to hide their true target and, by association, their own identity.

Preventing wiper attacks

Regardless of the motivation behind these wipers-disguised-as-ransomware attacks, the fact remains that destructive malware poses a serious threat to companies around the world. A robust antivirus solution, frequent staff training and a comprehensive disaster recovery strategy are essential ingredients for any organization that wishes to mitigate the effects of malware in the months ahead.