News broke yesterday of a new ransomware discovered by security researchers from G Data Security, which is targeting German users, and intentionally destroying files, with the initial email and ransom note also written in German. Andy Norton, Director of Threat Intelligence at Lastline commented below.
Andy Norton, Director of Threat Intelligence at Lastline:
“Ordinypt, is a mysterious case. The method of infection has been documented for at least 6 months, it is essentially a fake email HR job application using the same photo but changing the female applicants name and updating the payload to reflect this. In this case the name used was Viktoria Henshel, but previous versions of this campaign date back to May, beginning with Giselle Wolf. All previous versions of this campaign have used Cerber as a ransomware payload- an extremely popular Ransomware payload with a well functioning payment method. This latest attack using the name Viktoria Henshel does not use Cerber, and has a very poor implementation of a payment method, suggesting that the threat actor does not want to get paid a ransom but merely wishes to destroy data of the targeted organisations. We may speculate that this change in motivation may indicate a copycat threat actor; Someone who is copying the tools, tactics and procedures of one established threat group, but has a very different motive.”
