KnowBe4 Security Awareness Training Blog

Germany Gets Hit With Destructive Filewiper Phishing Attack

Written by Stu Sjouwerman | Sep 16, 2019 6:00:00 AM

 

A new criminal campaign is underway that pretends to be a job application from "Eva Richter" who is sending "her photo and resume". This resume, though, is actually an executable masquerading as a PDF file that destroys a victim's files by installing the Ordinypt Wiper.

Ordinypt is a destructive malware commonly targeted at German people that pretends to be ransomware that encrypts your files and then demands victim's pay a ransom to get their files back. Unfortunately, even if a user pays the ransom, the files have been overwritten with garbage and cannot be decrypted.

Fake 'Eva Richter' job application

This campaign is currently targeting German speaking victims and pretending to be a job application from a person named "Eva Richter". These emails will have a subject line of "Bewerbung via Arbeitsagentur - Eva Richter".

The spam emails contain a stock photo image of a woman, who is supposed to be our job applicant, and a zip file named "Eva Richter Bewerbung und Lebenslauf.zip" that pretends to be her resume.

From the samples and ransom notes seen by BleepingComputer, this campaign appears to have started around September 11th, 2019.

Destroying the data

Once Ordinypt ​​​​​​ is started, it will begin to destroy the files on a victim's computer. This process is almost identical to how a ransomware works, such as skipping files, terminating processes, not wiping certain certain extensions, and even appending an extension to the 'encrypted' files as shown below.

Training Your Users

Your end-users are the weak link in your IT Security. They need to be sent simulated phishing attacks that look as close as possible like the real thing. That way they will recognize real attacks when they make it through all the filters into their inbox. Bleepingcomputer has the technical details.