{
	"id": "31e0d99f-7d6e-4d83-a693-abbad69343df",
	"created_at": "2026-04-06T00:12:55.548442Z",
	"updated_at": "2026-04-10T03:21:33.061774Z",
	"deleted_at": null,
	"sha1_hash": "1c6ced991b51fc6f05d3bb76905a40bd8ed00314",
	"title": "Ordinypt Ransomware Intentionally Destroys Files, Currently Targeting Germany",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1743281,
	"plain_text": "Ordinypt Ransomware Intentionally Destroys Files, Currently Targeting\r\nGermany\r\nBy Catalin Cimpanu\r\nPublished: 2017-11-09 · Archived: 2026-04-05 20:42:33 UTC\r\nA new ransomware strain called Ordinypt is currently targeting victims in Germany, but instead of encrypting users'\r\ndocuments, the ransomware rewrites files with random data.\r\nThis ransomware was first discovered by Michael Gillespie when one of its ransom notes was uploaded to ID-Ransomware.\r\nThis Monday, G Data security researcher Karsten Hahn found a sample and discovered that it has been targeting only\r\nGerman users (based on VirusTotal detections) via emails written in German, and delivering ransom notes in error-free\r\nGerman.\r\nWhen originally discovered by Michael, it was named HSDFSDCrypt for lack of a better name, but it has since been renamed\r\nOrdinypt by G Data.\r\nSimilar to how the original Petya Ransomware was distributed, Ordinypt arrives in emails posing as resumes sent in reply\r\nto job adverts. These emails contain two files — a JPG image of the woman supposedly sending a resume, and a ZIP file\r\ncontaining the resume and a curriculum vitae.\r\nhttps://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/\r\nPage 1 of 9\n\nThese attachments are named Viktoria Henschel - Bewerbungsfoto.jpg and Viktoria Henschel -\r\nBewerbungsunterlagen.zip.\r\nThe ZIP archive contains two EXE files that use the old double-extension and custom icon tricks to fool users into thinking\r\nthey're different files. 
In this case, PDF files.\r\nOn Windows PCs that hide the file extensions by default, the EXE extension will not show up, and users will only see the\r\nPDF part, enough to fool users into believing the files are legitimate PDFs, and not executables.\r\nOrdinypt replaces files with random data\r\nRunning either executable will launch the Ordinypt ransomware, or, more accurately, the Ordinypt wiper. Ordinypt is actually a\r\nwiper and not ransomware because it does not bother encrypting anything, but just replaces files with random data.\r\nAccording to reverse engineer Philipp Mackensen, Ordinypt will replace the contents of files with randomly generated\r\ncharacters consisting of uppercase and lowercase letters and numbers.\r\nFile names and content are generated by the same function (only needs a length as input) which randomly\r\ngenerates a string that consists of uppercase, lowercase and numeric characters. File size can differ between 8KB\r\nand 24KB (also random). Doesn't encrypt .png files tho.\r\n— Philipp Mackensen (@PMackensen) November 9, 2017\r\nPhilipp further told Bleeping Computer that the wiper performs a search for files just like any other ransomware, but just\r\n\"creates a \"pseudo-encrypted-file\" which in reality is just a garbage file and deletes the original file afterwards.\" 
Philipp\r\nwent on to say that they were most likely doing this to look like ransomware, while disguising the fact that it is a\r\nwiper.\r\nThe same algorithm used to generate the random data is also used to generate the new \"pseudo-encrypted-file's\" name,\r\nwhich is made up of 14 random alpha-numeric characters.\r\nOrdinypt doesn't even bother hiding its destructive nature, as the new files are sometimes more than half the size of the\r\noriginals.\r\nOrdinypt also drops a ransom note in every folder where it destroys files. The ransom note is named\r\nWo_sind_meine_Dateien.html, which translates to Where_are_my_files.html.\r\nOrdinypt is a wiper disguised as ransomware\r\nThe intentional data destruction behavior is evident in the way the ransom note was coded.\r\nUsually, ransomware strains show an infection ID and a Bitcoin address, Dark Web URL, or email address where victims\r\ncan contact the ransomware's operator and confirm the ransom payment.\r\nOrdinypt does not list an infection ID, nor does it ask for a file from which the ransomware's authors can extract such an ID.\r\nInstead, Ordinypt's ransom note uses a JavaScript function to select a random Bitcoin address from a list of 101 hardcoded\r\nwallet addresses.\r\nFurthermore, there's no way of contacting the faux ransomware's authors and verifying the payment. 
All evidence points to\r\nthe fact that someone coded Ordinypt with the intention to damage computers.\r\nThe targeting of HR departments via job application emails also speaks volumes about this being an intentional campaign to\r\ndamage the operations of some Germany-based companies.\r\nOrdinypt is not the first wiper disguised as ransomware. The most famous case is NotPetya, the faux ransomware that hit the\r\nUkraine in late June, but quickly spread to companies all over the world.\r\nIOCs:\r\nOrdinypt / HSDFSDCrypt Hash:\r\nSHA256: 085256b114079911b64f5826165f85a28a2a4ddc2ce0d935fa8545651ce5ab09\r\nOrdinypt / HSDFSDCrypt Spam email text:\r\nSehr geehrte Damen und Herren,\r\nanbei erhalten Sie meine Bewerbung für Ihre bei der Arbeitsagentur ausgeschriebene Stelle. Warum ich die Stelle optimal au\r\nIch freue mich, wenn ich mich Ihnen noch einmal persönlich vorstellen kann.\r\nMit freundlichen Grüßen,\r\nViktoria Henschel\r\nTranslated Spam:\r\nDear Sir or Madam,\r\nEnclosed you will receive my application for your job advertised at the Employment Agency. Please see my detailed and atta\r\nI'm glad if I can introduce myself once again.\r\nBest regards,\r\nViktoria Henschel\r\nOrdinypt / HSDFSDCrypt Ransom note text:\r\nIhre Dateien wurden verschlüsselt!\r\nSehr geehrte Damen und Herren,\r\nWie Sie mit Sicherheit bereits festgestellt haben, wurden alle Ihre Dateien verschlüsselt.\r\nWie erhalte ich Zugriff auf meine Dateien?\r\nUm Ihre Dateien erfolgreich zu entschlüsseln, benötigen Sie unsere Spezielle Software und den dazugehörigen Decrypt-Key.\r\nWo bekomme ich die Software?\r\nDie Entschlüsselungs-Software können Sie bei uns erwerben.\r\nDer Preis für die Entschlüsselungs-Software beläuft sich auf 0.12 Bitcoin (ca. 
600 Euro).\r\nBitte beachten Sie, dass wir ausschließlich Bitcoin für den Erwerb der Software akzeptieren.\r\nWo bekomme ich Bitcoin?\r\nBitcoin können Sie Online sowie Offline erwerben, eine Liste empfohlener Anbieter folgt:\r\nhttps://www.bitcoin.de/de/ - Online\r\nhttps://localbitcoins.com/ - Online / Offline\r\nhttps://btcdirect.eu/de-at - Online\r\nhttps://www.virwox.com - Online\r\nZahlungsanweisungen\r\nBitte transferieren Sie exakt 0.12 Bitcoin an folgende Addresse: 14DeorRVAaqEeLugPHhcHdejyEAL26gdpx\r\nNach erfolgreichem Zahlungseingang erhalten Sie automatisch die Entschlüsselungs-Software sowie den dazugehörigen Decrypt-ACHTUNG!\r\nSollten wir innerhalb von 7 Tagen keinen Zahlungseingang feststellen, gehen wir davon aus, dass Sie kein Interesse an der\r\nIhre Dateien wurden mit einem 256-Bit AES Algorithmus auf Militärqualität verschlüsselt. Wir empfehlen Ihnen keine Zeit mi\r\nBonus\r\nZusätzlich zur Entschlüsselungs-Software erhalten Sie nach erfolgreicher Zahlung, hinweise wie die Schadsoftware auf Ihre\r\nSource: https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/"
	],
	"report_names": [
		"ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany"
	],
	"threat_actors": [],
	"ts_created_at": 1775434375,
	"ts_updated_at": 1775791293,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1c6ced991b51fc6f05d3bb76905a40bd8ed00314.pdf",
		"text": "https://archive.orkl.eu/1c6ced991b51fc6f05d3bb76905a40bd8ed00314.txt",
		"img": "https://archive.orkl.eu/1c6ced991b51fc6f05d3bb76905a40bd8ed00314.jpg"
	}
}