Ordinypt, first reported as HSDFSDCrypt, is a trojan currently spreading in Germany. The infection looks like typical encryption-for-ransom malware, but looks can be deceiving.
Ordinypt is not a brand new type of malware, however. Its well-known counterpart, NotPetya, emerged back in June 2017. Just as Ordinypt targets Germany, NotPetya hit Ukraine. Both notify their victims that the data on the host machine has been encrypted. What could be worse for your data than true encryption by ransomware? Fake encryption, where the malware actually destroys the data concerned.
Ordinypt replaces the original content of files with random characters. Unlike encryption trojans, the malware does not transform files; it effectively removes all the data under attack. In place of the deleted files the infection drops new items, trash files half of the original size. No ransom payment recovers a single bit of data hit by the Ordinypt malware. Removal of Ordinypt is a universal response to the invasion.
The infection propagates through misleading emails. The trigger hides in attached files that pretend to be PDF documents containing a CV and similar job application material. The body of the message is written in flawless German.
Case studies of Ordinypt reveal that the infection lurks in two executables packed in an attached zip file. The email also includes a jpg file, which is a job seeker photo. This file does not contain any malware, but the items in the zip archive do.
As stated above, those files are not true PDF files. They carry a misleading file icon. Due to the vulnerability in the Windows procedure for displaying file icons, users readily believe they are dealing with PDF files.
The invader scans the affected PC for most types of data. The few exceptions are meant to spare enough system and software capacity for the machine to survive and connect to the hacker’s website. The hacker’s design is that the users find and read Wo_sind_meine_Dateien.html. This is the ransom note, written in German, which is placed in every folder that contains data destroyed by the fake ransomware. According to its message, a ransom payable in bitcoins (0.12 BTC) is to be transferred to the wallet specified.
Again, the infection is not ransomware. It is a wiper. The only reasonable response to the invasion is to remove the Ordinypt wiper. Help with data recovery and malware removal is available below.
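A mail filter should judge such attachments by content, not by icon or name. The following is an added example, not part of the original article: it inspects a zip archive in memory and flags members whose first bytes mark a Windows executable or whose name claims PDF while the content is not. The member names and sample bytes are constructed for illustration.

```python
import io
import zipfile

PE_MAGIC = b"MZ"        # first bytes of a Windows executable
PDF_MAGIC = b"%PDF-"    # first bytes of a genuine PDF
EXEC_EXTS = (".exe", ".scr", ".com", ".pif")

def audit_zip(data: bytes) -> list:
    """Return one finding per archive member with suspicious content or name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)           # magic bytes are enough
            name = info.filename.lower()
            reasons = []
            if head.startswith(PE_MAGIC):
                reasons.append("content is a Windows executable")
            if name.endswith(EXEC_EXTS):
                reasons.append("executable extension")
            if ".pdf" in name and not head.startswith(PDF_MAGIC):
                reasons.append("name claims PDF but content is not")
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings

def build_sample() -> bytes:
    """Constructed archive: one fake 'PDF' with a PE header, one real PDF stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Lebenslauf.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("Zeugnisse.pdf", b"%PDF-1.4\n% harmless placeholder\n")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in audit_zip(build_sample()):
        print(finding["member"], "->", "; ".join(finding["reasons"]))
```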
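Because the note sits in every folder the wiper processed, its file name can be used to scope the damage before restoring from backup. The following is an added example, not part of the original article: it walks a directory tree, treats folders holding the note as hit, and compares them with a backup manifest. The manifest format (a set of paths relative to the scanned root) and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

RANSOM_NOTE = "Wo_sind_meine_Dateien.html"  # note name given in the article

def scope_damage(root, manifest):
    """Compare the disk with a backup manifest (set of paths relative to root)."""
    # Folders carrying the note are the ones the wiper processed.
    hit = {os.path.relpath(d, root) for d, _sub, files in os.walk(root)
           if RANSOM_NOTE in files}
    # Originals listed in the backup but gone from a processed folder.
    to_restore = sorted(p for p in manifest
                        if (os.path.dirname(p) or ".") in hit
                        and not os.path.exists(os.path.join(root, p)))
    # Files in processed folders that the backup never knew: dropped trash.
    leftovers = []
    for d in sorted(hit):
        for name in sorted(os.listdir(os.path.join(root, d))):
            rel = os.path.normpath(os.path.join(d, name))
            if (name != RANSOM_NOTE and rel not in manifest
                    and os.path.isfile(os.path.join(root, rel))):
                leftovers.append(rel)
    return {"hit_dirs": sorted(hit), "to_restore": to_restore,
            "leftovers": leftovers}

def build_sample():
    """Constructed tree: 'docs' was wiped, 'pics' was not."""
    root = tempfile.mkdtemp()
    for d in ("docs", "pics"):
        os.mkdir(os.path.join(root, d))

    def write(rel, data):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)

    write(os.path.join("docs", RANSOM_NOTE), b"<html>constructed</html>")
    write(os.path.join("docs", "q7Zx1"), os.urandom(64))  # stand-in trash file
    write(os.path.join("pics", "cat.jpg"), b"\xff\xd8\xff constructed")
    manifest = {os.path.join("docs", "report.docx"),
                os.path.join("pics", "cat.jpg")}
    return root, manifest

if __name__ == "__main__":
    sample_root, sample_manifest = build_sample()
    print(scope_damage(sample_root, sample_manifest))
```

Run it against a mounted copy of the affected disk, and only copy the `to_restore` entries back once the wiper has been removed.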
Automated cleanup to remove Ordinypt virus
1. Click the button to download the stub installer and go through several setup dialogs. Once the tool is up and running, click Start Computer Scan.
2. Wait until the cleaner checks the PC for Ordinypt ransomware malicious code. As soon as the scan is completed, the report will list all malware objects spotted in the system. Make sure the entries for detected infections are checked, and select the Fix Threats feature. This will result in malware removal and system remediation, so you should now be good to go.
Restore the encrypted files
Ordinypt encryption is a sophisticated data modification. There is no simple and single solution to cover all the cases. Transferring the ransom as demanded by the crooks is not the way either. Kindly apply the methods outlined below, as they have been carefully developed to provide recovery help for the most severe cases of encrypting assaults.
Data recovery with automatic software
The good news is that the virus actually deals with copies of the files. The originals have been deleted. The removed data can still be restored with tools such as Data Recovery Pro.
Shadow Volume Copies
As Windows creates backups at given periods of time, a victim is advised to turn to the relevant restore points. Unfortunately, the method cannot apply unless System Restore was enabled prior to the invasion. Please also note that the recovery returns files as they were saved before the time associated with the chosen restore point.
- Previous Versions dialog to target individual files
One can open Properties for any file. The menu has a tab called Previous Versions. It indicates versions of a file that have been backed up.
To make use of the feature, right-click an affected file and choose Properties in the drop-down list. Proceed by clicking the above-mentioned tab. You can choose between the Copy and Restore procedures, the former copying the item into a location specified by the user.
Backups and removing remaining traces of ransomware
Prevention is the best cure. If you stick to making regular reserve copies of your data and store those outside your operating system, the impact of the ransomware is very limited. However, prior to copying the data from backups into the system hit by Ordinypt ransomware, make sure the removal of this virus has completed.
Your manual removal attempts may kill the ransomware in general. In most cases, though, some remnants manage to survive and are still capable of causing significant damage. Please apply a reliable anti-malware scanner to detect and remove, if applicable, any remaining infections.