13. December 2019
Through a recommendation from the Technical Monitoring Association (TÜV), we received an inquiry from an advertising agency whose RAID system had been infected with the Ordinypt Trojan. The system was infected by opening a malicious attachment (a zip archive) that contained and executed the malware. The Microsoft Outlook e-mail program was used directly on the server so that the ransomware could nest directly on the server, spread and cause immense damage. There was also a NAS data backup, which was also attacked by Ordinypt. It was on a WD My Cloud Mirror network storage.
In the panic of the cyber attack, the server was subsequently encrypted with GDATA and various data recovery software was installed and executed. A data recovery from the RAID 5 server therefore did not appear promising. It was primarily focused on the backup NAS. The RAID 1 mirroring contained many files with the file extension .Ity9A, which Ordinypt had assigned after encrypting the file. Other data had been partially overwritten by the crypto-Trojan. Accordingly, the optimism of the technicians was initially reserved that the customer would get the data back.
As part of data recovery, the entire NAS data backup was searched. A large number of deleted files could be found and reconstructed without a file name or structure. In consultation with the customer, the recovered data was classified and evaluated to determine how successful the attempt to restore it was. It turned out that by restoring the anonymous deleted data, almost the entire data loss could be compensated. Even the SQL database could be reconstructed and was functional. The customer had only lost a few days of work and was able to act again promptly after the data recovery by Attingo.
The blackmailer Trojan Ordinypt is not ransomware in the strict sense: data is encrypted, deleted or overwritten and there is a ransom note; however, after paying the extorted amount, you do not receive a key to retrieve the data. There was a similar approach this year with GermanWiper. Ordinypt is one of the wipers - not ransomware in the strict sense. It is suspected that existing malware that was designed for maximum damage was rewritten and used for ransomware attacks. However, without the firm intention of ever guaranteeing access to the data again.