Ordinypt
Intelligence Profile
This malware presents itself as ransomware, but it is actually a wiper. After execution, it terminates a number of processes, such as database processes, likely to release any files those programs hold open so that they can be overwritten. Ordinypt avoids wiping certain files and folders so that the infected machine remains bootable and usable. Affected files are overwritten with null characters and receive a random 5-character file extension. Finally, shadow copies are removed and Windows startup repair is disabled to complicate recovery of data from the affected system. The desktop background is changed and a ransom note is dropped for the victim. A C2 check-in records the file extension used on that specific machine, as well as which Bitcoin address was randomly assigned to the victim for payment (drawn from a long list stored in the ransomware configuration).
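For incident-response triage, the two file-level traits described above (null-byte content plus an appended random 5-character extension) are enough to enumerate damaged files on a recovered disk image and recover their original names for matching against backups. The following scanner is an added example written for this profile, not code from the page or from any vendor tool. It assumes the appended extension is made of letters and digits and that the null overwrite starts at offset 0; the sample directory tree it builds is constructed test data, not victim data.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Traits taken from the profile: affected files are overwritten with null
# characters and receive a random 5-character extension. The page does not
# state the extension's character set; letters and digits is an assumption.
RANDOM_EXT = re.compile(r"^\.[A-Za-z0-9]{5}$")

# Only the start of each file is inspected, which keeps the scan cheap on a
# large tree (assumption: the null overwrite begins at offset 0).
SAMPLE_BYTES = 64 * 1024


def is_null_filled(path: Path) -> bool:
    """True when the file is non-empty and its first SAMPLE_BYTES are all 0x00."""
    if path.stat().st_size == 0:
        return False
    with path.open("rb") as fh:
        chunk = fh.read(SAMPLE_BYTES)
    return chunk.count(0) == len(chunk)


def scan_for_wiped_files(root: Path) -> List[Dict[str, object]]:
    """Walk `root` and report files showing both wiper traits.

    Requiring both traits avoids false positives from legitimate 5-letter
    extensions (e.g. .xhtml) and from legitimately zero-filled files such as
    sparse files or pre-allocated database and VM disk images.
    """
    findings: List[Dict[str, object]] = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        if RANDOM_EXT.match(p.suffix) and is_null_filled(p):
            findings.append({
                "path": str(p),
                "size": p.stat().st_size,
                "appended_ext": p.suffix,
                # Stripping the appended extension recovers the original
                # file name, which is what you look up in backups.
                "original_name": p.name[: -len(p.suffix)],
            })
    return findings


def build_sample_tree(root: Path) -> None:
    """Create a constructed sample tree for the demo (not real victim data)."""
    (root / "docs").mkdir()
    # Two "wiped" files: null bytes plus an appended 5-character extension.
    (root / "docs" / "report.docx.k9xqz").write_bytes(b"\x00" * 4096)
    (root / "budget.xlsx.abcde").write_bytes(b"\x00" * 100_000)
    # Untouched document: normal content, normal extension.
    (root / "docs" / "notes.txt").write_text("quarterly notes\n")
    # Legitimate 5-character extension with real content: must not be flagged.
    (root / "index.xhtml").write_text("<html/>\n")
    # Zero-filled but no appended extension (e.g. a pre-allocated file).
    (root / "zeros.bin").write_bytes(b"\x00" * 4096)
    # Empty file with a suspicious extension: nothing to judge, not flagged.
    (root / "empty.zzzzz").write_bytes(b"")


def demo() -> List[Dict[str, object]]:
    """Build the sample tree in a temporary directory and scan it."""
    root = Path(tempfile.mkdtemp(prefix="ordinypt_triage_"))
    build_sample_tree(root)
    return scan_for_wiped_files(root)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['path']}  size={hit['size']}  original={hit['original_name']}")
```

Point the scanner at a mounted, read-only copy of the affected volume rather than the live system; a file that matches only one of the two traits is worth a manual look but is not reported, to keep the list of candidates for restore-from-backup clean.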
Threat Analysis
Ordinypt is a high-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primarily financial motivation.
Financially motivated threat actors like Ordinypt prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.
Given its high sophistication, Ordinypt is capable of targeted intrusions using adapted commodity tools alongside custom implants, while maintaining operational security and evading standard detection mechanisms.