
Ordinal Ransomware

Posted: October 24, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 85
First Seen: October 24, 2017
OS(es) Affected: Windows

The Ordinal Ransomware is a Trojan that locks files of personal interest to the user, such as documents, by encrypting them with AES. Its Hidden Tear-based payload also generates text messages that ask you to pay Bitcoins to restore this media, although malware experts caution against ransom payments, which are, at best, an unguaranteed recovery method. Both free decryption utilities and backups can restore your files after these attacks, and dedicated anti-malware software can delete the Ordinal Ransomware to halt all ongoing symptoms.

Freeware Trojans with a Few After-the-Fact Precautions

More threat actors are showing an interest in turning the readily available code of Hidden Tear toward real campaigns that first block digital content and then collect ransoms. Unusually for its family, the new Ordinal Ransomware variant isn't a direct copy-paste with only the ransom-collecting information edited. Its still-unidentified administrators also have added some minor extra features to the Ordinal Ransomware that aren't in the original Hidden Tear, which could help the threat sidestep detection.

To lock files, which include such formats as XLS spreadsheets, PDF or DOC documents, JPG or GIF images, and ZIP archives, the Ordinal Ransomware searches your hard drives and enciphers content with the conventional AES-256 algorithm. Like most Trojans of its type, the Ordinal Ransomware displays no ongoing symptoms while scanning for files to lock. However, malware experts did find the Ordinal Ransomware appending the '.Ordinal' extension both to all blocked data and (possibly due to an oversight) to its text ransom note.
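A defender-side triage helper written for this entry (it is not part of the original page or of the Trojan's code): it finds files carrying the '.Ordinal' marker, groups them by original extension, and uses a byte-entropy check to separate encrypted content from the text ransom note that the Trojan renames but, being a note, presumably leaves readable. The paths and contents are constructed sample data, and the 7.0 bits/byte threshold is an assumption.

```python
import math
import random
from collections import Counter
from pathlib import PurePosixPath

# Extensions the entry above lists as targeted by the Ordinal Ransomware.
TARGETED = {".xls", ".pdf", ".doc", ".jpg", ".gif", ".zip"}
MARKER = ".Ordinal"
# Assumed threshold: AES ciphertext sits near 8.0 bits/byte, readable text far lower.
ENTROPY_THRESHOLD = 7.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(files: dict[str, bytes]) -> dict:
    """Classify files carrying the '.Ordinal' marker.

    `files` maps path -> content (constructed here; read from disk on a real host).
    Encrypted victims are grouped by original extension; a '.Ordinal'-suffixed .txt
    whose bytes are still low-entropy is reported as the renamed ransom note.
    """
    victims: dict[str, list[str]] = {}
    notes: list[str] = []
    for path, content in files.items():
        if not path.endswith(MARKER):
            continue
        ext = PurePosixPath(path[: -len(MARKER)]).suffix.lower()
        if ext == ".txt" and shannon_entropy(content) < ENTROPY_THRESHOLD:
            notes.append(path)
        else:
            victims.setdefault(ext, []).append(path)
    targeted_hit = sorted(ext for ext in victims if ext in TARGETED)
    return {"victims": victims, "notes": notes, "targeted_hit": targeted_hit}

# Constructed sample tree; seeded pseudo-random bytes stand in for AES ciphertext.
_rng = random.Random(2017)
SAMPLE = {
    "C:/Users/victim/Documents/budget.xls.Ordinal": _rng.randbytes(4096),
    "C:/Users/victim/Pictures/holiday.jpg.Ordinal": _rng.randbytes(4096),
    "C:/Users/victim/Documents/READ_ME.txt.Ordinal": b"Your files are locked. Pay 1 BTC." * 20,
    "C:/Users/victim/Documents/notes.txt": b"untouched plain file",
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On a real host the same logic would run over a directory walk; the entropy test also catches a genuinely encrypted .txt, which lands in the victims list instead of the notes list.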

The Trojan provides instructions for paying one Bitcoin to buy its threat actor's decryption program and key, and it also resets the desktop wallpaper to an abstract picture carried in its payload. However, the Ordinal Ransomware's most creative feature is an anti-debugging function customized to avoid detection by network-monitoring utilities and related analysis tools, among which malware experts point out Wireshark, Fiddler, dnSpy and ILSpy. This precaution isn't standard in Hidden Tear and implies a bare-bones familiarity with security practices on the part of its creators.

Coordinating a Safe Escape from Inordinate Demands

While the Ordinal Ransomware is fully functional and can lock files indefinitely, malware experts have yet to confirm which distribution exploits the Trojan's campaign is using. Threat actors trying to lock content on either business networks or personal systems can compromise them through brute-force theft of logins, disguised email spam, or an exploit kit run through a corrupted website. Following standard password security recommendations, scanning new downloads with appropriate security software, and disabling content like in-browser scripts may interrupt the Ordinal Ransomware's installation process.

The Ordinal Ransomware has more functions grafted onto its attacks than the average quick clone of Hidden Tear. Its payload, however, can be mitigated by any PC users who keep backups of their files on removable devices or cloud servers that the Trojan can't reach. Many anti-malware programs also are capable of identifying the Ordinal Ransomware as a threat and removing it before it starts locking any media.

To some extent, the Ordinal Ransomware protects itself from analysis, but even the most advanced Trojans can't damage files that they can't access. Keeping copies of work and personal belongings somewhere safe is more than a little cheaper than paying over five thousand dollars in cryptocurrency.

Technical Details

File System Modifications


The following files were created in the system:

File name: file.exe
Size: 47.1 KB (47104 bytes)
MD5: 8bcffc24d7a50cdff0c52c46a7a124fa
Detection count: 27
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: October 26, 2017