Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


.osiris Extension Virus – Remove Locky Ransomware

stf-locky-ransomware-virus-osiris-extension-ransom-message-note

Attention! This article will help you remove .osiris file extension virus (Locky ransomware) successfully. Follow the ransomware removal instructions below carefully.

Locky ransomware has hit computers once more. This time, your files will become encrypted with the extension .osiris and the name of the encrypted files will also get changed. The malware creators seem to have changed their Norse mythology theme with the Egyptian one. Furthermore, there are changes to the code of the cryptovirus in attempt to avoid detection. A new spam campaign is distributing the malware with blank emails or such with only one line in them. They have files attached with unusual extensions like .342, .343, .552 or with .xls, .tdb, .zk and some emails have one sentence urging users to open the attachment. To see if you can try to restore some of your files read till the end.

Threat Summary

Name .osiris Virus
Type Ransomware, Cryptovirus
Short Description The ransomware encrypts your data and then displays a ransom message with instructions for payment.
Symptoms Encrypted files will have the .osiris extension appended to them.
Distribution Method Spam Emails, Email Attachments (.xls, .tdb, .zk, .342, .343, .552)
Detection Tool See If Your System Has Been Affected by .osiris Virus

Download

Malware Removal Tool

User Experience Join Our Forum to Discuss .osiris Virus.
Data Recovery Tool Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.osiris Virus – Infection Spread

.osiris virus – the latest iteration of the Locky ransomware has been spread by a new malware spam campaign and two main types of emails. The malware creators are spreading their virus with a completely blank email or with one, which is urging users to see an attached file. Both types of emails are using an attachment with random numbers as its name with these extensions – .xls, .tdb, .zk, .342, .343, .552.

The body of the second type of email can be seen down here:

From: “Marina” [email protected]
Subject: Emailing: _0828817_36073220

Your message is ready to be sent with the following file or link
attachments:

_0828817_36073220

Attachment: _0828817_36073220.xls

The attachment in most such electronic letters usually contains a Microsoft Word file containing a macro that will download the malware. Once executed, your computer becomes infected with .osiris virus. You can see two examples of payload downloaders for the newest version of the ransomware on the VirusTotal website:

stf-locky-ransomware-virus-osiris-extension-virustotal-detections
stf-locky-ransomware-virus-osiris-extension-virustotal-detections-2

.osiris virus can also be spread around social media sites such as Facebook. Refrain from interacting with any suspicious and unknown links, attachments and files as a general rule of thumb. Before opening a file, always perform a check with a security tool. You should read the ransomware preventing tips in our forum to learn how you can prevent these types of threats to infect your computer.

.osiris Virus – Technical Analysis

Malware researchers have reported .osiris virus to infect computers with a different version and to encrypt files with a new extension – .osiris. It seems that the Norse mythology theme has been converted to the Egyptian one. Some of the sites that download the payload file can be seen below:

List with some of the payload download sites

Do not open any of these links, as they contain a malware downloader. This is posted for informing about download URLs of the malware.

You can also see some of the C2 (Command and Control) servers right here:

  • POST http://91.142.90.61/checkupdate
  • POST http://185.82.217.28/checkupdate
  • POST http://195.19.192.99/checkupdate

When the payload is executed, your files will become encrypted, and a ransom note will be displayed on your desktop background. The note with the payment instructions will also be saved as a file named OSIRIS-([a-z0-9])\.htm, where the brackets contain symbols with randomized numbers and letters.

The ransom note with instructions is set as your desktop background, and it is almost the same as past iterations. You can see how it looks like if loaded as an .html file.

stf-locky-ransomware-virus-osiris-extension-ransom-message-note

The text reads the following:

!!! IMPORTANT INFORMATION !!!

All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Decrypting of your files is only possible with the private key and decrypt program, All which is on our secret server.
To receive your private key follow one of the links:

If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: g46mbrrzpfszonuk.onion/[Redacted] 4. Follow the instructions on the site.
!!! Your personal identification ID: [Redacted] !!!

The .osiris virus will provide a link to a network domain hidden within the TOR browser service. The domain looks exactly like the one of its predecessors as you can see right here:

stf-locky-ransomware-virus-osiris-file-extension-locky-decryptor-page-payment-instructions

Some of the previous victims of Locky ransomware have reported that paying the ransom designated by the cybercriminals did not recover their files. Thus, you should not attempt contacting these crooks or paying them any money. Until this moment we only can conclude that the malware creators will continue developing new versions of the ransomware and extort people by encrypting their files.

For the moment, a list with the file types which become encrypted is not available. Files with the following extensions may get encrypted:

→.txt, .pdf, .html, .rtf, .avi, .mov, .mp3, .mp4, .dwg, .psd, .svg, .indd, .cpp, .pas, .php, .java, .jpg, .jpeg, .bmp, .tiff, .png, .doc, .docx, .xls, .xlsx, .ppt, .pptx

Encrypted files will have the .osiris extension appended to them, but also their names will be changed with randomized symbols of letters and numbers, just like the ransom note. The encryption algorithm that is still claimed to be used by Locky is RSA-2048 with AES 128-bit ciphers.

.osiris virus is very likely to delete the Shadow Volume Copies on the Windows operating system with the following command:

→vssadmin.exe delete shadows /all /Quiet

Continue to read and see how to remove this ransomware and and also – what methods you can try to decrypt some of your data.

Remove .osiris Virus and Restore .osiris Files

If your computer got infected with the .osiris virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance to spread further and infect more computers. You should remove the ransomware and follow the step-by-step instructions guide given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by .osiris virus.

Manually delete .osiris Virus from your computer

Note! Substantial notification about the .osiris Virus threat: Manual removal of .osiris Virus requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove .osiris Virus files and objects
2.Find malicious files created by .osiris Virus on your PC

Automatically remove .osiris Virus by downloading an advanced anti-malware program

1. Remove .osiris Virus with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by .osiris Virus
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.