New Locky .OSIRIS Ransomware Infections (Update April 2017) - How to, Technology and PC Security Forum | SensorsTechForum.com


This article covers the Locky .OSIRIS ransomware, shows how to remove the .OSIRIS Locky virus, and explains what can be tried to get encrypted files back.

Security researchers have reported a rise in the infection rate of the Locky .OSIRIS ransomware. The virus is again spreading through the same massive spam e-mail campaigns, carrying documents with malicious macros. If the operators behind Locky .OSIRIS are back at full capacity, infections are expected to rise even further.

The Infection Method of Locky Ransomware

This new Locky spam wave is sent from a pre-set list of sender addresses that are not yet flagged as spam. The messages deliver a supposed receipt as an Adobe .PDF attachment with a name similar to “P23123.pdf”. The e-mail subject contains the word “Reciept”, making the message look like confirmation of a payment the user never made, and the body may add convincing statements to push the user further towards opening the attached file.

Once the .PDF is opened, it turns out to contain an embedded macro-enabled Word document with the .docm extension, which the PDF reader offers to open in Microsoft Word. The .docm is reachable only by opening the .PDF first. As soon as the Word file is opened, it displays a fake notice with the following content:

This Document is protected!
1 Open the document in Microsoft Office. Previewing offline is not available for protected documents.
2 If this document was downloaded from your email, please click “Enable editing” from the yellow bar above.
3 Once you have enable editing please click on “Enable content” on the yellow bar above.

As soon as the user clicks the “Enable content” button, the macro runs and infection with .OSIRIS Locky follows.
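The chain described above (a .PDF carrying a .docm, the .docm carrying a VBA project) can be triaged statically before anyone clicks “Enable content”. The script below is an added example, not code from the article or from the Locky sample: it scans a PDF's uncompressed object dictionaries for file attachments, singles out macro-enabled Office names, and checks an OOXML container for a vbaProject.bin part. The PDF and .docm it works on are constructed stand-ins, not real Locky artefacts.

```python
"""Static triage of a PDF-with-embedded-.docm lure. Added example; the samples
below are constructed stand-ins, not real Locky artefacts."""
from __future__ import annotations

import io
import re
import zipfile

# Constructed minimal PDF with one file attachment, named like the lure
# ("P23123.docm"). Real PDFs may wrap these dictionaries in compressed object
# streams, where a raw byte scan like this one does not see them.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Names << /EmbeddedFiles << /Names [(P23123.docm) 2 0 R] >> >> >>
endobj
2 0 obj
<< /Type /Filespec /F (P23123.docm) /EF << /F 3 0 R >> >>
endobj
3 0 obj
<< /Type /EmbeddedFile /Length 4 >>
stream
PK..
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

EMBEDDED_FILE_RE = re.compile(rb"/Type\s*/EmbeddedFile\b")
FILESPEC_NAME_RE = re.compile(rb"/Type\s*/Filespec\b[^>]*?/F\s*\((?P<name>[^)]*)\)", re.S)
MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm")


def pdf_attachments(pdf: bytes) -> list[str]:
    """Names of attachments declared in uncompressed Filespec dictionaries.
    An empty result means 'none seen', not 'none present'."""
    if not EMBEDDED_FILE_RE.search(pdf):
        return []
    names: list[str] = []
    for m in FILESPEC_NAME_RE.finditer(pdf):
        name = m.group("name").decode("latin-1")
        if name not in names:
            names.append(name)
    return names


def triage_pdf(pdf: bytes) -> list[str]:
    """Flag every attachment and single out macro-enabled Office formats."""
    findings = []
    for name in pdf_attachments(pdf):
        kind = "macro-enabled Office attachment" if name.lower().endswith(MACRO_EXTS) else "attachment"
        findings.append(f"{kind}: {name}")
    return findings


def office_macro_parts(doc: bytes) -> list[str]:
    """Names of VBA project parts inside an OOXML (.docm/.xlsm) zip container.
    The .docm extension alone proves nothing; the vbaProject.bin part does."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc)) as z:
            return [n for n in z.namelist() if n.lower().endswith("vbaproject.bin")]
    except zipfile.BadZipFile:
        return []


def build_sample_docm() -> bytes:
    """Constructed stand-in for the lure's .docm: an OOXML zip with a VBA
    project part whose content is a placeholder, not macro code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_pdf(SAMPLE_PDF):
        print("PDF:", finding)
    print("DOCM macro parts:", office_macro_parts(build_sample_docm()))
```

Because the PDF scan only sees uncompressed dictionaries, treat it as a cheap first pass on mail-gateway attachments; a clean result should still be followed by a proper parse that inflates object streams before the file is trusted.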

Like other Locky variants, one of the virus's first actions on the infected computer is to delete the Volume Shadow Copies, so that Windows' Previous Versions feature cannot be used to bring files back, by executing the vssadmin command:

→ vssadmin delete shadows /all /quiet

For its network communication, this Locky .OSIRIS iteration connects to the hosts 188.120.239.230 and 80.85.158.212 and sends information to them.
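Both post-infection behaviours above, the vssadmin shadow-copy deletion and the connections to the two listed hosts, leave traces in endpoint telemetry. The script below is an added example, not the article's own material: it runs detection logic over constructed Sysmon-style JSON events (Event ID 1 for process creation, Event ID 3 for network connections). Only the two host IPs come from the text; the log lines, file paths and the Office-parent rule are assumptions, and the wmic shadowcopy pattern is a generalisation beyond the single vssadmin line the article quotes.

```python
"""Detection logic for Locky-style shadow copy deletion and beaconing, run over
constructed Sysmon-style JSON log lines. Added example, not article code."""
from __future__ import annotations

import json
import re

# Hosts named in the article as the ones this Locky iteration reports to.
C2_HOSTS = {"188.120.239.230", "80.85.158.212"}

# Command-line patterns, applied after normalisation (lower case, quotes
# stripped, whitespace collapsed) so spacing or quoting tricks do not hide them.
SHADOW_DELETE_RES = (
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    # Equivalent WMI route; a generalisation beyond the article's vssadmin line.
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
)

# Assumption: Office applications in this environment never legitimately spawn
# child processes, so any child of these is worth a look (macro execution).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def normalise(cmd: str) -> str:
    return re.sub(r"\s+", " ", cmd.replace('"', "")).strip().lower()


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def classify(event: dict) -> list[str]:
    """Return the findings for one event (empty list when it looks benign)."""
    findings: list[str] = []
    eid = event.get("EventID")
    if eid == 1:
        cmd = normalise(event.get("CommandLine", ""))
        if any(r.search(cmd) for r in SHADOW_DELETE_RES):
            findings.append(f"shadow copy deletion: {cmd}")
        parent = basename(event.get("ParentImage", ""))
        if parent in OFFICE_PARENTS:
            findings.append(f"{parent} spawned {basename(event.get('Image', ''))}")
    elif eid == 3:
        ip = event.get("DestinationIp", "")
        if ip in C2_HOSTS:
            findings.append(f"connection to known Locky .OSIRIS host {ip}")
    return findings


def scan(lines) -> list[tuple[int, str]]:
    """Run classify() over JSON lines; malformed lines are skipped, not fatal."""
    hits: list[tuple[int, str]] = []
    for lineno, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        for finding in classify(event):
            hits.append((lineno, finding))
    return hits


# Constructed sample log: the lure opened in Word from the PDF reader, a macro
# child process, the vssadmin command from the article (with extra spacing and
# quoting), a benign vssadmin query, one beacon to a listed host, a benign
# HTTPS connection and one corrupt line. Paths and "sample.exe" are made up.
SAMPLE_LOG = r"""
{"EventID":1,"Image":"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE","CommandLine":"\"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE\" /n P23123.docm","ParentImage":"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe"}
{"EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c start sample.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"}
{"EventID":1,"Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin   delete \"shadows\" /all /quiet","ParentImage":"C:\\Users\\victim\\AppData\\Local\\Temp\\sample.exe"}
{"EventID":1,"Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin list shadows","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"EventID":3,"Image":"C:\\Users\\victim\\AppData\\Local\\Temp\\sample.exe","DestinationIp":"188.120.239.230","DestinationPort":80}
{"EventID":3,"Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","DestinationIp":"93.184.216.34","DestinationPort":443}
this line is not JSON
""".strip()

if __name__ == "__main__":
    for lineno, finding in scan(SAMPLE_LOG.splitlines()):
        print(f"line {lineno}: {finding}")
```

The shadow-copy rule is the one worth alerting on with the highest priority: the delete happens before encryption is finished, so a response that isolates the host at that moment can still save most of the data, whereas the IP indicators age quickly as the operators move hosts.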

How to Remove Locky and Recover .OSIRIS Files

The bad news is that, at this point, there is no known method of decrypting files encrypted by the Locky ransomware, since the encryption used by .OSIRIS is very strong. However, there are several methods you can try to get back at least a portion of the files that have had the .OSIRIS extension appended. For more information on how to remove Locky .OSIRIS and protect your computer in the future, see the removal instructions below. For alternative data recovery methods, see step “2. Restore files encrypted by Locky .OSIRIS”.

Manually delete Locky .OSIRIS from your computer

Note! Important warning about the Locky .OSIRIS threat: manual removal of Locky .OSIRIS requires working with system files and the registry, so it can damage your PC if done incorrectly. If your computer skills are not at a professional level, don’t worry: you can perform the removal yourself in about 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Locky .OSIRIS files and objects
2. Find malicious files created by Locky .OSIRIS on your PC

Automatically remove Locky .OSIRIS by downloading an advanced anti-malware program

1. Remove Locky .OSIRIS with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Locky .OSIRIS
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

