.osiris Extension Virus – Remove Locky Ransomware

.osiris Extension Virus – Remove Locky Ransomware


Attention! This article will help you remove .osiris file extension virus (Locky ransomware) successfully. Follow the ransomware removal instructions below carefully.

Locky ransomware has hit computers once more. This time, your files will become encrypted with the extension .osiris and the name of the encrypted files will also get changed. The malware creators seem to have changed their Norse mythology theme with the Egyptian one. Furthermore, there are changes to the code of the cryptovirus in attempt to avoid detection. A new spam campaign is distributing the malware with blank emails or such with only one line in them. They have files attached with unusual extensions like .342, .343, .552 or with .xls, .tdb, .zk and some emails have one sentence urging users to open the attachment. To see if you can try to restore some of your files read till the end.

Threat Summary

Name.osiris Virus
TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts your data and then displays a ransom message with instructions for payment.
SymptomsEncrypted files will have the .osiris extension appended to them.
Distribution MethodSpam Emails, Email Attachments (.xls, .tdb, .zk, .342, .343, .552)
Detection Tool See If Your System Has Been Affected by .osiris Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .osiris Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.osiris Virus – Infection Spread

.osiris virus – the latest iteration of the Locky ransomware has been spread by a new malware spam campaign and two main types of emails. The malware creators are spreading their virus with a completely blank email or with one, which is urging users to see an attached file. Both types of emails are using an attachment with random numbers as its name with these extensions – .xls, .tdb, .zk, .342, .343, .552.

The body of the second type of email can be seen down here:

From: “Marina” Marina.jeffeaux91@klachurch.org
Subject: Emailing: _0828817_36073220

Your message is ready to be sent with the following file or link


Attachment: _0828817_36073220.xls

The attachment in most such electronic letters usually contains a Microsoft Word file containing a macro that will download the malware. Once executed, your computer becomes infected with .osiris virus. You can see two examples of payload downloaders for the newest version of the ransomware on the VirusTotal website:


.osiris virus can also be spread around social media sites such as Facebook. Refrain from interacting with any suspicious and unknown links, attachments and files as a general rule of thumb. Before opening a file, always perform a check with a security tool. You should read the ransomware preventing tips in our forum to learn how you can prevent these types of threats to infect your computer.

.osiris Virus – Technical Analysis

Malware researchers have reported .osiris virus to infect computers with a different version and to encrypt files with a new extension – .osiris. It seems that the Norse mythology theme has been converted to the Egyptian one. Some of the sites that download the payload file can be seen below:

List with some of the payload download sites


Do not open any of these links, as they contain a malware downloader. This is posted for informing about download URLs of the malware.

You can also see some of the C2 (Command and Control) servers right here:

  • POST
  • POST
  • POST

When the payload is executed, your files will become encrypted, and a ransom note will be displayed on your desktop background. The note with the payment instructions will also be saved as a file named OSIRIS-([a-z0-9])\.htm, where the brackets contain symbols with randomized numbers and letters.

The ransom note with instructions is set as your desktop background, and it is almost the same as past iterations. You can see how it looks like if loaded as an .html file.


The text reads the following:


All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
Decrypting of your files is only possible with the private key and decrypt program, All which is on our secret server.
To receive your private key follow one of the links:

If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: g46mbrrzpfszonuk.onion/[Redacted] 4. Follow the instructions on the site.
!!! Your personal identification ID: [Redacted] !!!

The .osiris virus will provide a link to a network domain hidden within the TOR browser service. The domain looks exactly like the one of its predecessors as you can see right here:


Some of the previous victims of Locky ransomware have reported that paying the ransom designated by the cybercriminals did not recover their files. Thus, you should not attempt contacting these crooks or paying them any money. Until this moment we only can conclude that the malware creators will continue developing new versions of the ransomware and extort people by encrypting their files.

For the moment, a list with the file types which become encrypted is not available. Files with the following extensions may get encrypted:

→.txt, .pdf, .html, .rtf, .avi, .mov, .mp3, .mp4, .dwg, .psd, .svg, .indd, .cpp, .pas, .php, .java, .jpg, .jpeg, .bmp, .tiff, .png, .doc, .docx, .xls, .xlsx, .ppt, .pptx

Encrypted files will have the .osiris extension appended to them, but also their names will be changed with randomized symbols of letters and numbers, just like the ransom note. The encryption algorithm that is still claimed to be used by Locky is RSA-2048 with AES 128-bit ciphers.

.osiris virus is very likely to delete the Shadow Volume Copies on the Windows operating system with the following command:

→vssadmin.exe delete shadows /all /Quiet

Continue to read and see how to remove this ransomware and and also – what methods you can try to decrypt some of your data.

Remove .osiris Virus and Restore .osiris Files

If your computer got infected with the .osiris virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance to spread further and infect more computers. You should remove the ransomware and follow the step-by-step instructions guide given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by .osiris virus.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share