If the extensions of your files have suddenly changed to .osiris, your computer has been infected with a variant of the Locky ransomware family, Osiris Ransomware, which was released in the final months of 2016. The files the ransomware encrypts become unusable and cannot be opened until they are decrypted, and the attackers demand a ransom for the key. What is Osiris Ransomware? How does it spread? How can you recover the encrypted files? Read on and you will find the answers.
Information about Osiris Ransomware
| Item | Details |
|---|---|
| Threat Name | Osiris Ransomware |
| Type | Ransomware; Malware |
| Operating System | Windows (the payload is a DLL run through Rundll32.exe) |
| Previous Versions | Odin Ransomware, Zepto Ransomware |
| Behavior | Scrambles and encrypts important files, appends the .osiris extension and demands a ransom payment |
| Distribution Method | Spam emails, usually pretending to carry an invoice |
| File Decryption Method | No free decryptor; recovery only from backups or from surviving shadow copies |
| Ransomware Removal | System Restore or a reputable anti-malware removal tool |
If you follow computer security news, you may have heard of Locky ransomware, a strain that scrambles and renames all of your important files and demands that you buy the decryption key to restore them. Odin Ransomware and Zepto Ransomware are both variants built on Locky. Compared with the original version they are more complex, and victims find it even harder to get their files back. Osiris Ransomware is the latest extension of the Locky menace: it encrypts files with the RSA and AES ciphers and appends the .osiris extension. With this variant the developers dropped the Norse mythology of earlier names in favour of Egyptian mythology.
Screenshot of the files encrypted by Osiris Ransomware:
The screenshot shows that the encrypted files have been renamed and given the .osiris extension. The ransomware scrambles each file's contents and replaces its name with a 36-character string: 32 hexadecimal digits in five hyphen-separated groups (8-4-4-4-12), so the original name is no longer visible. For example, a file may be renamed to something like D7F6EEB0-D8FC-508E-E70C6E2-EB123A70566F.osiris. Because of this it is difficult, if not impossible, for a victim to tell which file an encrypted file used to be. Ransom notes in .htm and .bmp format are dropped among the encrypted files; DesktopOSIRIS.bmp, DesktopOSIRIS.htm and OSIRIS-[4_numbers].htm explain how to pay the ransom and recover your files.
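As an added example (not code from the original article), the following PowerShell script inventories files that carry this naming pattern, groups them by the 16-digit prefix that Locky variants are reported to use as the per-victim ID (an assumption here, not something the article states), and counts the ransom notes. The paths and the report location are placeholders; the script only reads.

```powershell
# Added example, not code from the original article. Read-only inventory of
# files renamed by Osiris. The victim-ID grouping is an assumption carried
# over from earlier Locky variants; the paths are placeholders.
param(
    [string[]] $Path   = @("$env:USERPROFILE\Documents"),
    [string]   $Report = "$env:TEMP\osiris-inventory.csv"
)

# 8-4-4-4-12 hexadecimal groups: 32 digits, 36 characters with the hyphens.
# The first three groups (16 digits) are captured as the assumed victim ID.
$osirisName = '^(?<id>[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4})-[0-9A-F]{4}-[0-9A-F]{12}\.osiris$'
# Ransom note names dropped next to the encrypted files.
$noteName   = '^(DesktopOSIRIS\.(bmp|htm)|OSIRIS-\d{4}\.htm)$'

$files = Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue

$encrypted = @($files | Where-Object { $_.Name -match $osirisName } |
    Select-Object FullName, Length, LastWriteTime,
        @{ n = 'VictimId'; e = { $_.Name -replace $osirisName, '${id}' } })
$notes = @($files | Where-Object { $_.Name -match $noteName })

# One ID per infected host: several IDs on a share mean several infected
# clients wrote to it. The earliest write time per ID is when encryption
# started, which is the date to look for when choosing a restore point or
# a shadow copy later.
foreach ($group in ($encrypted | Group-Object VictimId)) {
    $first = ($group.Group | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
    '{0,6} files  victim ID {1}  first encrypted {2:u}' -f $group.Count, $group.Name, $first
}
'{0} ransom notes in {1} directories' -f $notes.Count, @($notes.DirectoryName | Sort-Object -Unique).Count

$encrypted | Export-Csv -Path $Report -NoTypeInformation
"Inventory of $($encrypted.Count) encrypted files written to $Report"
```

Run it from a clean machine against the affected folders or shares; the CSV gives the scope of the damage, and the earliest write time per victim ID is the timestamp to compare restore points and shadow copies against.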
For example, when you open an OSIRIS-[4_numbers].htm file, your default web browser starts and a page with the following text appears. The same ransom note is also set as the desktop background image:
‘!!! IMPORTANT INFORMATION !!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about RSA and AES can be found here:
hxxp://en.wikipedia.org/wiki/Advanced Encryption Standard
Decrypting your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:
If all of these addresses are not available, follow these steps:
- Download and install Tor Browser: hxxp://www.torproject.org/download/download-easy.html
- After a successful installation, run the browser and wait for initialisation.
- Type in the address bar:
- Follow the instructions on the site.
!!! Your personal identification ID: [random numbers]!!!’
The ransom note tells you what happened to your files and how to decrypt them: it directs you to buy a private key and decryptor program from the attackers' server over the Tor Browser, by visiting the given address and following the instructions on the site. Bear in mind that paying funds the attackers and does not guarantee a working decryptor.
When you connect to the payment site, you will see the following message:
‘Locky Decryptor™ We present a special software – Locky Decryptor™ –
which allows you to decrypt and return control of all your encrypted files.
How to buy Locky Decryptor™?
You can make a payment with BitCoins, there are many methods to get them.
You should register a BitCoin wallet:
Simplest online wallet or Some other methods of creating wallet
Purchasing Bitcoins, although it’s not yet easy to buy bitcoins, it’s getting simpler every day.
Send 2.5 BTC to Bitcoin address: 1BkR8zL6jAn8zcF4t6FM85DYLFG1dZ12ip
Note: Payment pending up to 30 mins or more for transaction confirmation, please be patient…
Refresh the page and download decryptor.
When the Bitcoin transaction has received one confirmation, you will be redirected to the page for downloading the decryptor.’
Screenshot of the message in the Locky Decryptor Page of Tor Browser:
Note: If your computer is attacked by Osiris Ransomware and you have no backup of the files, there is currently no way to decrypt them for free. The methods below show how to remove the malware and may help you recover some of the files.
How does Osiris Ransomware arrive on your computer?
Like other ransomware, Osiris Ransomware spreads through spam email. Be cautious of email from strangers, especially messages about an invoice. Some users were infected because they opened a zip attachment containing a file named like Invoice_Inv[random_numbers].xls, sent in an email with a subject like Invoice Inv[random_numbers].
If you are fooled by the fake email and open the Excel file, the ransomware gets its chance to run. The spreadsheet appears empty, with a single sheet named Лист1 ("Sheet1", the default sheet name in the Russian localization of Excel). A security warning pops up saying that macros have been disabled and asking you to enable them (see the screenshot below).
If you click the Enable Content button, the VBA macro executes and downloads a DLL installer into the %Temp% folder. The file does not look like a normal DLL because it is saved with a .spe or some other non-.dll extension, but the extension does not matter: the macro launches it with Rundll32.exe, the Windows utility that loads a DLL into a process and calls one of its exported functions, and the Locky Osiris variant is installed. Once running, the ransomware scans the system and scrambles files in every directory on every mounted drive it can access. Files on removable drives plugged in at the time are encrypted too, and so are any network shares it can reach. A process tree of EXCEL.EXE starting rundll32.exe on a file in %Temp% is therefore a strong indicator of this infection chain.
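As an added example (not from the article), the PowerShell below turns that chain into two hunting rules over process-creation records using Sysmon Event ID 1 field names: an Office application starting rundll32.exe on a non-.dll file in a Temp folder, and vssadmin.exe or wmic.exe deleting shadow copies, which the recovery section later notes ransomware does as soon as it runs. The sample records are constructed for the example, the file and export names in them are illustrative, and the live query assumes Sysmon with ProcessCreate logging is installed.

```powershell
# Added example, not from the original article. Two hunting rules for the
# Osiris infection chain over process-creation records (Sysmon Event ID 1
# field names). The sample records below are constructed, not real logs.

function Test-OsirisProcessRecord {
    param([Parameter(Mandatory)] $Record)   # needs Image, ParentImage, CommandLine
    $image  = ($Record.Image       -split '\\')[-1]
    $parent = ($Record.ParentImage -split '\\')[-1]
    $cmd    = [string]$Record.CommandLine

    # Rule 1: Office -> rundll32 loading a renamed DLL (.spe etc.) out of Temp.
    # The negative lookahead rejects a .dll extension; the trailing lookahead
    # stops the match at the comma that separates the file from the export name.
    if ($parent -in @('EXCEL.EXE', 'WINWORD.EXE', 'POWERPNT.EXE') -and $image -eq 'rundll32.exe') {
        if ($cmd -match '\\Temp\\[^\s",]+\.(?!dll\b)\w+(?=[\s",]|$)') {
            return 'Office spawned rundll32 on a non-.dll file in a Temp folder'
        }
    }
    # Rule 2: shadow copy deletion, whoever the parent is.
    if ($image -in @('vssadmin.exe', 'wmic.exe') -and $cmd -match 'delete\s+shadows|shadowcopy\s+delete') {
        return 'Shadow copy deletion attempted'
    }
    return $null
}

# Constructed sample records (not real telemetry); names and paths are illustrative.
$sample = @(
    [pscustomobject]@{
        ParentImage = 'C:\Program Files\Microsoft Office\Office16\EXCEL.EXE'
        Image       = 'C:\Windows\System32\rundll32.exe'
        CommandLine = 'rundll32.exe C:\Users\bob\AppData\Local\Temp\invoice.spe,qwerty' }
    [pscustomobject]@{
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\rundll32.exe'
        CommandLine = 'rundll32.exe shell32.dll,Control_RunDLL' }
    [pscustomobject]@{
        ParentImage = 'C:\Windows\System32\rundll32.exe'
        Image       = 'C:\Windows\System32\vssadmin.exe'
        CommandLine = 'vssadmin.exe Delete Shadows /All /Quiet' }
)

foreach ($r in $sample) {
    $verdict = Test-OsirisProcessRecord -Record $r
    if ($verdict) { "ALERT: $verdict -> $($r.CommandLine)" } else { "ok: $($r.CommandLine)" }
}

# The same rules over live Sysmon data (assumes Sysmon is installed; run elevated).
function Get-SysmonProcessRecord {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Image       = ($data | Where-Object Name -eq 'Image').'#text'
                ParentImage = ($data | Where-Object Name -eq 'ParentImage').'#text'
                CommandLine = ($data | Where-Object Name -eq 'CommandLine').'#text'
            }
        }
}
# Get-SysmonProcessRecord | Where-Object { Test-OsirisProcessRecord -Record $_ }
```

The first and third sample records trigger an alert; the second (a normal Control Panel launch) does not. An Office process starting rundll32 on a .dll in Temp is not caught by rule 1 as written and is still worth a look if it shows up.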
Osiris Ransomware removal guide
Finding and deleting every file associated with the ransomware by hand is not easy. To remove the malware completely, download and install a reputable anti-malware program and let it scan for the threats and clean them up automatically. The software recommended below can detect and remove the infection in a few clicks.
- Download a remover for Osiris Ransomware.
- Once the tool is downloaded, run it and follow the on-screen instructions to complete the installation.
- The tool runs automatically once installed and usually starts scanning your computer for malware. If it does not, click the Scan Computer Now button to start the scan.
- Threats related to the ransomware are listed in the scan results. When the scan is complete, click the Fix Threats button to delete the malicious files.
Alternatively, use System Restore to remove the ransomware manually:
System Restore is “a feature in Microsoft Windows that allows the user to revert their computer’s state (including system files, installed applications, Windows Registry, and system settings) to that of a previous point in time, which can be used to recover from system malfunctions or other problems.” If System Restore was enabled on the infected system before the attack, this method may work. It removes the ransomware's files, registry entries and startup entries, but it does not decrypt your documents.
Follow the guide below to perform a System Restore on your version of Windows. Whichever version you use, choose a restore point dated before the infection started.
For Windows 10 users,
Press the Windows key + X, or right-click the Start button in the lower left corner of the screen, to open the quick link menu, and select System.
Click the System Protection tab on the left, as shown below.
Click System Restore. (If System Restore is greyed out, check that System Protection is turned on for your system drive. It is on by default; to enable it for another drive, select the drive, click Configure… and select Turn on system protection.)
If this is your first System Restore, click Next. If you have done a System Restore before, select Choose a different restore point and click Next.
(Note: restore points must already exist; if none are available, a System Restore is not possible.)
Select the restore point you want to return Windows to and click the Scan for affected programs button.
Review what the selected restore point will change. When finished, click Close.
When you are ready to restore with the selected point, click Next.
Click Finish to begin the System Restore.
Click Yes to confirm. This is your last chance to cancel.
Your PC will restart and perform the System Restore.
When it has completed successfully and you have signed back in to your desktop, click Close.
Osiris Ransomware should now be gone from the system. Note, however, that your files are still encrypted: System Restore reverts programs, system files and the registry, not your documents.
For Windows 8/8.1 users,
Hover your mouse over the lower left corner of the screen until the Start tile appears, right-click it and select Control Panel (see the screenshot below). On Windows 8.1, right-click the Start button and click Control Panel.
In the Control Panel window, with View by set to Large icons, select Recovery.
Select Open System Restore.
The main System Restore screen is displayed. If you are prompted to continue, click Next; the most recent restore point and your last critical update are shown.
If the most recent restore point is later than the date your problem started, check Show more restore points in the lower left corner to see the full list of available restore points.
Select a restore point dated before your computer issues started and click Next.
The screen asks for confirmation. Click Finish if you are sure you want to continue.
When asked to confirm again, click Yes. System Restore reboots your computer and begins the restore process. This takes some time; please be patient.
When the restore completes successfully, a confirmation box is displayed on your desktop after the reboot. Osiris Ransomware is then gone from your computer, although your files remain encrypted.
For Windows 7/Vista users
Click Start → All Programs → Accessories → System Tools → System Restore.
When the System Restore window appears, you can click Next directly if the date of the Recommended restore is before the time the computer problem started.
If the problem started earlier than the recommended restore point, select Choose a different restore point and click Next to pick the one you want.
Select a restore point dated before the problem and click Next. If the one you want is not listed, check Show more restore points, choose a point from before the infection, and click Next.
Confirm your restore point and click Finish.
The restore takes some time. When the system has been returned to a state from before Osiris Ransomware arrived, the ransomware is no longer on your PC.
For Windows XP users,
Click Start, click Programs, click Accessories, click System Tools and then open System Restore.
When the Welcome to System Restore page appears, select Restore my computer to an earlier time (if it is not already selected) and click Next.
On the Select a Restore Point screen, pick a date before the infection on the calendar, then in the "On this list, click a restore point" list select a checkpoint from that day and click Next.
A System Restore message may appear listing the configuration changes System Restore will make. Click OK.
Confirm your restore point and click Finish.
System Restore restores the previous Windows XP configuration and then restarts the computer. As with the other versions, the encrypted files are not restored.
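The scripted equivalent of the System Restore steps above, added here as an example and not part of the original article: it lists the restore points created before an assumed infection time (a placeholder; take the real time from the oldest .osiris file) and applies the newest one that predates the infection. It needs Windows PowerShell on a client edition of Windows, run elevated.

```powershell
# Added example, not from the original article. Scripted System Restore for
# Windows PowerShell 5.1 on a client edition of Windows (the *-ComputerRestore
# cmdlets are not available on Server). Run elevated.
#Requires -RunAsAdministrator

# Assumption for the example: when encryption started. Take the real value
# from the LastWriteTime of the oldest .osiris file or the ransom notes.
$infectedAt = Get-Date '2016-12-05 09:30'

function Get-RestorePointBefore {
    param([Parameter(Mandatory)] [datetime] $Before)
    # CreationTime is a WMI (DMTF) timestamp string; ConvertToDateTime is the
    # script method PowerShell adds to WMI objects for exactly this conversion.
    Get-ComputerRestorePoint |
        Select-Object SequenceNumber, Description, RestorePointType,
            @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } } |
        Where-Object { $_.Created -lt $Before } |
        Sort-Object Created -Descending
}

# Protection must be on for the system drive, otherwise nothing is listed
# (and nothing will be captured for next time either).
Enable-ComputerRestore -Drive "$env:SystemDrive\"

$candidates = @(Get-RestorePointBefore -Before $infectedAt)
if ($candidates.Count -eq 0) {
    "No restore point older than $infectedAt; System Restore cannot help here."
    return
}
$candidates | Format-Table -AutoSize
$target = $candidates[0]   # the newest point that still predates the infection

# Restore-Computer reboots the machine to apply the point. Encrypted files stay
# encrypted: restore points cover system files, programs and the registry only.
Restore-Computer -RestorePoint $target.SequenceNumber -Confirm
```

After the reboot, `Get-ComputerRestorePoint -LastStatus` reports whether the restore succeeded.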
Is it possible to recover your files encrypted by Osiris Ransomware?
So far there is no free decryptor for .osiris files. You can recover them from a backup made before the infection. Some files may also be recoverable from Volume Shadow Copies. File-encrypting ransomware normally deletes the shadow copies as soon as it runs, and Locky is no exception, but the deletion sometimes fails: deleting shadow copies requires administrative rights, for example, and the malware does not always have them. If your PC is hit by this ransomware and you have no backup, it is therefore worth checking for surviving shadow copies, which can be browsed and restored with ShadowExplorer.
Try using ShadowExplorer to restore them; here is the guide on how to restore files with ShadowExplorer.
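As an added example (not from the article or from the ShadowExplorer project), this PowerShell script does the same job from the command line: it lists surviving shadow copies, maps each to a drive letter, and copies one file out of the newest snapshot of C: through a directory symbolic link. The file path, mount point and destination folder are assumptions. Run it elevated on the cleaned machine and send recovered copies to a different drive so they do not land on top of the .osiris files.

```powershell
# Added example, not from the article or the ShadowExplorer project.
# Lists surviving shadow copies and copies a file out of one. Run elevated
# on the cleaned machine; write recovered files to a different drive.
#Requires -RunAsAdministrator

function Get-SurvivingShadowCopy {
    # Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID share the
    # \\?\Volume{GUID}\ form, which is how a snapshot maps to a drive letter.
    $volumes = Get-CimInstance -ClassName Win32_Volume
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Sort-Object InstallDate -Descending |
        ForEach-Object {
            $vol = $volumes | Where-Object DeviceID -eq $_.VolumeName
            [pscustomobject]@{
                Created      = $_.InstallDate
                Drive        = $vol.DriveLetter
                DeviceObject = $_.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
            }
        }
}

function Restore-FromShadowCopy {
    param(
        [Parameter(Mandatory)] [string] $DeviceObject,
        [Parameter(Mandatory)] [string] $RelativePath,   # path below the volume root
        [Parameter(Mandatory)] [string] $Destination,    # folder on another drive
        [string] $MountPoint = 'C:\ShadowMount'          # must not already exist
    )
    # A directory symbolic link exposes the snapshot as a normal path.
    # The trailing backslash on the target is required.
    cmd.exe /c mklink /d $MountPoint "$DeviceObject\" | Out-Null
    try {
        $source = Join-Path $MountPoint $RelativePath
        if (-not (Test-Path -LiteralPath $source)) {
            throw "Not present in this snapshot: $RelativePath"
        }
        New-Item -ItemType Directory -Path $Destination -Force | Out-Null
        # Snapshot contents are read-only, so copy, never move.
        Copy-Item -LiteralPath $source -Destination $Destination -Force
        Get-Item -LiteralPath (Join-Path $Destination (Split-Path $RelativePath -Leaf))
    }
    finally {
        # rmdir removes only the link; the snapshot itself is untouched.
        cmd.exe /c rmdir $MountPoint | Out-Null
    }
}

# Usage (file path, destination and drive letter are assumptions for the example).
$copies = @(Get-SurvivingShadowCopy)
if ($copies.Count -eq 0) {
    'No shadow copies left: the ransomware deleted them, or none were ever taken.'
} else {
    $copies | Format-Table -AutoSize
    $newest = $copies | Where-Object Drive -eq 'C:' | Select-Object -First 1
    if (-not $newest) {
        'No snapshot of C: survived.'
    } else {
        Restore-FromShadowCopy -DeviceObject $newest.DeviceObject `
            -RelativePath 'Users\bob\Documents\report.docx' -Destination 'D:\Recovered'
    }
}
```

Do this before anything else writes heavily to the disk: shadow storage is limited, and Windows discards the oldest snapshots as new ones are created.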
How to prevent Osiris Ransomware?
To avoid being attacked by such file-encrypting ransomware, here are several useful suggestions for you:
Don’t open attachments in unsolicited email. The ransomware is distributed mainly as email attachments that pose as invoices and trick you into opening a document whose macro downloads and installs Locky. Treat attachments in such messages with suspicion and never open one you do not trust.
Don’t enable macros just because a document asks you to. Office macros can be useful, but they are also a common infection vector; enable them only for documents from sources you trust, and never in an attachment that arrived by email. Where possible, turn them off by policy so that the Enable Content prompt never appears.
Back up your important files regularly. Make a backup of your files from time to time and keep a recent copy off-site or on media that is disconnected when not in use; a backup on a drive or share that stays attached will be encrypted along with everything else. With a good backup you can recover the files if your computer is infected with Osiris Ransomware without paying anyone.
Keep the software and system updated. Outdated software, such as browsers and Flash Player, may contain vulnerabilities that malware exploits. Updating installed software to the latest versions closes those holes.
Download and install an anti-malware program. A current anti-malware program can warn you about harmful items when you visit malicious websites or download harmful content, and can block the ransomware before it runs.
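As an added example (not from the article), this PowerShell script applies the macro advice above as an Office policy for the current user, so that the Enable Content button which launched Osiris does not appear. The registry paths are the documented per-user Office policy keys for Office 2013 (15.0) and Office 2016 (16.0); choosing value 4 (disable all macros without notification) over 3 (signed macros only) is this example's assumption. On domain-joined machines the same values should come from Group Policy rather than a script.

```powershell
# Added example, not from the original article. Enforces the macro advice
# through the per-user Office policy keys. VBAWarnings 4 = disable all macros
# without notification (3 = allow digitally signed macros only);
# blockcontentexecutionfrominternet 1 = block macros in files carrying the
# Mark-of-the-Web (downloaded or saved from email), honoured by Office 2016.

$apps     = 'Excel', 'Word', 'PowerPoint'
$versions = '15.0', '16.0'

foreach ($ver in $versions) {
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

# Read the values back the way an auditor or compliance scanner would.
function Get-OfficeMacroPolicy {
    foreach ($ver in $versions) {
        foreach ($app in $apps) {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
            $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                App               = "$app $ver"
                VBAWarnings       = $p.VBAWarnings
                BlockFromInternet = $p.blockcontentexecutionfrominternet
            }
        }
    }
}
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Because these live under the Policies hive, users cannot override them from the Trust Center; a value of 4 is the right default for users who never need macros, and 3 for those who run signed ones.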
If your computer is infected with this Locky variant, follow the guide above to remove Osiris Ransomware completely, then try ShadowExplorer to restore the encrypted files. Alternatively, right-click a file you want to restore, select Properties and open the Previous Versions tab; if a version from before the infection is listed, select it and click Restore. Both methods rely on shadow copies, so they work only if Osiris Ransomware failed to delete the Volume Snapshot Service data on the computer.