Osiris ransomware: decryption and removal tips
Stay on top of the Locky ransomware campaign and its newest variant that uses the .osiris file extension and creates OSIRIS-[victim’s_ID].htm ransom notes.
The makers of the Locky ransomware appear to be constantly busy tweaking their code so that their creation remains a moving target for security analysts. The latest change is more drastic than the previous few updates. First, the format of encrypted file names has changed significantly: they now consist of 36 hexadecimal characters, as opposed to 32 in earlier editions. The cybercrooks have obviously done this to add extra entropy. The infection also now uses double dashes to partition these strings of characters. Another major shift is that the new file names are given the .osiris extension.
This update also changed the names of the ransom notes. The files formerly called -INSTRUCTION.html/bmp have been replaced by OSIRIS-[victim’s 4-char ID].htm. The ransomware drops these notes into every encrypted folder and leaves a copy on the desktop, too. The BMP version of the note is not left as a separate file for the user to open; instead, it is set as the desktop wallpaper and takes up most of the screen. The wording is unchanged: the infected user is told that their files were encrypted with the RSA-2048 and AES-128 ciphers, with further instructions following the warning proper.
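The naming scheme above (36 hex characters split by double dashes plus the .osiris extension, and OSIRIS-xxxx.htm notes) is enough to triage a file listing for affected folders. The following is an added example, not code from the original article or from any vendor tool; the group sizes inside the 36 hex characters, the alphanumeric victim ID, and the sample paths are assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Encrypted-file name layout described for the Osiris variant: 36 hex characters,
# split into groups by double dashes, followed by the .osiris extension. The group
# sizes are not assumed here; only the total of 36 hex digits is checked.
OSIRIS_FILE_RE = re.compile(r"^(?P<body>[0-9A-Fa-f]+(?:--[0-9A-Fa-f]+)+)\.osiris$")
# Ransom note layout: OSIRIS-<4-char victim ID>.htm (ID assumed alphanumeric).
OSIRIS_NOTE_RE = re.compile(r"^OSIRIS-[0-9A-Za-z]{4}\.htm$", re.IGNORECASE)

def is_osiris_encrypted(name: str) -> bool:
    """True if a file name matches the 36-hex, double-dash, .osiris scheme."""
    m = OSIRIS_FILE_RE.match(name)
    return bool(m) and len(m.group("body").replace("--", "")) == 36

def is_osiris_note(name: str) -> bool:
    """True if a file name looks like an OSIRIS-xxxx.htm ransom note."""
    return OSIRIS_NOTE_RE.match(name) is not None

def triage_listing(paths):
    """Return {folder: {"encrypted": count, "note": bool}} for every folder with an indicator."""
    encrypted = Counter()
    notes = set()
    for p in paths:
        wp = PureWindowsPath(p)  # handles backslash paths on any host OS
        folder, name = str(wp.parent), wp.name
        if is_osiris_encrypted(name):
            encrypted[folder] += 1
        elif is_osiris_note(name):
            notes.add(folder)
    return {d: {"encrypted": encrypted[d], "note": d in notes}
            for d in sorted(set(encrypted) | notes)}

# Constructed sample listing (not real data): two folders hit, one near-miss
# name with only 24 hex digits, and an untouched document.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\8D2A6F1B--3C4E--9A01--5F6E7D8C--0A1B2C3D4E5F.osiris",
    r"C:\Users\alice\Documents\1F2E3D4C--AB12--CD34--5E6F7A8B--9C0D1E2F3A4B.osiris",
    r"C:\Users\alice\Documents\OSIRIS-A3F1.htm",
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Pictures\1234ABCD--1234--5678--9ABCDEF0.osiris",
    r"C:\Users\alice\Desktop\OSIRIS-A3F1.htm",
]

if __name__ == "__main__":
    for folder, info in triage_listing(SAMPLE_LISTING).items():
        print(f"{folder}: {info['encrypted']} encrypted, note={info['note']}")
```

Feeding it a real directory walk (for example the output of `dir /s /b`) gives a per-folder view of the blast radius before any cleanup or recovery starts.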
Other than these tweaks, the Osiris ransomware sticks with the modus operandi of the other Locky iterations. It is still circulating via multiple spam waves. One of these campaigns stands out, though, because it relies on rogue Excel invoices. When a user receives one of these by email and opens the attached .xls file, he or she is presented with a blank spreadsheet and a security warning. The popup states that macros have been disabled for this document and recommends that the would-be victim rectify this by clicking the “Enable Content” button. Once this happens, a piece of Visual Basic for Applications (VBA) code immediately downloads a malicious DLL and runs it, and the Osiris ransomware is installed silently in the background.
The above-mentioned HTM ransom notes instruct the victim to visit a resource called the Locky Decryptor page using the Tor Browser. Then, they are supposed to use the Bitcoin address indicated there to submit 0.5 BTC ($390) for the private decryption key and automatic decryptor. Instead of opting for the ransom route, try the tips below.
Osiris ransomware removal
It’s usually quite easy to get rid of the offending program itself. Ransom Trojans are easy targets for antimalware suites once the data encryption has been performed. That does not make removal any less necessary, because the infection may cause further damage, especially together with the modules that often accompany it, such as password stealers.
1. Download, install and run Osiris removal software. Click the Start New Scan button and wait until the suite completes a thorough system checkup.
2. When the scan results are readily available, go to Fix Threats and let the program do its cleaning job.
Workarounds to recover .osiris encrypted files
Unless security researchers or AV labs release a dependable decrypt tool, recovering the scrambled files is somewhat of a lottery. However, there are techniques that ransomware victims shouldn’t fail to try before considering the buyout suggested by the criminals. Be sure to peruse and implement the methods below.
1. Backups
First and foremost, download backup copies of your important data from an offsite storage unaffected by the ransomware. In case you hadn’t had a backup strategy before the breach occurred, proceed to the next step. Also, start maintaining secure backups of the most valuable information so that attacks like this one won’t cause that much damage in the future.
2. Shadow Copies
Osiris is coded to obliterate Shadow Copies of its victim’s files, which are data snapshots automatically made by the operating system. The ransomware has reportedly failed to complete this task in some cases, though. An important prerequisite of successful recovery is the ‘enabled’ status of the System Restore feature prior to the compromise. There are two ways to take advantage of this functionality built into Windows.
- Previous Versions Based on Restore Points
Select any encrypted file, right-click on it and go to Properties. Now proceed to the Previous Versions tab. If the OS had been making snapshots of this file during system restore events, it will display the list of available file versions. Highlight the latest one and select Copy to recover it to a new path on the computer. Clicking the Restore button will reinstate the file in its original location.
- ShadowExplorer
The applet called ShadowExplorer is meant to automate data recovery based on VSS (Volume Snapshot Service). If that’s the workflow of your choice, download and install the tool. Run it, select the local drive name and the folder of interest, right-click on it, hit the Export option and follow further prompts to get the job done.
3. Forensic Tools
The data-scrambling routine employed by most ransomware deletes the original files, leaving only their encrypted copies as the objects of the ransom bargain. Erasing information from a hard drive is only truly irreversible when the data is overwritten multiple times, which ordinary deletion does not do. It may therefore be possible to restore files using utilities like Data Recovery Pro. Simply run the app and see whether it can do the trick.
Look before you leap into secure computing
Now that you have hopefully recovered your files, make sure the Osiris ransomware will make no more trouble. Consider scanning the system for executables and leftover registry keys added by the infection. Double-checking is also a good idea because some of the newer variants of crypto malware are accompanied by other threats such as rootkits and identity theft programs. So run the scan again and see whether or not you are completely safe.