Severity scale: 99/100

Osiris ransomware virus. How to Remove? (Uninstall Guide)

Type: Ransomware

Locky reborn: Osiris ransomware makes its appearance

The Osiris virus is a new version of the notorious Locky file-encrypting malware, this time named after the Egyptian god. Locky's authors evidently have an interest in ancient mythology, since earlier versions were named after Norse figures such as Odin, Thor and the Aesir.[1] The first outbreak of the Osiris file virus was observed on December 5, 2016. The new version appears to be significantly improved and currently evades most antivirus engines (at the time of writing the detection ratio was 8/56). The virus behaves like traditional ransomware: it enters the system as a Trojan, silently installs itself on the victim's computer and then scans the entire system for a list of target file types. Each file matching the target extension list is encrypted with AES-128, and the AES key is in turn protected with RSA-2048. Each encrypted file receives the .osiris extension and loses its original name, which the ransomware replaces with a string of the form [8 symbols]-[4 symbols]-[4 symbols]-[8 random symbols]-[12 random symbols]. The first 16 symbols (the first three groups) represent the victim's ID.

After encryption, the virus drops a ransom note named OSIRIS-9b28.html into every folder it touched, including the desktop. The note links to the Wikipedia articles on RSA-2048 and AES-128 so the victim understands what has been done to their data, and explains that decryption is only possible with a private key held by the virus' authors. To buy it, the victim has to install the Tor browser and visit a unique payment site (each victim gets their own). Finally, Osiris replaces the desktop wallpaper with the traditional Locky wallpaper (black background with red text). Like previous Locky versions, Osiris offers the Locky Decryptor [2] for 0.5-4 Bitcoins. Bitcoin is the virtual currency almost all ransomware demands, because paying in it helps the criminals stay anonymous; the victim is told to buy Bitcoins online and transfer them to the provided wallet. All victims are advised to remove the Osiris file extension virus as soon as possible and scan the system with a powerful anti-malware tool such as Reimage, Plumbytes or Webroot SecureAnywhere AntiVirus. The computer needs a thorough clean-up because the latest Locky versions also deliver additional malware and enrol infected computers into botnets. Do not try to remove Osiris manually, as you can do more harm than good to your PC.
Osiris ransomware changes desktop picture
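To make the naming scheme and the ransom note concrete, here is an added triage script (not part of the original guide or the malware's own code) that walks a file listing, picks out files renamed to the 8-4-4-8-12 .osiris pattern, extracts the 16-character victim ID from the first three groups, and counts the OSIRIS-xxxx.html notes. It assumes, as Locky IDs do, that the groups are hexadecimal digits and that the four characters after "OSIRIS-" vary per victim; the file listing is constructed for the example.

```python
import re
from collections import Counter

# Name pattern the page describes: 8-4-4-8-12 character groups plus .osiris.
# Assumption (not stated on the page): the groups are hex digits, as Locky
# victim IDs are. The first three groups (16 characters) form the victim ID.
ENCRYPTED_NAME = re.compile(
    r"^(?P<vid>[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4})-"
    r"[0-9A-F]{8}-[0-9A-F]{12}\.osiris$",
    re.IGNORECASE,
)

# Ransom note name as given on the page (OSIRIS-9b28.html). The 4-hex-digit
# suffix is assumed to vary per victim, so any 4 hex digits are accepted.
RANSOM_NOTE = re.compile(r"^OSIRIS-[0-9A-F]{4}\.html?$", re.IGNORECASE)


def victim_id(filename):
    """Return the 16-character victim ID (dashes removed, upper case), or None
    if the name does not follow the Osiris scheme."""
    m = ENCRYPTED_NAME.match(filename)
    return m.group("vid").replace("-", "").upper() if m else None


def is_ransom_note(filename):
    return RANSOM_NOTE.match(filename) is not None


def triage(paths):
    """Split a listing into encrypted files, ransom notes and untouched files,
    and count encrypted files per victim ID. A share hit from several
    infected hosts shows up here as several distinct IDs."""
    ids = Counter()
    encrypted, notes, untouched = [], [], []
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1]
        vid = victim_id(name)
        if vid:
            ids[vid] += 1
            encrypted.append(p)
        elif is_ransom_note(name):
            notes.append(p)
        else:
            untouched.append(p)
    return {"encrypted": encrypted, "notes": notes,
            "untouched": untouched, "victim_ids": dict(ids)}


# Constructed sample listing for the example (not real victim data).
SAMPLE_LISTING = [
    r"C:\Users\bob\Documents\A1B2C3D4-E5F6-0718-9ABCDEF0-123456789ABC.osiris",
    # Decoy: the fourth group has 10 characters, so it is not an Osiris name.
    r"C:\Users\bob\Documents\A1B2C3D4-E5F6-0718-0011223344-FFEEDDCCBBAA.osiris",
    r"C:\Users\bob\Documents\OSIRIS-9b28.html",
    r"C:\Users\bob\Desktop\OSIRIS-9b28.html",
    r"C:\Users\bob\Documents\budget.xlsx",
    r"\\fileserver\share\11111111-2222-3333-44444444-555555555555.osiris",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    print(len(result["encrypted"]), "encrypted files")
    print("victim IDs:", result["victim_ids"])
    print(len(result["notes"]), "ransom notes")
```

Run it over the output of `dir /s /b` (or a `find` listing from a mounted image) to scope an incident: the victim ID count tells you how many infected machines wrote to a share, and the note locations tell you which directory trees were reached.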

If your files have been compromised by the latest Locky variant, you may be weighing whether to pay the ransom. We understand that personal files are extremely important and that nobody wants to lose them in half an hour or less. Organizations such as hospitals or governments cannot afford to lose all of their data because they simply cannot function without it, so there are a number of cases in which institutions paid an enormous ransom to decrypt their data (for example, Hollywood Presbyterian Medical Center paid $17,000[3]). However, there have also been cases in which victims paid and never heard back from the perpetrators. Therefore, we suggest you make Osiris removal a top-priority task. If you are a home user, you can restore some of your files from storage devices such as a USB stick or CD, or better still from the hard disk that holds your backup. Sadly, without a backup, there is no reliable way to recover the data. We strongly recommend that all victims read the FBI's announcement [4] on ransomware to learn how to protect their files from data-encrypting malware.

Distribution tendencies

Recent reports show that current Locky versions are distributed via spam emails whose subject line reads something like "Photo/Scan/Document from office". Such emails carry a malicious .zip attachment which, once extracted, yields a .vbs file. If curiosity wins and the victim opens this file, the destructive ransomware chain starts: the .vbs script quickly contacts remote servers and, without the user's permission, downloads Locky to the system. The virus runs without showing any setup dialogs or notifications and encrypts all files within minutes.

Besides, a new distribution technique was spotted recently: Locky has been spreading via Facebook messages in the form of a photo_9166.svg file [5]. Like previous versions, the Osiris file extension virus also asks you to enable macros in an attached document. In either case the downloader fetches a DLL installer, places it in the %Temp% folder with a .spe extension (you may notice such files there), and then launches it with rundll32.exe. In addition, beware of a spam email titled "New(910)", an example of which is reproduced below:

From: Savannah [Savannah807@victimdomain.tld]
Reply-To: Savannah [Savannah807@victimdomain.tld]
Date: 12 December 2016 at 09:50
Subject: New(910)

Scanned by CamScanner


Sent from Yahoo Mail on Android

Beware also of scam messages claiming that an email was "unsuccessfully delivered"; there has been a tendency to embed malware in such messages [6]. Osiris is also delivered in more sophisticated ways, for example through exploit kits and Trojans: reportedly it can be dropped by the Pony Trojan, Nemucod and other malicious software. To learn more about how Locky is disseminated, see the page Locky virus: modus operandi, distribution, and removal methods.
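The infection chain described in this section (a script host running the extracted .vbs downloader, then rundll32.exe loading a .spe DLL from %Temp%) is easy to express as detection logic over process-creation telemetry. The following is an added example, not code from the original guide or any vendor product; it uses Sysmon Event ID 1 field names (ParentImage, Image, CommandLine) but the events themselves are constructed for the example, and the .spe export name "qwerty" is an arbitrary placeholder.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 field names; the
# values are made up for this example, not captured from a real infection).
EVENTS = [
    # Stage 1: the extracted .vbs downloader is run from the zip temp folder
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\bob\AppData\Local\Temp\Temp1_scan.zip\scan_0011.vbs"'},
    # Stage 2: rundll32 launches the .spe DLL dropped in %Temp%
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\f3a9c1.spe,qwerty"},
    # Benign rundll32 use from a system location: must not fire
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll"},
    # Unrelated process: must not fire
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\bob\notes.txt"},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def basename(path):
    """Last path component, lower-cased, for Windows or forward-slash paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event):
    """Return the names of all rules that fire on a single event."""
    hits = []
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"]

    # Stage 1: a script host executing a .vbs out of the user's Temp area,
    # where archive tools extract email attachments.
    if image in SCRIPT_HOSTS and re.search(r"\.vbs\b", cmd, re.I) \
            and TEMP_DIR.search(cmd):
        hits.append("vbs_downloader_from_temp")

    # Stage 2: rundll32 loading anything from %Temp% is suspicious on its
    # own; a .spe module there matches the Osiris drop described on the page.
    if image == "rundll32.exe" and TEMP_DIR.search(cmd):
        hits.append("rundll32_loads_from_temp")
        if re.search(r"\.spe\b", cmd, re.I):
            hits.append("rundll32_spe_locky_osiris")

    # Lineage: a script host spawning rundll32 ties the two stages together.
    if image == "rundll32.exe" and parent in SCRIPT_HOSTS:
        hits.append("rundll32_child_of_script_host")
    return hits


def scan(events):
    """Return (index, rule names) for every event that triggers at least one rule."""
    flagged = []
    for i, e in enumerate(events):
        hits = detect(e)
        if hits:
            flagged.append((i, hits))
    return flagged


if __name__ == "__main__":
    for idx, rules in scan(EVENTS):
        print(idx, EVENTS[idx]["Image"], rules)
```

The rules deliberately layer a generic signal (rundll32 loading from %Temp%, script host running from %Temp%) under the Osiris-specific one (.spe), so the logic keeps firing on later Locky variants that change the extension but not the technique.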

Eliminating Osiris ransomware – mission possible?

The Osiris virus must be eliminated properly. It belongs to one of the most dangerous crypto-ransomware families in the world and should not be underestimated: it deeply compromises the system and can pull in additional tools to carry out further illegal activity on the computer. Therefore, we suggest removing it with an anti-malware tool. To start Osiris removal, restart your PC as instructed below. Lastly, keep in mind that even if your software and operating system are kept automatically updated to lower the risk of ransomware, your own caution matters just as much [7].


Method 1. Remove Osiris using Safe Mode with Networking

Step 1: Reboot your computer to Safe Mode with Networking
Windows 7 / Vista / XP
  • Click Start > Shut down > Restart > OK.
  • When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
  • Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
  • At the Windows login screen, click the Power button, then hold Shift and click Restart.
  • Select Troubleshoot > Advanced options > Startup Settings and click Restart.
  • Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
Step 2: Remove Osiris

Log in to the infected account and start the browser. Download a legitimate anti-malware program such as Reimage, update it before running a full system scan, and remove the malicious files that belong to the ransomware to complete Osiris removal.

If the ransomware blocks Safe Mode with Networking, try the next method.


Method 2. Remove Osiris using System Restore

Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
  • Click Start > Shut down > Restart > OK.
  • When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
  • Select Safe Mode with Command Prompt from the list.
Windows 10 / Windows 8
  • At the Windows login screen, click the Power button, then hold Shift and click Restart.
  • Select Troubleshoot > Advanced options > Startup Settings and click Restart.
  • Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
Step 2: Restore your system files and settings
  • Once the Command Prompt window shows up, type cd restore and press Enter. (On Windows Vista and later, rstrui.exe lives in System32 itself, so if cd restore reports that the directory does not exist, simply proceed to the next step.)
  • Type rstrui.exe and press Enter.
  • When the System Restore window appears, click Next and select a restore point dated before the Osiris infiltration, then click Next.
  • Click Yes to start the system restore.
Once your system is restored to a previous date, download Reimage (or another reputable anti-malware tool) and scan your computer to make sure that Osiris removal was successful.

Bonus: Recover your data

The guide above is meant to help you remove Osiris from your computer. To recover your encrypted files, we recommend the detailed guide prepared by 2-spyware.com security experts.

Files encrypted by the .osiris file extension ransomware are practically useless unless you have a backup or are willing to buy the decryption tool from the criminals (which we do not recommend). No decryption tool is currently known, but you can still try the following data recovery methods:

Data Recovery Pro to rescue some files

Data Recovery Pro might not recover every file, but it may restore some.

Search for Windows Previous Versions

If System Restore (System Protection) was enabled before the infection, take advantage of it now. Be aware that Locky variants are known to delete Volume Shadow Copies, in which case no previous versions will be listed. Follow these steps to restore individual files:

  • Find an encrypted file you need to restore and right-click on it;
  • Select "Properties" and go to the "Previous versions" tab;
  • Check the available copies of the file under "Folder versions", select the version you want to recover and click "Restore".

Finally, you should always think about protection against crypto-ransomware. To protect your computer from Osiris and other ransomware, use a reputable anti-spyware program such as Reimage, Plumbytes, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

Olivia Morelli - Malware analyst


Comments on Osiris ransomware virus

Osher
FK osiris grrrrrrrrrrr

ou tai
Can't decrypt - does anybody know how to do it?

Elaine_1980
Stupid virus. I have a backup, but this virus wastes my time. How annoying is that...

Lydia
Oh, let me guess. The next variants are probably gonna be titled Horus ransomware, Abydus ransomware and Isis ransomware?

Tafeaz
Another Locky variant... insane...
