Remove Osiris ransomware / virus - 2021 update

removal by Olivia Morelli - - | Type: Ransomware

Osiris virus Removal Guide

What is Osiris ransomware virus?

Osiris ransomware is a still active malware that comes from the notorious Locky family

Osiris virus is a ransomware that operates as a new version of the prevalent Locky ransomware. It seems that the authors of the virus have been especially interested in ancient mythology since they have been naming every ransomware version after a certain Norse god, for instance, Odin, Thor, or Aesir.[1]

The first outbreak of the Osiris virus was observed on December 5, 2016. The new version of this ransomware appears to be significantly improved and bypasses the detection of many antivirus programs (currently, the detection ratio is 31/56).

The virus acts like traditional ransomware – Osiris ransomware invades the system using spam technique or exploiting detected system vulnerabilities. Once it gets into the victim’s computer, it starts snooping the entire system for a list of target file types. Each file that meets the list of the targeted file extensions gets strongly encrypted using RSA-2048 and AES-128 encryption ciphers.

As a result, each file then gets .osiris file extension and loses the original file name because the ransomware replaces it with a set of symbols [8 symbols] – [4 symbols] – [4 symbols] – [8 random symbols] – [12 random symbols]. The first 16 symbols represent the victim’s ID. If you can see such changes in your file names, make sure you run ReimageIntego to double-check your computer and, in case it detects this ransomware, remove Osiris ransomware from it.

Osiris ransomware virusOsiris ransomware is one of the most important versions of an infamous Locky virus. It comes together with infected email attachments and encrypts victim's files right after that

Once the encryption procedure is finished, the virus adds a ransom note OSIRIS-9b28.html to every folder, including the desktop. The ransom note contains Wikipedia links to articles about RSA-2048 and AES-128 encryption ciphers to help the victim understand what the virus has done to the personal data. The note explains that the decryption is possible only with a special decryption key which is known only to authors of this virus. To buy it, the victim has to install a Tor browser and visit a unique payment website (each victim gets their own one).

Finally, Osiris ransomware changes the desktop picture with the traditional Locky wallpaper (black background with a red text). Ransomware, just like the previous versions of Locky, suggests buying Locky Decryptor[2], which sells for 0.5-4 Bitcoins. BTC is a virtual currency that almost all ransomware virus demands. Paying in Bitcoins helps criminals stay anonymous. The victim is asked to buy Bitcoins online and then transfer them to provided Bitcoin wallet.

All victims are advised to take care of the virus elimination as soon as it locks their files. The computer needs to be cleaned professionally because the latest versions of Locky are delivering additional malware to systems and also enrolling infected computers into botnets. Please do not try to remove Osiris ransomware manually, as you can do more harm than good to your PC.

Why should you NEVER pay the ransom fee

If your records have been compromised by the latest Locky ransomware variant, you might start thinking about whether to pay the ransom or not. We understand that personal files are extremely important and that no one wishes to lose them in half an hour or less.

However, organizations like hospitals or governments cannot allow themselves to lose all data because they just cannot function without it, so there are lots of cases when certain institutions paid an enormous ransom to decrypt encrypted data (for example, the Hollywood Presbyterian Medical Center paid $17,000[3]).

There were some cases when victims paid the ransom but never received an answer from perpetrators. Therefore, we suggest you make Osiris ransomware removal a top-priority task. If you are a home user, you can restore some of your files from data storage devices like USB or CD, or even better – from a hard disk that you’ve kept your backup in. Sadly, without a backup, data recovery is impossible.

We strongly recommend all victims read the FBI’s announcement[4] about ransomware viruses to learn how to protect their files from data-encrypting malware.

The distribution methods used by ransomware developers

Recent news shows that current Locky versions are currently distributed via obfuscated emails with the “Photo/Scan/Document from office” line in the Subject line. Such emails contain a malicious attachment (.zip file), which, once extracted, drops the .vbs file on the system.

If the victim lets the curiosity win and opens this file, one simply activates the destructive ransomware payload. The .vbs file rapidly connects to online servers and, without the user’s permission, downloads Locky to the system. The virus activates itself without displaying any setups or notifications and encrypts all records in minutes.

Besides, a new distribution technique was spotted recently. It appears that currently, Locky spreads via Facebook messages in the form of a photo_9166.svg file[5]. Similar to the previous versions, the Osiris file extension virus also asks you to enable macro settings.

Besides, a new distribution technique was spotted recently. It appears that currently, Locky spreads via Facebook messages in the form of a photo_9166.svg file. Similar to previous versions, the Osiris file extension virus also asks you to enable macro settings. Later on, the payload is delivered via the Rundll32.exe file. Then, a DLL installer will be downloaded and placed in the %Temp% folder. You might notice these files as they bear .spe extension. In addition, beware of the spam email named “New(910).”

From: Savannah [Savannah807@victimdomain.tld]
Reply-To: Savannah [Savannah807@victimdomain.tld]
Date: 12 December 2016 at 09:50
Subject: New(910)

Scanned by CamScanner

Sent from Yahoo Mail on Android

Beware of the scams which claim “unsuccessfully delivered emails.” There has been a tendency to inject malware in such messages[6]. However, Osiris is also delivered in more sophisticated ways, for example, with the help of exploit kits and Trojans.

Reportedly, Osiris ransomware can be delivered with the help of Pony Trojan, Nemucod, and other malicious software. To learn more about Locky dissemination peculiarities, navigate to this page: Locky virus: modus operandi, distribution, and removal methods.

Remove Osiris ransomware virus immediately

Osiris virus must be eliminated properly because it is a very dangerous crypto-malware that belongs to the Locky family. It can damage your files or remove them from your computer without leaving you a chance to recover them. Once it infiltrates the system, ransomware compromises it and can use additional tools to carry out illegal activities. Therefore, to delete it and avoid problems related to this procedure, we suggest using reliable security software.

To start Osiris removal, you may need to restart your PC as instructed below because sometimes this virus tends to block its victims. Lastly, keep in mind that your personal cautiousness is significant while trying to prevent ransomware viruses[7], even if security specialists initiate constant automatic updates of your software and the operating system in general to lower the risk of ransomware.

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Osiris virus. Follow these steps

Manual removal using Safe Mode

You can try using Safe Mode with Networking if you can't launch a remover for Osiris virus. For that, you can follow these steps:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Osiris using System Restore

Use the System Restore method if Safe Mode with Networking does not help you overcome problems related to Osiris removal. In this case, you should follow a guide given below and try System Restore method:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Osiris. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with ReimageIntego and make sure that Osiris removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Osiris from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

Files encrypted by .osiris file extension ransomware are practically useless unless you have a data backup or if you are willing to buy the decryption tool from criminals (which we do not recommend doing). Although currently files cannot be decrypted with no known decryption tools, you can still try these data recovery methods:

If your files are encrypted by Osiris, you can use several methods to restore them:

Data Recovery Pro to rescue some files

Data Recovery Pro might not help to recover all files, but it might restore some. 

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Osiris ransomware;
  • Restore them.

Search for Windows Previous Versions

If you have enabled System Restore a while ago, take advantage of it now. Follow these steps to restore some individual files:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Do NOT fall for buying Locky Decrypter which belongs to hackers

You may be tricked into thinking that Locky Decrypter is a tool that you need to recover your files after infiltration of Osiris. Please, do NOT pay for it because you will be left with no money and no files. Use options provided above.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Osiris and other ransomwares, use a reputable anti-spyware, such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting Osiris ransomware virus

Stream videos without limitations, no matter where you are

There are multiple parties that could find out almost anything about you by checking your online activity. While this is highly unlikely, advertisers and tech companies are constantly tracking you online. The first step to privacy should be a secure browser that focuses on tracker reduction to a minimum.

Even if you employ a secure browser, you will not be able to access websites that are restricted due to local government laws or other reasons. In other words, you may not be able to stream Disney+ or US-based Netflix in some countries. To bypass these restrictions, you can employ a powerful Private Internet Access VPN, which provides dedicated servers for torrenting and streaming, not slowing you down in the process.

Data backups are important – recover your lost files

Ransomware is one of the biggest threats to personal data. Once it is executed on a machine, it launches a sophisticated encryption algorithm that locks all your files, although it does not destroy them. The most common misconception is that anti-malware software can return files to their previous states. This is not true, however, and data remains locked after the malicious payload is deleted.

While regular data backups are the only secure method to recover your files after a ransomware attack, tools such as Data Recovery Pro can also be effective and restore at least some of your lost data.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions

Removal guides in other languages