Severity scale: 99/100

Osiris ransomware virus. How to remove? (Uninstall guide)

Removal guide by Olivia Morelli | Type: Ransomware

Osiris ransomware is a dangerous malware hailing from Locky family

Osiris virus is a ransomware virus that operates as a new version of the notorious Locky ransomware. It seems that the authors of Locky have been especially interested in ancient mythology, since they have been naming each version of the virus after a certain Norse god, for instance Odin, Thor, or Aesir.[1]

The first outbreak of the Osiris virus was observed on December 5, 2016. The new version of this ransomware appears to be significantly improved and has been bypassing detection by many antivirus programs (at the time of writing, the detection ratio is 31/56).

The virus acts like traditional ransomware: Osiris invades the system via spam campaigns or by exploiting detected system vulnerabilities. Once it gets into the victim's computer, it scans the entire system for files matching a list of target file types. Each file whose extension is on that list is strongly encrypted using the RSA-2048 and AES-128 ciphers.

As a result, each file gets the .osiris file extension and loses its original name, because the ransomware replaces it with a string of the form [8 symbols]-[4 symbols]-[4 symbols]-[8 random symbols]-[12 random symbols]. The first 16 symbols represent the victim's ID. If you see such changes in your file names, run Reimage to double-check your computer and, in case it detects this ransomware, remove Osiris ransomware from it.

Once the encryption procedure is finished, the virus adds a ransom note named OSIRIS-9b28.html to every folder, including the desktop. The ransom note contains Wikipedia links to the articles on the RSA-2048 and AES-128 ciphers to help the victim understand what the virus has done to their personal data. The note explains that decryption is possible only with a special decryption key known only to the authors of the virus. To buy it, the victim has to install the Tor browser and visit a unique payment website (each victim gets their own).
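The two artefacts described above, the renaming scheme and the ransom note, are enough to triage a file share for Osiris damage. The following scanner is an added example, not code from the article; the naming pattern and the note name come from the text, while the alphabet of the "symbols" (assumed alphanumeric here) and the sample tree are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Naming scheme from the article: [8]-[4]-[4]-[8]-[12].osiris, the first 16
# symbols (everything before the third dash) being the victim ID. The article
# does not say which alphabet is used, so alphanumeric characters are assumed.
OSIRIS_NAME_RE = re.compile(
    r"^(?P<victim_id>[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4})"
    r"-[0-9A-Za-z]{8}-[0-9A-Za-z]{12}\.osiris$"
)
RANSOM_NOTE = "OSIRIS-9b28.html"  # note name given in the article


def parse_osiris_name(name: str):
    """Return the 16-symbol victim ID (dashes stripped) or None if no match."""
    m = OSIRIS_NAME_RE.match(name)
    return m.group("victim_id").replace("-", "") if m else None


def scan_tree(root: Path) -> dict:
    """Walk a directory tree and summarise the Osiris artefacts found in it."""
    encrypted, notes, victim_ids = [], [], set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.name == RANSOM_NOTE:
            notes.append(str(p.relative_to(root)))
            continue
        vid = parse_osiris_name(p.name)
        if vid:
            encrypted.append(str(p.relative_to(root)))
            victim_ids.add(vid)
    # Several distinct victim IDs on one share would mean several infected hosts.
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "victim_ids": sorted(victim_ids)}


def demo() -> dict:
    """Build a constructed sample tree (fake data, not a real infection) and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "A1B2C3D4-E5F6-0718-9A0B1C2D-3E4F5A6B7C8D.osiris").write_bytes(b"x")
    (root / "A1B2C3D4-E5F6-0718-DEADBEEF-0123456789AB.osiris").write_bytes(b"x")
    (root / "report.docx").write_bytes(b"x")  # untouched file, must not be flagged
    (root / "docs" / RANSOM_NOTE).write_text("<html></html>")
    (root / RANSOM_NOTE).write_text("<html></html>")
    return scan_tree(root)
```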

Finally, Osiris ransomware replaces the desktop wallpaper with the traditional Locky one (black background with red text). Just like previous Locky versions, the ransomware suggests buying Locky Decryptor[2], which sells for 0.5-4 Bitcoins. BTC is the virtual currency that almost all ransomware demands, because paying in Bitcoin helps criminals stay anonymous. The victim is asked to buy Bitcoins online and then transfer them to the provided Bitcoin wallet.

All victims are advised to take care of Osiris ransomware removal as soon as it scrambles their files. The computer needs to be cleaned professionally, because the latest versions of Locky also deliver additional malware to the system and enrol infected computers into botnets. Please do not try to remove Osiris manually, as you can do more harm than good to your PC.

Why should you NEVER pay the ransom fee

If your files have been compromised by the latest Locky ransomware variant, you might be wondering whether to pay the ransom. We understand that personal files are extremely important and that nobody wants to lose them in half an hour or less.

However, organizations like hospitals or governments cannot afford to lose all their data, because they simply cannot function without it, so there are many cases in which institutions paid an enormous ransom to decrypt their data (for example, the Hollywood Presbyterian Medical Center paid $17,000[3]).

There have also been cases in which victims paid the ransom but never received an answer from the perpetrators. Therefore, we suggest you make Osiris removal a top-priority task. If you are a home user, you can restore some of your files from storage devices like a USB stick or CD, or, even better, from the hard disk you keep your backup on. Sadly, without a backup, data recovery is impossible.

We strongly recommend that all victims read the FBI's announcement[4] about ransomware to learn how to protect their files from data-encrypting malware.

The distribution methods used by ransomware developers

Recent news shows that current Locky versions are distributed via obfuscated emails that carry a “Photo/Scan/Document from office” line in the Subject field. Such emails contain a malicious attachment (a .zip file) which, once extracted, drops a .vbs file on the system.

If the victim lets curiosity win and opens this file, they activate the destructive ransomware payload. The .vbs file quickly connects to online servers and, without the user's permission, downloads Locky to the system. The virus runs without displaying any setup screens or notifications and encrypts all files within minutes.

Besides, a new distribution technique was spotted recently. It appears that Locky currently spreads via Facebook messages in the form of a photo_9166.svg file[5]. Similarly to previous versions, the Osiris file extension virus also asks you to enable macro settings. Later on, the payload is delivered via the Rundll32.exe file. Then a DLL installer is downloaded and placed in the %Temp% folder; you might notice these files, as they bear the .spe extension. In addition, beware of the spam email titled “New(910)”:

From: Savannah [Savannah807@victimdomain.tld]
Reply-To: Savannah [Savannah807@victimdomain.tld]
Date: 12 December 2016 at 09:50
Subject: New(910)

Scanned by CamScanner

Sent from Yahoo Mail on Android

Beware of scams that claim an email was “unsuccessfully delivered”; there has been a tendency to inject malware into such messages[6]. However, Osiris is also delivered in more sophisticated ways, for example with the help of exploit kits and Trojans.
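A mail gateway can flag the lure described above (a known subject line plus a .zip attachment carrying a .vbs dropper) before it reaches a user. This triage routine is an added example, not code from the article; the subject strings come from the text, while the script extensions checked, the constructed sample message and its attachment name are assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Lure subjects quoted in the article; the script extensions are an assumption.
SUSPECT_SUBJECTS = ("photo from office", "scan from office",
                    "document from office", "new(910)")
SCRIPT_EXTS = (".vbs", ".js", ".wsf")


def build_sample() -> bytes:
    """Constructed sample resembling the 'New(910)' lure; not a real capture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("CamScanner_0912.vbs", "' placeholder text, no payload\n")
    msg = EmailMessage()
    msg["From"] = "Savannah <Savannah807@victimdomain.tld>"
    msg["Subject"] = "New(910)"
    msg.set_content("Scanned by CamScanner\n\nSent from Yahoo Mail on Android\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="New(910).zip")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Flag a message when its subject matches a lure or a zip attachment holds a script."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").lower()
    reasons = []
    if any(s in subject for s in SUSPECT_SUBJECTS):
        reasons.append(f"subject matches known lure: {msg['Subject']}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:  # inspect the archive listing only; nothing is extracted or run
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as z:
                scripts = [n for n in z.namelist() if n.lower().endswith(SCRIPT_EXTS)]
        except zipfile.BadZipFile:
            reasons.append(f"unreadable zip attachment: {name}")
            continue
        if scripts:
            reasons.append(f"zip {name} contains script(s): {', '.join(scripts)}")
    return {"quarantine": bool(reasons), "reasons": reasons}
```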

Reportedly, Osiris ransomware can be delivered with the help of the Pony Trojan, Nemucod, and other malicious software. To learn more about how Locky is disseminated, see this page: Locky virus: modus operandi, distribution, and removal methods.

How can I remove Osiris virus?

The Osiris virus must be eliminated properly, because it is a seriously dangerous crypto-malware belonging to the Locky family. It can damage your files or remove them from your computer without leaving you a chance to recover them. Once it infiltrates the system, the ransomware compromises it and can use additional tools to carry out illegal activities on it. Therefore, to delete it and avoid problems during this procedure, we suggest using reliable security software.

To start Osiris removal, you may need to restart your PC as instructed below, because this virus sometimes blocks its victims from launching security tools. Lastly, keep in mind that your own caution matters greatly in preventing ransomware[7], even when security specialists keep your software and operating system automatically updated to lower the risk of ransomware.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By downloading any provided anti-spyware software to remove Osiris ransomware virus you agree to our privacy policy and agreement of use.
Reimage is recommended to uninstall Osiris ransomware virus. The free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of the Reimage malware removal tool.

More information about this program can be found in Reimage review.

Manual Osiris virus removal guide:

Remove Osiris using Safe Mode with Networking

Reimage is a tool to detect malware.
You need to purchase Full version to remove infections.
More information about Reimage.

You can try using Safe Mode with Networking if you can't launch a remover for the Osiris virus. To do so, follow these steps:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Osiris

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Osiris removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Osiris using System Restore

Use the System Restore method if Safe Mode with Networking does not help you overcome problems related to Osiris removal. In this case, follow the guide below:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point dated before the infiltration of Osiris. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you have restored your system to a previous date, download Reimage and scan your computer with it to make sure that Osiris removal has been performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Osiris from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

Files encrypted by the .osiris file extension ransomware are practically useless unless you have a data backup or are willing to buy the decryption tool from the criminals (which we do not recommend). Although there is currently no known decryption tool for these files, you can still try the following data recovery methods:

Data Recovery Pro to rescue some files

Data Recovery Pro might not help recover all files, but it might restore some.

Search for Windows Previous Versions

If you enabled System Restore a while ago, take advantage of it now. Follow these steps to restore individual files:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to the “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.

Do NOT fall for buying the Locky Decrypter, which belongs to the hackers

You may be tricked into thinking that Locky Decrypter is the tool you need to recover your files after the infiltration of Osiris. Please do NOT pay for it, because you will be left with no money and no files. Use the options provided above.

Finally, you should always think about protection against crypto-ransomware. To protect your computer from Osiris and other ransomware, use a reputable anti-spyware program such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti-Malware.

About the author

Olivia Morelli, Ransomware analyst


  • Tafeaz

    another locky variant… insane…

  • Lydia

    Oh, let me guess. The next variants are probably gonna be titled Horus ransomware, Abydus ransomware and Isis ransomware?

  • Elaine_1980

    Stupid virus. I have a backup, but this virus wastes my time. How annoying is that…

  • ou tai

    Can't decrypt. Does anybody know how to do it?

  • Osher

    FK osiris grrrrrrrrrrr