Remove OSIRIS ransomware and decrypt .osiris extension files


A brand-new iteration of the deleterious Locky ransomware is out. Expert reports about the update started to appear on December 5, which is almost a fortnight after the ZZZZZ precursor surfaced. The latest tweak means that the files affected by Locky will now have the .osiris extension appended to them, hence the generic name of the new heir to the throne that never stays vacant. It’s worth mentioning that the crooks in charge now opt for the Egyptian mythology-based version naming principle, the term “Osiris” standing for the god of death and afterlife. So, what other features – aside from the extension – make the current edition unique? It’s also different in terms of the ransom notes, which are called DesktopOSIRIS.htm and DesktopOSIRIS.bmp. These two will emerge on the desktop of a contaminated machine. The perpetrating app also has the OSIRIS-[random_chars].htm edition of the decryption manual in store for individual folders with scrambled files.

Osiris ransomware compromise

The format of filename changing is preserved in its well-settled form that Locky victims and researchers have been familiar with for months. The ransomware still replaces the original values with 32 hex characters, so an arbitrary entry will assume a look similar to this: B6CEF2B2-3F94-24I8-2D71-B675D3N44C41.osiris. The threat actors thus make it unfeasible to work out what file this was prior to being scrambled. The data at risk includes documents, images, videos, databases and numerous other types of important files located on the hard disk, network shares and removable drives such as thumb memory sticks or external HDDs. The scan for personal information is a barely conspicuous process, so a victim is unlikely to notice it unless they remark an increase in CPU usage.

Misleading spam mailout notification with Osiris payload attached

Although the Osiris build of the Locky plague is a sophisticated infection, it proliferates over old-school methodology. Its distribution is all about spam. The criminals are in cahoots with botnet operators so that the ransomware payload can be delivered to thousands of end users via spoof emails. The subjects of these messages impose a sense of urgency. Some examples include failed delivery notifications, order details, receipts, subscription cancellation, invoices and attractive job offers. In a recent phishing campaign, the attackers claim on behalf of one’s ISP that the recipient’s email account is involved in disseminating spam. To learn more, the user may end up opening a JS or VBS file with supposed spam mailout logs and thereby unknowingly activate the infection chain.

Facebook spam with malicious SVG file

Another highly intricate hoax currently in rotation has to do with an SVG file, which denotes an XML-based image format. This booby-trapped photo is sent to would-be victims via Facebook’s instant messenger. Once a user opens it, they catch a piece of malware called Nemucod. This Trojan, in its turn, will download the Osiris ransomware in a furtive fashion. All in all, although it may seem counterintuitive, the complex crypto hoax in question spreads by means of social engineering rather than some cool hacking tricks.

The OSIRIS[random-chars].htm and DesktopOSIRIS.html/.bmp ransom notes tell the victim to download and install Tor Browser, and then type their unique .onion URL in the address field. Doing so will bring up the Locky Decryptor page, which contains a final walkthrough for file decryption. In particular, the user is supposed to purchase 0.5 Bitcoins (or a different amount specified on that page), send the cryptocurrency to the bad guys’ Bitcoin address, wait for payment verification and then download the automatic decryption tool. Essentially, the infected people are bound to buy ad hoc software that has the private decryption key built in. However, law enforcement agencies and analysts recommend ransomware victims to refrain from paying up unless the locked data is absolutely vital. Instead, it’s worthwhile to try and restore the .osiris files through a few alternative methods.

Osiris virus removal

As counterintuitive as it is, removal of this particular threat is not too complicated unlike the cleanup scenarios for screen lockers, which represent another group of ransomware infections on the loose. The main challenge in regards to Osiris is getting personal files back without having to do what the extortionists want. Basically, this means you can get rid of the malady using efficient security software without much of a hindrance, but options for recovering the encrypted data are a matter of a separate discussion, which we will touch upon in this guide as well.

Let’s now outline a rather easy and perfectly effective way of ransomware removal from a contaminated computer. Please follow the directions below step by step:

Now you’ve got both some good and bad news. On the one hand, Osiris is gone from your computer and won’t do any further damage. On the other, your files are still encrypted, since elimination of the malware proper does not undo its previous misdemeanors. In the next section of this guide we will highlight methods that may help you restore your data.

  1. Download and install HitmanPro.Alert
  2. Supports: Windows XP, Vista, 7, 8, 8.1, 10
  3. Open the program, click on the Scan computer button and wait for the scan to be completed
  4. When HitmanPro.Alert comes up with the scan report, make sure the Delete option is selected next to the ransomware entry and other threats on the list, and get the infections eliminated by clicking on the Next button

Now you’ve got both some good and bad news. On the one hand, Osiris is gone from your computer and won’t do any further damage. On the other, your files are still encrypted, since elimination of the malware proper does not undo its previous misdemeanors. In the next section of this guide we will highlight methods that may help you restore your data.

Restore encrypted files using Shadow Copies

As it has been mentioned above, despite successful removal of Osiris the compromised files remain encrypted with the AES algorithm. While it does not appear possible to obtain the key for decryption in this case even with brute-forcing, you can try to restore previous versions of these files either using the native Windows functionality or the application called Shadow Explorer. Please note that this method is only applicable in case you have System Restore enabled on your PC, and the versions of the files that you can recover this way may not be the most recent. It’s definitely worth a try, though.

Getting your files back using Previous Versions functionality


Windows provides a feature where you can right-click on an arbitrary file, select Properties and choose the tab called Previous Versions. Having done that for a particular file, you will view all versions of it that were previously backed up and stored by the so-called Volume Shadow Copy Service (VSS). The tab also provides the history of these backups by date.
In order to restore the needed version of the file, click on the Copy button and then select the location to which this file is to be restored. In case you would like to replace the existing file with its restored version, click the Restore button instead. Conveniently enough, you can have whole folders restored the same way.

Restoring encrypted data with Shadow Explorer utility


Besides the built-in Windows functionality highlighted above, you can use an application that will restore previous version of entire folders for you. It’s called ShadowExplorer. Once you download and launch this program, it will display all of your drives as well as a list of dates when Shadow Copies were generated. Simply pick the desired drive and date for restoration, as shown on the following screenshot:
Right-click on the directory you wish to restore and choose Export in the context menu. This will be followed by a request to indicate where you would like to restore the information to.

Use automatic recovery software

It might sound surprising, but Osiris does not encrypt one’s actual files. It deletes them. What does get encrypted is the copies. This brings us to the point where a specific type of software can be used for dragging the original data out of memory, where it ended up after the erasure. Efficient recovery tools can work wonders in these ransomware scenarios.

Download and install Recuva by Piriform to give this restoration vector a shot. By running a computer scan with Recuva, you will get a list of all recoverable files and be able to reinstate them to their original location or another place of choice.

Bottom line

Osiris poses a critical risk to one’s personal information therefore the focus security-wise should be made on prevention. In this context, some basic precautions can do the trick: refrain from opening email attachments from unknown senders and schedule regular antivirus software updates. Furthermore, performing data backups is a remarkable habit that will help evade the adverse after


Please enter your comment!
Please enter your name here