Osiris ransomware: decrypting .osiris extension files

This article contains the entirety of facts about the Osiris variant of Locky ransomware and provides a number of methods to restore encrypted .osiris files.

Most ransom Trojans come and go, but only few stick around for months or even years. The ransomware called Locky falls into the latter category. Discovered in February this year, it has been on a steady upward curve in terms of distribution ever since. Moreover, its makers appear to be constantly busy prepping new updates of their malady. In a recent move, the threat actors released an edition that the InfoSec community dubbed the Osiris ransomware. This one arrives with spam, encrypts data with RSA-2048 and AES-128 cryptographic algorithms, and concatenates the .osiris extension to all mutilated files. The malicious code also cripples filenames so that the victim can no longer work out which document, image, video, or database a certain .osiris entry corresponds to.

Files with the .osiris extension and HTM ransom note

The attack is only complete as long as the felons’ demands are stated clearly. To this end, the infection creates ransom notes called OSIRIS-[random_4_chars].htm and DesktopOSIRIS.htm. These files are accessible with the victim’s default web browser. According to these decryption walkthroughs, the user is supposed to install Tor Browser and enter a unique personal URL in it to visit Locky Decryptor page. The rest of the recovery workflow involves a payment of the extorted ransom. The malefactors claim to provide the private decryption code and ad hoc tool in exchange for 0.5 Bitcoins. Of course, it’s up to every infected user whether they should pay or not, but this may turn out to be a futile undertaking. Just like real-world criminals, cybercrooks are untrustworthy a priori.

The ne’er-do-wells at the helm of the Osiris (Locky) ransomware campaign still engage a botnet to spew out rogue emails with the malicious payload in them. As technically complex as this crypto threat is, it reaches computers through commonplace social engineering. The spam emails may be disguised as invoices, ISP complaints, job offers and the like. The latest spam wave involves phishing emails titled “Amount Payable” that lures recipients into opening the attachment. A lot of these unsafe files are Microsoft Word and Excel documents, which tell users to enable VBA macros and thus execute the ransomware.

Due to its fairly good cryptographic practices, the Osiris file virus is not decryptable for free. Meanwhile, paying the ransom is not an option for the overwhelming majority of infected users. The section below highlights a viable trade-off between losing data and submitting digital cash to the attackers.

How to recover .osiris files without submitting the ransom

A brief disclaimer: the techniques described below do not actually decrypt the locked data. Instead, they provide viable workarounds for exploiting probable imperfections of the way that this virus implements the crypto and handles the victim’s files. Although it’s premature to assert whether or not these tips will do the trick in your situation, nothing more efficient has been invented to date. Without further ado, peruse the following methods to mitigate the harm from the ransomware compromise.

  • Use Volume Shadow Copy Service (VSS) to your advantage

    In case you didn’t know, Shadow Copies represent Microsoft Windows’ feature for file backup. The operating system makes point-in-time snapshots of files over the course of critical updates and the creation of System Restore points. Normally, the Zepto ransom Trojan disables VSS on early stages of the attack, but chances are it fails to.

    Nevertheless, it certainly won’t hurt to try this: for a start, download and install Shadow Explorer app. It is a free solution that displays the file hierarchy in a user-friendly way and automates the process of retrieving the previous versions of files and folders. You can easily export data by right-clicking the object of interest and selecting the corresponding option as shown on the picture below.

    Shadow Explorer

  • Try data recovery software

    These types of solutions were originally designed for forensic purposes as well as to restore the information that was obliterated accidentally or due to hardware failures. Their scope of use has expanded with the emergence of cryptographic infections like Osiris. Again, this isn’t a cure-all, but it may help under certain circumstances. So go ahead and download ParetoLogic’s Data Recovery Pro, have your computer scanned for recoverable data and follow the program’s directions to proceed with the file rescue activity.

    Data Recovery Pro

  • Use backups, they’re indispensable

    Nothing beats backups when ransomware attacks your computer. No matter if your files are backed up to an external piece of hardware or a cloud provider, everything can be downloaded back to the machine in a few clicks. Just make sure you have removed the ransomware before retrieving the data, otherwise the crypto routine will repeat.

Prevent ransomware attacks further on

In order to be a moving target for crypto malware like Osiris, it’s recommended to patch potentially vulnerable software (Adobe Flash Player, Java) on a regular basis, refrain from opening fishy email attachments, keep macros in Microsoft Office documents disabled, use a dependable antimalware suite, and of course maintain secure backups of the most valuable files.