Osiris : A New Variant of Locky Ransomware Distributed via Excel


Osiris ransomware is a newly identified variant of Locky Ransomware which aggressively ready to hit the Windows PC. The ransomware developers moved away from the Norse gods into Egyptian mythology by using .osiris file extension. This file extension used only a couple of weeks after the use of .aesir file extension. It has switched between the numerous extension since its initial appearance has occurred in February when it was used the .locky file extension to encrypt the files. Some other variants that spotted are Odin, Thor, and Zepto.

The interesting thing about this new Locky ransomware is that it uses the malicious Excel documents for the distribution. It attached itself to the spam emails which pretends to be invoiced, these documents are usually hidden inside the Zip archives which contain macros. When you opens the Excel spreadsheet, a blank sheet named Лист1 will be displayed and promoted to enable the macros to view the content. The name of sheet appears in Ukrainian which means Sheet1.

When the user enables macros, a VBA macro will fire that downloads and executes a DLL file by using Rundll32.exe. The downloaded file is usually saved in the %Temp%folder which does not show the DLL extension because it has been renamed. If you really do not want to become a victim of such a ransomware variant then you should not open any attachments that sent from the unknown senders.

Once it installed on your PC successfully, it behaves the same as another variant of Locky ransomware. It would search the network shares and local drives to encrypt your stored files. It appends .osiris file extension at the end of a file to encrypt them. On the completion of the encryption process, it drops a ransom note which described actually what happened to your files. It also asks the user to pay the ransom note in order to get a unique decryption tool. But you have to think twice before paying off the ransom amount. There is no any guarantee provided by expert that you will get the decryption key even paying off ransom money.

Unfortunately, there is no possibility to decrypt the encrypted .osiris files by the Locky ransomware even paying the ransom fee. You can recover your encrypted files via backup or Shadow Volume Copies. Though, the variant of Locky ransomware does attempt to remove the copies of Shadow Volume rarely. If you do not have a backup then, it is always suggested by an expert to restore your files by using the Shadow Volume Copies.

Posted in Latest News. Tagged with , .

Leave a Reply

Your email address will not be published. Required fields are marked *