Table of Contents
Although the authors of the new Osiris ransomware sell their decryptor to victims for Bitcoins, it may be possible to restore .osiris files in a different way.
What is OSIRIS ransomware?
The lineage of the Locky ransomware derivatives has been supplemented with another sample lately. The currently active objectification of this uncrackable strain uses the .osiris extension to brand all encrypted files, hence the name of the edition. The new extension, though, is not the only change visible to the naked eye. The Osiris variant also leaves a different set of ransom notes. As opposed to the previous iteration, the ransomware now leverages one format for the data recovery manual. It creates help files called OSIRIS-[4_chars].htm, where the variable string is composed of random hexadecimal characters. Yet another evident alteration is the pattern of jumbled filenames, which now consist of 5 groups of characters separated by double hyphens.
Just like before, the Osiris file virus embeds a graphical edition of the ransom note into the victim’s preferred desktop wallpaper. The scary effect from this activity is intended to make the infected user scrutinize the decryption steps even if they don’t open the HTM ransom notes. According to the walkthrough, the recovery presupposes that the user installs Tor Browser and visits their personal Locky Decryptor Page. The use of this particular browser, rather than a regular one, makes the traffic anonymous and therefore keeps the attackers from being tracked down.
When on the Locky Decryptor Page, the victim will see a bunch of links to Internet resources that provide Bitcoin exchange services. By purchasing 0.5 BTC and sending the cryptocurrency to the adversary’s Bitcoin address, the user will supposedly be able to get the automatic decryption tool that’s claimed to reinstate all the .osiris files on the plagued computer.
The Osiris ransomware is spreading via a social engineering hoax. The threat actors in charge have launched a massive spam campaign disseminating contagious Excel documents to thousands of people around the globe. The spreadsheet attached to these emails is disguised as an invoice. If a user chooses to open this .xls file, what they will see is a blank document that generates a security warning. This notification says that macros have been disabled and recommends the user to click the “Enable Content” button. By hitting this button, the victim unwittingly activates a macro that downloads a DLL installer of the Osiris infection.
Unfortunately, the cryptographic side of Osiris is immaculate. Therefore, there is no way to circumvent the RSA-2048 and AES-128 algorithmic hurdle unless the private RSA key is added to the mix. This decryption key resides offsite, so the attacker is the only one who has it. Nevertheless, it may be possible to get .osiris files back by means of alternative recovery mechanisms.
Automatic removal of the Osiris virus
When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the adware gets found and eradicated from the affected computer.
1. Download and install the cleaning tool and click the Start Computer Scan button Download OSIRIS removal tool
2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get OSIRIS automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.
Recover .osiris files ciphered by the ransomware
Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.Option 1: Backups
The cloud works wonders when it comes to troubleshooting in the framework of ransomware assault. If you have been keeping data backups in a remote place, just use the respective feature accommodated by your backup provider to reinstate all encrypted items.Option 2: Recovery tools
The research of OSIRIS virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. In the meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can be dragged out of memory via certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try.
The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which performs files or volumes backup routine automatically. One critical prerequisite in this regard is to have the System Restore feature toggled on. In case it has been active, some data segments can be successfully recovered.
You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.
Previous Versions feature
Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on a preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory.
Shadow Explorer applet
It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it come up with a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed.
Did the problem go away? Check and see
Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.