Locky ransomware goes Egyptian style with Osiris extension


People behind the famous ransomware named Locky have decided that it’s time to put a coat of fresh paint on their creation. So they’re stepping away from Norse mythology and go for the Egyptian one instead. Encrypted files now get the ‘.osiris’ extension appended to them. This new variation of familiar threat is getting distributed through spam emails that contain Excel attachment within them. It has macros that, if you execute it, downloads and installs Locky. Your data gets encrypted after it happens and there’s currently no way to decrypt it other than using a decryption key. In other words – it’s still as dangerous as it was before and the Egyptian theme shouldn’t distract you from what’s important – you losing access to your files.

Keep in mind that spam emails are disguised as invoices that try to make you think that you need to make a payment. Nothing can be further from the truth and you can be absolutely sure that you don’t have any debts that need to be paid. And even if you do, you’re notified about this from corporate emails, not from random ones.

Still, if you open the file that’s attached, you’re treated to an empty sheet and then you’re asked to enable macros. The sheet is called “Лист1” which means that this threat probably comes from Russia. If the macros are enabled, the VBA macro downloads a .dll file which is downloaded into the %Temp% folder and then executed by using Rundll32.exe. Those .dll files don’t have a usual .dll extension – they carry other names, for example .spe. The command that’s used for executing the Locky DLL is C:\Windows\System32\rundll32.exe” %Temp%\shtefans1.spe,plan.

After the installation is finished, the scan process begins. Files are then encrypted and renamed by using a following scheme – [first_8_chars_of_id]–[next_4_chars_of_id]–[next_4_chars_of_id]–[8_hexadecimal_chars]–[12_hexadecimal_chars].osiris. So the file which was called “Night.jpg” could, for example, be renamed to “11111111–1111–1111–FC8BB0BA–5FE9D9C2B69A.osiris”.

Once the encryption process is done, you’re given a ransom note which explains how to pay a ransom. Notes have names of DesktopOSIRIS.bmp, DesktopOSIRIS.htm and OSIRIS-[4_numbers].htm. We should point out that at the moment there seems to be a bug which leads to two ransom notes not getting their correct names. %UserpProfile%\DesktopOSIRIS.bmp and %UserProfile%\DesktopOSIRIS.htm should be saved to the Desktop as OSIRIS.bmp and OSIRIS.htm. However, the trailing backslash after Desktop is not added, so data is just stored in the %UserProfile%.

Osiris can also be distributed through malvertising. It may be waiting within banners, Pop-Up ads and other things like this and, if you click on those, your PC gets infected. You need to be very careful while browsing the Internet and refrain from clicking on anything that seems like it can be trouble – ignore your curiosity.

As we’ve mentioned above, there’s currently no way to decrypt affected files without using the decryption key. So, unless you want to try and pay $1880 ransom, which is not advised to do, you can only use your data again if you restore it from backup. There’s also a possibility of using Shadow Volume Copies but you need to have luck on your side for this to play out. Locky usually deletes Shadow Volume Copies but, sometimes, isn’t able to do so. So there’s a small glimmer of hope but don’t hold your breath for it. This is the situation where avoiding a problem is a lot better than dealing with it, so stay away from suspicious emails and everything should be fine with the computer.


Please enter your comment!
Please enter your name here