Osiris Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 9
First Seen: December 7, 2016
Last Seen: February 10, 2022
OS(es) Affected: Windows

The Osiris Ransomware belongs to a batch of variants of the Locky Ransomware family that have been released in the final months of 2016. The Osiris Ransomware identifies the files it encrypts through the use of the extension '.Osiris,' which come from the ancient Egyptian religion. This follows a pattern used in threats such as the '.thor' Ransomware, which also uses a mythological god in order to identify its threat. The Osiris Ransomware encrypts the victim's files to make them inaccessible and then demands the payment of a ransom. During its attack, the Osiris Ransomware will replace the files' names with random characters followed by the extension mentioned above. The Osiris Ransomware delivers a ransom note in the form of an HTML file, as well as changes the victim's desktop wallpaper image. The Osiris Ransomware attack is typical of these infections, essentially taking the victim's files hostage until the victim agrees to pay a large ransom of 2.5 BitCoin (approximately $2000 USD).

An Underworld God Resurrected to Cause Harm to Innocent Files

The Osiris Ransomware attack is quite simple and a typical variant in these attacks. Since the first appearance of the Locky Ransomware family, countless variants of the threat have often been observed appearing in batches or waves and connected by common characteristics in their ransom notes or attacks. This points to the possibility of the Locky Ransomware family being a part of a RaaS (Ransomware as a Service) campaign, where con artists lease out their ransomware threats to other con artists to create attacks without having to go through the development process of creating a ransomware Trojan. Like other ransomware Trojans active today, the Osiris Ransomware encrypts the victim's files using a strong encryption algorithm, then demands that the victim pays a large ransom in exchange for the decryption key.

Understanding How the Osiris Ransomware may Infect a Computer

The most common way in which the Osiris Ransomware is distributed is through the use of corrupted email attachments, often taking advantage of vulnerabilities in certain applications to download and install this threat. Because of this, one of the best ways to prevent the Osiris Ransomware infection is to handle unsolicited email messages with care and avoid file attachments or embedded links that may install the Osiris Ransomware or other threats on the victim's computer.

The following is the full text of the Osiris Ransomware ransom note, contained in its HTML file and desktop image:

All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about RSA and AES can be found here:
hxxp://en.wikipedia.org/wiki/RSA (cryptosystem)
hxxp://en.wikipedia.org/wiki/Advanced Encryption Standard
Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:
If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: hxxp://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialisation.
3. Type in the address bar:
4. Follow the instructions on the site.
!!! Your personal identification ID: D56F3331E80D9E17 !!!'

This is a text that has been observed in various other variants of the Locky Ransomware family. When victims of the attack connect to the payment website, they receive the following message:

'Locky Decryptor™
We present a special software - Locky Decryptor™ -
which allows to decrypt and return control to all your encrypted files.
How to buy Locky Decryptor™?
You can make a payment with BitCoins, there are many methods to get them.
You should register BitCoin wallet:
Simplest online wallet or Some other methods of creating wallet
Purchasing Bitcoins, although it's not yet easy to buy bitcoins, it's getting simpler every day.
Send 2.5 BTC to Bitcoin address: 1BkR8zL6jAn8zcF4t6FM85DYLFG1dZ12ip
Note: Payment pending up to 30 mins or more for transaction confirmation, please be patient...
Refresh the page and download decryptor.
When Bitcoin transactions will receive one confirmation, you will be redirected to the page for downloading the decryptor.'


Patrick Sheldon Reply

I have a friend that open an email which later encrypted his documents and pictures. research this and found that it was the Osiris virus. is there a way to decrypt his document and pictures.

I have been infecter by OSIRIS 2e62 in my dropbox. how can i get ride od it?

Is there anyway to decipher the already encrypted files without having to use the Tor program?


Most Viewed