2016 was the year of ransomware, and Osiris played a big role. Numerous businesses, institutions, schools and even churches have had to deal with the most unpleasant surprise of finding their files encrypted and hijacked by hackers, and many have had to pay significant amounts in bitcoin to get their valuable data back, some with good results, while many are still waiting for the promised decryption to be delivered. Understanding the facts about Osiris ransomware gives insight into this malware and into what you can do to prevent and remove it.
As ransomware continues to spread this year (and it seems it’s here to stay), desperate posts are flooding the web asking “how to remove Osiris ransomware”. And, while different vendors have products to remove the dreaded “Egyptian curse”, the difficulty remains that the strong encryption and more sophisticated design of Osiris, compared to some of its peers, make it difficult to decrypt without paying for the key or getting ransomware removal professionals involved. Let’s examine some interesting Osiris ransomware facts:
- A family of dreadful deities: Osiris is not a new malware at all, but an evolution of the infamous Locky. Locky’s developers have maintained the ransomware continuously and relaunched it in different versions, each release named after a mythological god; hence the predecessors of Osiris include Odin, Thor and Aesir. The name is visible in the extension given to files encrypted by the malware, so “.osiris” is the extension of a file encrypted by Osiris. An even more interesting connection is suggested by Palo Alto Networks, which links Locky and its variants (Osiris included) with the creators of the Dridex banking malware, given similarities in their distribution schemes.
- Vehicles of deception: Speaking of distribution, sending the ransomware as an email attachment remains the constant, while the shape of these emails varies but seems highly credible to many users. Subjects containing the words “Invoice”, “DHL”, “FEDEX” or “UPS” have tricked people who were actually expecting a bill or a delivery into opening the attachment, normally an Excel or Word file that asks the user to enable macros; this is how the payload is delivered. Another highly successful distribution style was via Facebook, where, after receiving an image via Facebook IM, users would download it and install a Trojan named “Nemucod”, according to some sources. Several iterations of the infection indicate that it is also being used in spear-phishing campaigns; for instance, an affected business stated that the “invoice” file appeared to come from a reputable law firm they deal with regularly. To become more familiar with the style of the messages that deliver Osiris, see the following malware traffic resource.
- Operation and singularities: Given its main distribution via Excel spreadsheets that require macros to be enabled, Osiris ransomware typically targets Windows systems, leveraging VBA macros that download a DLL file (typically with a .spe extension) and use Rundll32.exe to execute it. Once installed, it starts looking for files to encrypt and changes their names to random character sequences, so with Osiris it is immediately noticeable to users that something is wrong with their files. According to BleepingComputer, a glitch in the Osiris code means it does not leave its usual instructions message on the user’s desktop, but in the user’s folder. You can find a visual step-by-step of the malware’s operation in their article.
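The two behaviours just described, rundll32.exe launched from an Office process to run a .spe DLL and documents being renamed to the “.osiris” extension, are the kind of thing endpoint telemetry can flag. The following is an added detection example, not code from the original article or from any vendor; the event records and their field names are a constructed, simplified schema, not real Sysmon or EDR output.

```python
# Added example: flag the Osiris loader and encryption behaviours described above.
# The event dicts below are constructed samples in a hypothetical schema.
import re
from typing import Optional

OFFICE_PROCS = {"excel.exe", "winword.exe"}

# Constructed sample events: "proc" = process creation, "rename" = file rename.
SAMPLE_EVENTS = [
    {"type": "proc", "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\a1b2c3.spe,qwerty"},
    {"type": "proc", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "rename", "src": r"C:\Users\alice\Documents\budget.xlsx",
     "dst": r"C:\Users\alice\Documents\X8F2A9C1-77B3-4E5D-91A0-3C2B1D0E9F4A.osiris"},
    {"type": "rename", "src": r"C:\Users\alice\Documents\draft.docx",
     "dst": r"C:\Users\alice\Documents\draft_v2.docx"},
]

def basename(path: str) -> str:
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_process(ev: dict) -> Optional[str]:
    """Flag rundll32 spawned by Excel/Word whose command line loads a .spe DLL,
    the macro-to-DLL loader chain the article attributes to Osiris."""
    if basename(ev["image"]) != "rundll32.exe":
        return None
    if basename(ev["parent"]) not in OFFICE_PROCS:
        return None  # rundll32 from explorer or services is everyday Windows noise
    if re.search(r"\.spe\b", ev["cmdline"], re.IGNORECASE):
        return f"office->rundll32 loading .spe DLL: {ev['cmdline']}"
    return None

def check_rename(ev: dict) -> Optional[str]:
    """Flag a rename whose destination carries the .osiris extension."""
    if basename(ev["dst"]).endswith(".osiris"):
        return f"file renamed to .osiris: {ev['src']} -> {ev['dst']}"
    return None

def scan(events: list) -> list:
    """Run both checks over a list of events and return the alert strings."""
    alerts = []
    for ev in events:
        hit = check_process(ev) if ev["type"] == "proc" else check_rename(ev)
        if hit:
            alerts.append(hit)
    return alerts
```

A single .osiris rename is already a strong signal; in practice you would also rate-limit on many renames per minute from one process, since benign software never produces that extension.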
- A profitable business: After all that has been said, the proliferation of Osiris boils down to business, and big business it is. According to research by the Herjavec Group, the hackers behind ransomware campaigns (in general, not Locky or Osiris specifically) managed to collect nearly 1 Billion USD in 2016. This shows how efficient the strategy is and how valuable data is to businesses and individuals nowadays. An interesting analysis by Enigma Software suggests that Osiris and other Locky variants are actually being “leased” and used as MaaS, or Malware as a Service, given the appearance and disappearance of the malware in dissimilar campaigns. The fact that both mass distribution and targeted distribution to sensitive targets have been observed also seems to support the theory that several criminal groups are using the same tool to perpetrate their crimes.
- Paying the ransom might not get your data back: The last interesting Osiris ransomware fact concerns payment. While there have been instances where the hackers delivering the malware did decrypt the files, there are many others where the victims never got a response after paying. Besides that, hackers using Locky change their Command and Control servers quickly, and many campaigns have been observed to be very fast, trying to get as much as possible from the infection without staying active long enough to be traced. Faced with a choice between honouring the decryption that was paid for and the risk of exposure, hackers will not give thorough follow-up to every request. Another detail to note is that even when files have been decrypted, many are likely to have become unusable after the attack. All these reasons indicate that it is better to spend your money on preventing ransomware, or on having Osiris ransomware professionally removed, than on paying the ransom.