Once again, the developers of the Locky Ransomware have decided to change the extension of encrypted files.  This time, the ransomware developers moved away from Norse gods and into Egyptian mythology by using the .osiris extension for encrypted files.

Early this morning, R0bert R0senb0rg tweeted that Locky was now appending the .osiris extension to files encrypted by the ransomware. Later, operations6 tweeted that this campaign is being distributed through Excel email attachments that contain macros to download and install Locky.

Files encrypted with the OSIRIS Locky Ransomware Variant
Files encrypted with the OSIRIS Locky Ransomware Variant

Unfortunately, there is still no way to decrypt Locky encrypted files for free.

Locky OSIRIS variant being distributed via fake Excel Invoices

Thanks to Jiri Kropac, I was able to receive some SPAM emails are being used to spread the OSIRIS Locky ransomware. These emails pretend to be invoices that contain a subject of Invoice Inv[random_numbers] and contain a zip attachment with a name like Invoice_Inv[random_numbers].xls

Locky OSIRIS Variant SPAM Email
Locky OSIRIS Variant SPAM Email

When the Excel spreadsheet is opened a user will be greeted with a blank sheet that prompt the user to enable macros. An interesting characteristic of this workbook is that the name of the sheet is Лист1, which is Ukrainian for Sheet1. This may indicate the origins of the developers. 

Update 12/6/16, a visitor named Simbelmayne posted in the comments stating that this is not Ukrainian, but a Russian localization of Excel.

Excel Spreadsheet Distributing Locky
Excel Spreadsheet Distributing Locky

When a user enables the macros, a VBA macro will fire that downloads a DLL file and executes it using Rundll32.exe.  You can see a portion of the extracted VBA macro below.

Locky Installer VBA Macro
Locky Installer VBA Macro

Locky installed by Renamed DLL Files

When the VBA macro executes it will download a DLL installer into the %Temp% folder. These DLL files will not have the normal .dll extension, but are renamed with a non-dll extension such as .spe.

This DLL file will then be executed using the legitimate Windows program called Rundll32.exe in order to install Locky on the computer.

Rundll32.exe installing Locky
Rundll32.exe installing Locky

The Locky DLL I tested was being executed with a command below. Please note that the DLL name and the export being used to install Locky will not be same in all cases.

"C:\Windows\System32\rundll32.exe" %Temp%\shtefans1.spe,plan

Once Locky is installed it will scan the computer for certain file types and encrypt them. When encrypting a file, it will scramble the name and append the .osiris exension. For example, a file called test.jpg could be renamed to 11111111--1111--1111--FC8BB0BA--5FE9D9C2B69A.osiris. The format for this naming scheme is [first_8_chars_of_id]--[next_4_chars_of_id]--[next_4_chars_of_id]--[8_hexadecimal_chars]--[12_hexadecimal_chars].osiris.

When Locky has finished encrypting the files, it will display ransom notes that provide information on how to pay the ransom. The names of these ransom notes have changed for the OSIRIS Locky variant and are now named DesktopOSIRIS.bmp, DesktopOSIRIS.htm, OSIRIS-[4_numbers].htm, and OSIRIS-[4_numbers].htm.

Locky Ransom Note
Locky Ransom Note

An interesting note about the current version being distributed is that there is a small bug in the code that does not name two of the ransom notes correctly. Normally, the %UserpProfile%\DesktopOSIRIS.bmp and %UserProfile%\DesktopOSIRIS.htm would be saved on the victim's desktop as OSIRIS.bmp and OSIRIS.htm. It seems when the developers changed the filename, they forgot to add a trailing backslash after Desktop, so the files are stored in the %UserProfile% with Desktop prepended to the intended name.

It is not possible to decrypt the Locky Ransomware OSIRIS Variant

Unfortunately, it is still not possible to decrypt .OSIRIS files encrypted by the Locky Ransomware for free.

The only way to recover encrypted files is via a backup, or if you are incredibly lucky, through Shadow Volume Copies. Though Locky does attempt to remove Shadow Volume Copies, in rare cases ransomware infections fail to do so for whatever reason. Due to this, if you do not have a viable backup, I always suggest people try as a last resort to restore encrypted files from Shadow Volume Copies as well.

 

Related Articles:

Attacks on Citrix NetScaler systems linked to ransomware actor

New Ymir ransomware partners with RustyStealer in attacks

Halliburton reports $35 million loss after ransomware attack

Critical Veeam RCE bug now used in Frag ransomware attacks

Meet Interlock — The new ransomware targeting FreeBSD servers