DAlisappi

asked on

virus encrypted files with OSIRIS extension

is there a DE-cryption tool to recover encrypted files?
ASKER CERTIFIED SOLUTION
Shaun Vermaak
Unfortunately, not.

You were probably infected by the Locky virus.

Locky installed by Renamed DLL Files
When the VBA macro executes it will download a DLL installer into the %Temp% folder. These DLL files will not have the normal .dll extension, but are renamed with a non-dll extension such as .spe.

The Locky DLL I tested was being executed with a command below. Please note that the DLL name and the export being used to install Locky will not be same in all cases.

"C:\Windows\System32\rundll32.exe" %Temp%\shtefans1.spe,plan

This DLL file will then be executed using the legitimate Windows program called Rundll32.exe in order to install Locky on the computer.
You need to remove the virus using AV software.

The only way to recover encrypted files is via a backup, or if you are incredibly lucky, through Shadow Volume Copies. Though Locky does attempt to remove Shadow Volume Copies, in rare cases ransomware infections fail to do so for whatever reason. Due to this, if you do not have a viable backup, I always suggest people try as a last resort to restore encrypted files from Shadow Volume Copies as well.
DAlisappi

ASKER

Yesterday, Jan. 27, I searched the internet for a solution. I found an organization that claims to have experience in decrypting files with the osiris extension; the company's website is redmosquito.co.uk. I am not certain of their claim. How can I be certain that they are legitimate?
Send them one file and ask them to prove it
As flawed (or poorly coded) ransomware still exists, decryption tools are still being developed and enhanced to crack the encrypted files.

You can also use an online scan service such as IDRansom (uses a sample ransom note and encrypted files) or Crypto Sheriff (a sample of encrypted files) to identify the ransomware variant (from its origin family). There are online decryption tools published. One instance is the "No More Ransom" portal, which has made available decryption tools for ransomware and its variants. Another is from the security company Emsisoft, which has a comprehensive list of decryptors.

I have compiled a common list (see the Annex in the article below) of those publicly shared tools as a snapshot (more will be developed as new variants emerge).
https://www.experts-exchange.com/articles/28059/TL-DR-Ransomware.html
I tried to copy one of the encrypted files to a USB stick and it failed or took a long time. I renamed the file to *.txt, successfully copied it to the USB stick and tried to open it, and again it failed to open... most probably out of luck.
Tried to open?
yes tried to open with a text editor.
Why? It is encrypted. Did you do that just to see if it opens?
Curious... using a stand-alone computer to open the file.
It is a Locky variant. Unfortunately, there is still no way to decrypt Locky-encrypted files for free. The Locky OSIRIS variant is being distributed via fake Excel invoices.

Once Locky is installed it will scan the computer for certain file types and encrypt them. When encrypting a file, it will scramble the name and append the .osiris extension. For example, a file called test.jpg could be renamed to 11111111--1111--1111--FC8BB0BA--5FE9D9C2B69A.osiris. The format for this naming scheme is [first_8_chars_of_id]--[next_4_chars_of_id]--[next_4_chars_of_id]--[8_hexadecimal_chars]--[12_hexadecimal_chars].osiris.

When Locky has finished encrypting the files, it will display ransom notes that provide information on how to pay the ransom. The names of these ransom notes have changed for the OSIRIS Locky variant and are now named DesktopOSIRIS.bmp, DesktopOSIRIS.htm, OSIRIS-[4_numbers].htm, and OSIRIS-[4_numbers].htm.
The only way to recover encrypted files is via a backup, or if you are incredibly lucky, through Shadow Volume Copies. Though Locky does attempt to remove Shadow Volume Copies, in rare cases ransomware infections fail to do so for whatever reason.

Likely the reason it cannot be copied over to the USB drive is also its filename; maybe you can try to shorten the name. Nonetheless, the whole file is not recognizable anymore as it is encrypted.
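As an added example (not code from this thread or from any tool named in it), a small Python triage script that applies the two indicators described above: the OSIRIS file-naming scheme and ransom-note names, and rundll32 loading a renamed, non-.dll module out of %Temp%. The sample file names and command lines are constructed, and treating the victim-ID parts of the name as hex (as in the thread's example) is an assumption.

```python
import re
from pathlib import PureWindowsPath

# OSIRIS naming scheme from the thread: [8 id]--[4 id]--[4 id]--[8 hex]--[12 hex].osiris
# Assumption (consistent with the thread's example): the victim-ID parts are hex as well.
OSIRIS_NAME = re.compile(
    r"^[0-9A-F]{8}--[0-9A-F]{4}--[0-9A-F]{4}--[0-9A-F]{8}--[0-9A-F]{12}\.osiris$", re.I)
# Ransom-note names listed for the OSIRIS variant.
RANSOM_NOTE = re.compile(r"^(DesktopOSIRIS\.(bmp|htm)|OSIRIS-\d{4}\.htm)$", re.I)
# rundll32 invocation: captures the module path and the export it calls.
RUNDLL32_CALL = re.compile(r'rundll32\.exe"?\s+"?([^",]+?)"?,(\w+)', re.I)

# Constructed sample data, not from a real incident.
SAMPLE_NAMES = [
    "11111111--1111--1111--FC8BB0BA--5FE9D9C2B69A.osiris",  # the thread's example
    "DesktopOSIRIS.htm", "OSIRIS-1234.htm", "report.xlsx",
    "notes.osiris",  # has the extension but not the naming scheme
]
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\rundll32.exe" %Temp%\shtefans1.spe,plan',  # quoted in the thread
    r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL',
]

def classify_name(name):
    """Return 'encrypted', 'ransom_note' or 'clean' for one file name."""
    if OSIRIS_NAME.match(name):
        return "encrypted"
    if RANSOM_NOTE.match(name):
        return "ransom_note"
    return "clean"

def suspicious_rundll32(cmdline):
    """True when rundll32 loads a non-.dll module from a Temp folder (the renamed-DLL loader)."""
    m = RUNDLL32_CALL.search(cmdline)
    if not m:
        return False
    module = PureWindowsPath(m.group(1))
    lowered = str(module).lower()
    in_temp = "%temp%" in lowered or "\\temp\\" in lowered
    return module.suffix.lower() != ".dll" and in_temp

def triage(names, cmdlines):
    """Count encrypted files, ransom notes and suspicious loader command lines."""
    counts = {"encrypted": 0, "ransom_note": 0, "clean": 0}
    for n in names:
        counts[classify_name(n)] += 1
    counts["suspicious_loaders"] = sum(suspicious_rundll32(c) for c in cmdlines)
    return counts
```

Run `triage(SAMPLE_NAMES, SAMPLE_CMDLINES)` against a directory listing and the process command lines from an endpoint to get a quick count of the indicators before deciding on backup or Shadow Volume Copy restoration.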