How to remove Osiris virus and restore encrypted files

A few days ago, the latest version of Locky ransomware was discovered. At first there were several reports from different malware researchers, such as Robert Rosenborg and Jiri Kropac, but now we know for sure that the Locky developers have had enough of Scandinavian mythology and have started naming their products after Egyptian gods. The new version is called Osiris, and it differs from the previous ones in some respects. Of course, the hackers' main goal was to hamper the work of malware researchers, and they did it well. But we also see changes in the distribution method, and some minor mistakes, which we will tell you about.



Let’s begin with the most important information: the ransom amount is now 2.5 BTC (about $1850). There are a few changes in the design of the ransom note, and some files are named differently, but the essence is the same: the virus encrypts your files and demands money for them. The list of targeted extensions is pretty wide, so there is no chance of protecting your files by giving them some exotic extension. The encryption algorithms used by Locky are also very strong. Actually, the AES and RSA algorithms are, for now, the strongest in the world. They are strong enough to be used by the US government, as well as by the governments and military forces of many other countries all over the world. As the virus is now called Osiris, it appends the .osiris extension to the encrypted files.



Most of the changes in this version relate to the method of distribution. We’ve received a report about it, and we know that Osiris uses an Excel spreadsheet to get onto the user’s PC. In previous versions the emails pretended to come from companies such as FedEx, Amazon, eBay or others; now the email comes from an unknown person and purports to be an invoice. It’s probably a clever move, because people assume that if somebody sends them an invoice, the sender is somehow related to their business or job. The emails are titled Invoice Inv, followed by a long string of random numbers. The Excel attachment has the same name as the email. As always, all the hackers’ efforts are aimed at getting the user to open the attachment. When he does, he sees a blank Excel sheet with a notification that macros are disabled. If the user enables macros, the VBA macro starts and initiates the download of a DLL file which, when executed, downloads the installer of the virus. This scheme is actually overcomplicated: it has too many links, any of which might prove weak and make the attack fail. But the scheme works, and we receive multiple reports about new victims of this virus.

For now, there is no way to decrypt the .osiris files, and the only method to recover them is to restore from a backup. The backup must have been saved before the virus got into the system, and must be stored in decently protected cloud storage or on external media. You can easily work out the relevant period: the virus installs itself and waits until you reboot your PC to begin the encryption process. So, if the backup was made before the last reboot, it is sound and can be used to recover the data. The other ways are unreliable and can’t guarantee you a 100% result. But if you have no choice, you can try them. All methods are described in our article about how to recover files encrypted by ransomware.

So, if you have no backup and regular data recovery methods don’t help, the only thing to do is to remove the virus from your PC. After that, gather all encrypted files in one folder and wait until a working decryption tool is released. To remove Osiris ransomware you can use our instructions for manual deletion:



Removal instruction




Step 1. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter

  • Select Boot tab

  • Select Safe boot and press Ok

More information about Safe mode: What is Safe Mode and how to boot computer in Safe Mode


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel

  • Select Appearance and Personalization

  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives

  • Press Ok


Step 3. Remove virus files


Check the following folders for suspicious files:

  • %TEMP%
  • %ProgramData%


Step 4. Fix hosts file

  • Go to %SystemRoot%\System32\drivers\etc\ folder



  • Open hosts file using Notepad or other text editor
  • Delete suspicious elements
  • Basic hosts file looks like this:



Step 5. Clean registry (for experienced users)

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean the following startup registry keys (where two hives are given, check both):
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Step 6. Scan computer with antivirus


Step 7. Disable Safe Mode and restart computer

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Remove the check near Safe boot
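
Steps 3 to 5 as a read-only PowerShell check, added here as an example and not part of the original instructions: it lists recently written .exe and .dll files in %TEMP% and %ProgramData%, the active hosts entries, and the values under the startup keys named in Step 5, so they can be reviewed before anything is deleted. The function names, the 14-day window and the file-type filter are assumptions of this example; it needs PowerShell 3.0 or later.

```powershell
# Added example: read-only triage for Steps 3-5; nothing is deleted or modified.
# Assumption: "suspicious" is narrowed to .exe/.dll files written in the last $Days days.
$Days = 14

function Get-RecentBinaries {
    param([string[]]$Roots, [int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe', '.dll' -and $_.LastWriteTime -ge $cutoff } |
            Select-Object FullName, Length, LastWriteTime
    }
}

function Get-HostsEntries {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    # On Windows Vista and later the stock hosts file holds only comment lines,
    # so every active (uncommented) entry is returned for manual review.
    Get-Content -LiteralPath $Path |
        ForEach-Object { ($_ -replace '#.*$', '').Trim() } |
        Where-Object { $_ -ne '' }
}

function Get-StartupEntries {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($sub in 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce') {
            $key = "$hive\Software\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path -Path $key)) { continue }   # legacy keys are often absent
            $item = Get-Item -Path $key
            foreach ($name in $item.GetValueNames()) {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $item.GetValue($name) }
            }
        }
    }
}

function Get-UserinitStatus {
    $key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty -Path $key -Name Userinit).Userinit
    # Default value is the path to userinit.exe followed by a trailing comma.
    [pscustomobject]@{ Userinit = $value; IsDefault = ($value -eq "$env:SystemRoot\system32\userinit.exe,") }
}

Get-RecentBinaries -Roots $env:TEMP, $env:ProgramData -Days $Days | Format-List
Get-HostsEntries
Get-StartupEntries | Format-List
Get-UserinitStatus | Format-List
```

An entry appearing in the output is not proof of infection; compare each command path and hosts line against software you know is installed before removing it.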