Remove Osiris Ransomware and Restore the Encrypted Files

My files seem to be locked somehow. At the beginning, I thought it was my brother’s joke, but he denied the matter and pointed out that it is caused by a kind of ransomware named Osiris Ransomware because his’computer had met the ransomware before. Unfortunately, he didn’t get these files back and reinstall his computer. But I don’t want to reinstall my system and just want encrypted files back. Is there an effective way to remove the ransomware? Could you help me to decrypt my files? Any help will be appreciated.

It is advised to remove the ransomware firstly, and then decrypt your important files. Please click the button below and get quick automatic removal!



Know About Osiris Ransomware


Osiris Ransomware is a latest version of Locky Ransomware, which uses RSA-2048 and AES-128 encryption algorithms (click here to learn about RSA and AES). The ransomware was discovered in December, 2016. Due to Locky designers’ admiration of ancient mythology, every version of locky ransomware is usually named after a god such as Osiris, Thor, or Aesir. Orisis originally means that an Egyptian god who is the judge of the dead. As if to deserve the name, the ransomware actually make victims feel death’ presence. Like most of traditional ransomware, it encrypts victims’ files, which is not limited to one file type. The suffix .osiris will be added to each encrypted file name. The ransomware use the pattern “[8_random_characters]-[4_random_characters]-[4_random_characters]-[8_random_characters]-[12_random_characters].osiris” to renamed these encrypted files. The first 16 characters represent victims’ ID. For example, “1.jpg” will be renamed to “D89BBG4-G8A1-8G01-AR1G6L1K-HAKK3LOHGM31.orisirs”, as shown in the figure.

(Screenshot of encrypted files)



The ransomware make encryption at the same time, creating an HTML file and changing your desktop wallpaper, whose contents are similar to HTML’s.

(Screenshot of the desktop wallpaper)



The HTML file and wallpaper convey an identical message, which tells victim that their files are encrypted with RSA-2048 and AES-128 (click here to learn about RSA and AES) so that they can’t open their files. To decrypt their files, victims need to get a private key that is stored on Orisis developers’ secret server. And it provides victims with a four-step guide to get the key, as shown.

(Screenshot of HTML file)


The texts in the ransom note:

*+=$.$|| _.
+=$++ |*|$+ $|*
!!! IMPORTANT INFORMATION !!!All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here: of your files is only possible with the private key and decrypt program, which is on our
secret server
To receive your private key follow one of the links:If all of this addresses are not available, follow these steps:1. Download and install Tor Browser:
2. After a succesful installation, run the browser and wait for initialization.
3. Type in the address bar: g46mbrrzpfszonuk.onion/{ID}
4. Follow the instructions on the site.!!! Your personal identification ID: {ID}*|*=$=+$ $*.*|$=
_$=$ $|+
*=*=++ -|-_*-.-
+=__.-+$ $-+


Are you scared when you see the ransom note? Are you eager to follow the instructions provided by the ransomware? However, you should think twice before you pay for the ransom. Please ask yourself three questions below.


  • Do you know the size of ransom? Can you afford the ransom?

According to the research, the ransom is about 2.5 Bitcoin (~1880 USD). The victim is required to buy Bitcoins online and then transfer them to provided Bitcoin wallet. Bitcoin is a virtual online currency that most of ransomware demands. The kind of cryptocurrency was published by Satoshi Nakamoto and released in January 2009. It was generated by an activity named mining. By handling transaction verification and documents, participants are reward with Bitcoin. Users usually transact Bitcoin by using electronic wallet software on personal computer, mobile device and network etc. Currently, one Bitcoin is equivalent to ~ 750 USD. Sometimes the ransom is beyond the purchase abilities of some victims. It will be worthwhile for you pay for the ransom if you don’t get encrypted files back after purchase.

  • Is the payment way safe?

It is inevitable to use your account while paying for the ransom. However, all online payments are risky because any results are probable. When the payment fails or cheats you, what would you do? If you are on legitimate payment platform, you can call the customer-service staff and ask them to give reasonable explanations. But if you can’t find contact information, what would you do? The developers may provide fake contact information in case of report. Victims have no way to report, while they can record victims’ financial information that may be used for conducting malicious activities.

  • Are you sure that you can get encrypted files after paying for the ransom?

No one can guarantee that encrypted files can be decrypted eventually. Some cunning developers may give you a key that only decrypt a part of files and then ask you to pay more money to decrypt the rest of files. But you can’t sure this time that developers say is the last time to pay for the ransom.

If you are going to insist in paying for the ransom after having considered questions above, then just do it. However, you should know that there is a better way to deal with the problem.

As mentioned, victims are not recommended to pay for the ransom because there are various risks, such as computer security risk, identify theft and information loss. Decryption is admittedly important, but removing the ransomware is also even more important. Its existence may continue to do harm to your computer and lock more files. So, you’d better remove Osiris Ransomware from your computer firstly.




How Does Osiris Ransomware Sneak Into Your PC


According to the research, most of locky versions ransomware are distributed by suspicious emails. The subject line of spam emails are written in “Photo/Scan/Document from office”. Some email attachments (.zip file) are also enclosed in spam emails. .Zip file may contain .vbs file. If the file is extracted, it will wake up dangerous ransomware payload. And then remote servers quickly is connected and send ransomware to your system. Once activated, the ransomware starts to encrypt your important files within several minutes. To avoid detection by security software, some codes will be modified. Another distribution technique of locky ransowmare is sending Facebook messages to users purposely. However, Osiris’ developers like utilizing exploit kits and Trojans to deliver Osiris. The report says that Pony Trojan, Nemucod and other malware are helpful for distribution of Osiris ransowmare. Now you have known how the ransomware sneak into your computer, so you should take care when you receive emails and open downloads.


Summary about Osiris Ransomware

Threat Name Osiris Ransomware
Category Ransomware ; Malware
Risk Level 8bar
Operating System Windows XP, Windows 7, Windows Vista, Windows 8/8.1 and Windows 10
Relevant Versions Locky Ransomware

Relationship: Osiris Ransomware is a new variant of Locky Ransomware.

Discovered Date: February 16, 2016

Ransom: 0.5 Bitcoin (equivalent to $207.63)

Other Relevant Ransomware: .Aesir Ransomware, .Thor Ransomware, .Shit Ransomware and Odin Ransomware etc.

Symptoms ① Encrypt your important folders and files ②Demand ransom ③Comprimise your computer
Ransom 2.5 Bitcoin (~1880 USD)
Distribution Methods Via spam emails, system vulnerabilities, unsafe malvertising websites, Trojan and strange downloads.
Solution Read the detailed guide below.

What about RSA and AES


In 1977, three mathematicians Ron Rivest, Adi Shamir, and Leonard Adleman created a new algorithm, which can achieve asymmetric cryptography. So the algorithm (RSA) was named after these three mathematicians. And then an English mathematician called Clifford Cocks who works for the UK intelligence agency GCHQ had developed an equivalent system in 1973. By now, RSA has been the most widely used asymmetric encryption algorithm in secure data transmission. The encryption key of RAS is public and differs from the decryption key to keep secret. The longer length of the key is, the more difficult it is to be cracked. According to the documents that have been disclosed, the longest RSA key to be crack is 768 bits. The Length of the key that is longer than 728 bits hasn’t been cracked or announced yet.





AES (Advanced Encryption Standard), as known as Rijidael, was announced by U.S. National Institute of Standards and Techonology (NIST) in 2001. It was designed by Vincent Rijmen, Joan Daemen. By the end of 2006, AES has been one of the most popular symmetric algorithms. The “Symmetric-key” is that both encryption and decryption use the same key. The key size is 128, 192 or 256 bits. The Osiris Ransomware uses AES-128 and RAS-2048.


Osiris Ransomware Removal Instruction

Reboot Your PC in Safe Mode

Use Auto-fix Tool to Remove Osiris Ransomware

File Restoring Instruction

Option One Use Windows Previous Versions feature

Option Two Use System Restore

Osiris Ransomware Removal Instruction

Reboot Your PC in Safe Mode


Windows XP / Vista / 7

Go to Start menu and click on Restart from Shutdown pop-up menu.



When Your PC is activated again, please press F8 key all the time before the Windows logo appears.



When the Advanced Boot Options menu appears, select Safe Mode by using arrow keys and hitting Enter key.



For Windows 8 & 10

Enter Power menu and then hit Restart button while holding down Shift key.



  • Windows 8 Power option menu: Move the mouse to the right side of the screen > Click Settings (gear icon) > click Power button
  • Windows 10 Power button is on the Start menu.


And then you will see a blue screen, please select Troubleshoot > Advanced options > Windows Startup Settings > click Restart button.



When you see the screen below, select 5) Enable Safe Mode with Networking by pressing F5 or 5 key.




Use Auto-fix Tool to Remove Osiris Ransomware



It is difficult to find traces of the ransomware by using manual removal method. What show up in the screen clearly are your encrypted files rather than malicious files. To prevent your files from being deleted mistakenly, you’d better use auto-fix tool to remove computer threats. With updated virus database, anti-malware programs like Spyhunter can scan the system for all types of computer threats including Worms, Trojans, Rootkits, Spyware and PUP, which may degrade computer performance. Now try to run SpyHunter to remove the pest.


Download SpyHunter by clicking on the button below.



Open SpyHunter-Installer.exe (the downloaded file) to initiate the Installation.



Select your language and click OK button.



Click Continue button when Enigma Software Installer pops up.



Opt for I accept the EULA and Privacy Policy option and click Install button.



When the setup is completed, click Exit button.



After installation is completed, run the SpyHunter, go to “Start a New System Scan” tab, and click “Scan Computer Now!



After the scan is finished, screen shows all detected items in the list (click + to read more descriptions about the infection).

Now, press “Fix Threats” button to remove detected computer threat.



Restart the computer to take effect if you are asked by the program.

File Restoring Instruction


Option One Use Windows Previous Versions feature


Choose one encrypted file, right click on it and then select Properties.



Go to Previous Versions tab, and then select one Restore points when files haven’t been encrypted in the list.



Click Restore button when you are asked whether you want to restore the previous version.




How to find your encrypted file?

Open File Explorer (My Computer icon) , select View and select Change Folder and search option in drop-down menu of Option (for Windows 8/10)



The Folder Options window pops up, you need to opt for Show hidden files and folders if you didn’t choose it before.



Click Apply and OK button to apply the changes.

Type “.osiris” in the search box and hit Enter key.



And then search results related to Osiris Ransomware come out.


Option Two Use System Restore

Before using System Restore, you’d better close other running programs, especially antivirus program.


Windows XP/7/Vista

  • Press Ctrl + Shift + Esc key to open Task Manager


Tap Processes tab, select running process and then click End Process button.




Windows 8/10

Right click the taskbar and select Start Task Manager.



Select one program and click End Task button. (Check up more processes by clicking More details)



Tip: Don’t stop processes related to system by mistaken in case of system crash.

Right click on My Computer icon and then select Properties.



Click on System protection on left side.



Press System Restore button.



In the Restore system files and settings page, you can choose Recommended restore or Choose a different restore point, and then click Next button.



Choose a restore point when Osiris Ransomware doesn’t enter your computer and then click Next button.



Click Finish button to confirm your restore point. It required you to save any open files and close all programs (see above)


Click Yes button in the pop-up window and wait for completion of System Restore.


If you don’t close the antivirus program, the System Restore will be interrupted, as shown in the figure below. You can try System Restore again and choose a different restore point. If you continue to see this error, you can try an advanced recovery method.



The pop-up window below means that System Restore completes successfully.




Click Close button.


You are suggested to do a system scan again to optimize your computer after removal and data recovery.


Plumbytes Anti-Malware is also an effective detection & removal tool. Sometimes it can detect computer threats that other antivirus programs may ignore. Now use Plumbytes Anti-Malware to scan your computer and delete potential infections that takes opportunities to enter your computer while you are troubled by Osiris Ransomware.


Click on the button below to download Plumbytes Anti-Malware.


Install Plumbytes Anti-Malware by clicking INSTALL button.




After installation is done, run Plumbytes Anti-Malware by double-clicking onopenplumbytes (or Plumbytes Anti-Malware will run automatically).

Go to OVERVIEW, and then click Run a scan.



After scan is finished, all detected items will show in the list. You should click REMOVE SELECTED.



After the removal is complete, please restart the computer to take effect.

Or Use PCkeeper Antivirus.

Download PCKeep Antivirus Installer on your computer.


Open PCKeeper Antivirus Installer, and then click Run button when a windows below appears.


Install PCKeeper Antivirus by clicking Start Install button.



After installation is finished, you need to wait for completion of Gathering Data.



After Gathering Data is completed, click Full Scan or Custom Scan button.

  • Full Scan is recommended if you want to check the whole system for viruses.
  • Custom Scan is recommended if you want to quickly check specific files or folders.


Once the scan is done, you can check the box beside File Name and then click Delete button.



Restart your computer if you are required by the program.

Warm Reminder: Hackers won’t give you decryptors or a private key even though you have paid for the ransom. Unfortunately, the safe and free decryptors for the Osiris ransomware haven’t been published. It takes some time of computer expert to create decryptor. Currently, using System Restore or Previous Version feature will be a feasible solution if you have backed your system settings up before. In a word, you can’t pay the ransom by following the instruction of the ransomware. Victims should remove the ransowmare before data recovery. To quickly and safely remove it, automatic removal tool is a better choice.





How to Remove Hades Locker Ransomware and Recover Files?

Instruction to Remove Cerber 4.0 Ransomware

Helpful Guide to Remove Anonpop Fake Ransomware



The following video offers a complete guide for Osiris Ransomware removal. You’d better watch it in full-screen mode!

Share on FacebookShare on Google+Digg thisPin on PinterestShare on LinkedInShare on TumblrShare on RedditShare on StumbleUpon