How to remove Osiris

SpyHunter is free tool to detect the virus, to delete malware you need to purchase the full version. More info about SpyHunter, uninstall guide.

Only a few weeks have passed since we told you about the last update of Locky virus, and now struck once again. A new extension is called Osiris. Obviously, the knowledge of hackers on the part of Norse mythology had exhausted, and now they will use the names of the ancient Egyptian gods. This time, however, some changes have occurred not only in the name of the program, but in the method of distribution.

Osiris ransomware virus

The latest version of Locky still spreads via spam e-mail, but now in the form of an Excel spreadsheet. The letters that contain Osiris virus pretend to be invoices and have names like Invoice Inv [12 random digits]. The letters contain zip attachment, named Invoice Inv [12 random digits].xls. The principle is the same: user receives a letter and thinks that it is somehow related to his job, or is important in some way. The letters are made in serious business manner, so user opens them automatically, and does not think that they might be dangerous.

Osiris encypts files

When the user opens the attachment, he sees an empty Excel tab, and a warning that macros are disabled, and the content is not available. The table has one interesting feature: despite the fact that the entire interface is in English, tab is called "Лист 1", which translates from Russian as "Sheet 1", and is a default name of new sheet in Excel. This feature can be a random tip about the whereabouts of the creators of the virus or the deliberate misinformation. As soon as the user turns on the macros, run a VBA macro. This macro downloads the DLL file, which runs with the help of rundll32.exe, and downloads Osiris ransomware onto user’s computer.

Further actions of the virus don’t differ from the actions of its previous versions. After penetration ist carries out the hard disk scan, searches for files that meet the requirements, and encrypts them. After the encryption on the desktop appear messages with ransom demands and all the files on the computer are renamed and become an extension .osiris.

How to remove Osiris ransomware

Removal of Osiris is the same as the removal of any other virus, and differs only in that it must be done in Safe Mode.

Step 1. Boot into Safe mode

Safe mode

Start -> Msconfig.exe

Safe mode. Step 1

On the tab Boot select Safe boot

Safe mode. Step 2

Step 2. Check Startup folder

Start -> Msconfig.exe ->Disable unknown programs in the Startup tab


Step 3. Check hosts file

Modify hosts file, that located in C:\Windows\System32\drivers\etc\ .

Hosts file.Step 1

Open the file with Notepad and delete suspicious strings.

Hosts file.Step 2

It has to look like this:

Hosts file.Step 3

Step 4. Scan the system with antiviral scanner


Special Offer

Antivirus scanner

Why we recommend SpyHunter antimalware

Detects most kind of threats: malicious files and even registry keys of malware will be found

Protects your system in the future

24/7 free support team

SpyHunter's scanner is only for malware detection. If program detects infected elements on the computer, you will need to purchase malware removal tool for $39,99 to delete threats. SpyHunter has Free Trial for one remediation and removal, subject to a 48-hour waiting period. Uninstall steps and additional information EULA , Privacy Policy and Threat Assessment Criteria.

bwd  Instructions 1/2  fwd

Step 5. Disable Safe mode

Start -> Msconfig.exe ->Disable Safe boot in the Boot tab

Deactivate Safe mode

How to decrypt .osiris files

At the moment, we cannot help you decipher the data, as the work on breaking this version of the virus is just begun. However, there are some data recovery techniques that in any case are worth to try. In addition, some sites can provide you with the most current and accurate information on the progress of Osiris ransomware research. All the necessary information about the decrypting .osiris files can be found in our article, called how to decrypt files, corrupted by ransomware.

This website uses cookies to improve your experience. If you continue using the site, we will assume that you accept our cookies policy.