December 9, 2016 - J. Gomez

Locky Ransomware Shifts to .OSIRIS Extension

Locky ransomware continues to evolve and has again changed the filename extension it appends to the files it encrypts; this time it uses the extension ".osiris" on every file it encrypts.

Locky will encrypt image files found on the system, leaving them inaccessible unless the ransom is paid to acquire the decryption keys.

Figure 1 – Example of image files

Locky ransomware uses an email lure like the one shown in Figure 2 to get victims to open attachments.

Figure 2 – Example of phishing email with Locky downloader attached

After infection, Locky encrypts files, modifies the system's desktop image, and presents an HTML page with ransom demands.

Figure 3 – Locky ransom demand page and .bmp desktop image

Ransomware like Locky is an ever-present danger in today's threat landscape and, as seen here, is under constant development to increase the chances that it evades detection and affects more victims.
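The extension change is the one observable this post gives defenders, so the following added example (not code from the Anomali post) shows how a file-activity monitor could flag an encryption burst: it counts, per host, how many files gain the ".osiris" extension inside a sliding time window. The event format, host names, file paths and the threshold are constructed assumptions; the events are assumed to arrive in time order.

```python
"""Added example: flag a Locky-style encryption burst from constructed
file-system event lines by counting files that gain ".osiris" per host
inside a sliding time window."""
from collections import deque
from datetime import datetime, timedelta

# Extension the post reports for this Locky variant.
LOCKY_EXT = ".osiris"

# Constructed sample events: "<ISO timestamp> <host> <action> <path>".
# ws01 shows a burst of renames; ws02 shows a single, unrelated file.
SAMPLE_EVENTS = """\
2016-12-09T10:00:01 ws01 CREATE C:\\Users\\a\\Pictures\\holiday.jpg
2016-12-09T10:05:00 ws01 RENAME C:\\Users\\a\\Pictures\\photo1.osiris
2016-12-09T10:05:01 ws01 RENAME C:\\Users\\a\\Pictures\\photo2.osiris
2016-12-09T10:05:01 ws01 RENAME C:\\Users\\a\\Documents\\report.osiris
2016-12-09T10:05:02 ws01 RENAME C:\\Users\\a\\Documents\\budget.osiris
2016-12-09T10:05:03 ws01 RENAME C:\\Users\\a\\Documents\\notes.osiris
2016-12-09T11:30:00 ws02 RENAME C:\\Users\\b\\Desktop\\todo.osiris
"""


def parse_event(line):
    """Split one event line into (timestamp, host, action, path)."""
    ts, host, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, action, path


def detect_osiris_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {host: peak_count} for hosts where at least `threshold`
    files gained LOCKY_EXT within any window of length `window`.
    Assumes lines are in chronological order (constructed assumption)."""
    recent = {}   # host -> deque of timestamps of .osiris appearances
    alerts = {}
    for line in lines:
        ts, host, action, path = parse_event(line)
        if action not in ("CREATE", "RENAME"):
            continue
        if not path.lower().endswith(LOCKY_EXT):
            continue
        q = recent.setdefault(host, deque())
        q.append(ts)
        while q and ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[host] = max(alerts.get(host, 0), len(q))
    return alerts


if __name__ == "__main__":
    print(detect_osiris_bursts(SAMPLE_EVENTS.splitlines()))  # {'ws01': 5}
```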
