Locky Ransomware Shifts to .OSIRIS Extension

December 9, 2016 | J. Gomez

Locky ransomware continues to evolve and has again changed the filename extension it applies to encrypted files. This time it uses the file extension “.osiris” on all files it encrypts.

Locky will encrypt image files found on the system, leaving them inaccessible unless the ransom is paid to acquire the decryption keys.

Figure 1 – Example of image files

Locky ransomware uses an email lure like the one shown in Figure 2 to get victims to open attachments.

Figure 2 – Example of phishing email with Locky downloader attached

After infection, Locky encrypts files, modifies the system's desktop image and presents an HTML page with ransom demands.

Figure 3 – Locky ransom demand page and .bmp desktop image
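The renamed-file behaviour described above gives defenders a cheap triage signal: a burst of files carrying the “.osiris” extension in user directories. The following is an added example, not code from the post or from Anomali; the file listing, naming pattern and flagging threshold are constructed for illustration.

```python
import ntpath
import os
from collections import Counter
from typing import Iterable

# Extension this Locky variant appends to encrypted files (from the post).
OSIRIS_EXT = ".osiris"
# Directories holding at least this many .osiris files are flagged (assumed threshold).
FLAG_THRESHOLD = 3


def is_osiris_encrypted(path: str) -> bool:
    """Case-insensitive check on the final extension; ntpath accepts '\\' and '/' paths."""
    return ntpath.splitext(path)[1].lower() == OSIRIS_EXT


def summarize(paths: Iterable[str], threshold: int = FLAG_THRESHOLD) -> dict:
    """Count .osiris files per directory and flag directories at or above the threshold."""
    hits = [p for p in paths if is_osiris_encrypted(p)]
    by_dir = Counter(ntpath.dirname(p) for p in hits)
    flagged = sorted(d for d, n in by_dir.items() if n >= threshold)
    return {"total": len(hits), "by_dir": dict(by_dir), "flagged": flagged}


def scan_tree(root: str, threshold: int = FLAG_THRESHOLD) -> dict:
    """Walk a real directory tree with os.walk and summarize it (for live hosts)."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return summarize(paths, threshold)


# Constructed listing for a hypothetical infected user profile (not real sample data).
SAMPLE_LISTING = [
    r"C:\Users\alice\Pictures\photo_001.osiris",
    r"C:\Users\alice\Pictures\photo_002.osiris",
    r"C:\Users\alice\Pictures\photo_003.osiris",
    r"C:\Users\alice\Pictures\Thumbs.db",
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Documents\notes_004.OSIRIS",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LISTING))
```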

Ransomware like Locky is an ever-present danger in today's threat landscape and, as seen here, is under constant development to increase the chances that it evades detection and reaches more victims.

About the Author

J. Gomez

Josh Gomez is a Senior Security Researcher with over fifteen years' experience in the networking and security industries. Prior to Anomali, he was a senior member of FireEye Labs, where he specialized in research and detection of exploit kits, malvertising and crimeware campaigns.
