Sarah W

Locky Ransomware (.locky, .zepto, .odin, .shit, .thor, .aesir, .zzzzz or .osiris)

Pinned posts

Locky is a ransomware family that first appeared in February last year. Locky uses AES to encrypt files. Encrypted files will have either ".locky", ".zepto", ".odin", ".shit", ".thor", ".aesir", ".zzzzz" or ".osiris" as an extension. The ransom note is named "_HELP_instructions.html", "_-INSTRUCTION.html", "OSIRIS-.html", "_Locky_recover_instructions.txt", "_WHAT_is.html" or "_HELP_instructions.bmp" and asks victims to make contact via the Tor links. Locky is currently not decryptable. More information can be found here.

If you have any questions about this ransomware, you can post here.

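As an added example (not code from the thread or from Emsisoft), a small Python triage scanner that walks a directory and tallies files carrying the extensions and ransom-note names listed above, so a responder can confirm which Locky variant hit a machine and whether the original file names were lost. The hex-segment file-name pattern is an assumption taken from the one sample name posted later in this thread, and the sample files are constructed.

```python
import os
import re
import tempfile
from collections import Counter

# Extensions appended by the Locky variants listed in the pinned post.
LOCKY_EXTENSIONS = {".locky", ".zepto", ".odin", ".shit", ".thor",
                    ".aesir", ".zzzzz", ".osiris"}
# Ransom note names from the pinned post; the thread's "OSIRIS-5a65.htm" sample
# shows the Osiris note carries a hex suffix, so it is matched by pattern.
RANSOM_NOTES = {"_HELP_instructions.html", "_-INSTRUCTION.html",
                "_Locky_recover_instructions.txt", "_WHAT_is.html",
                "_HELP_instructions.bmp"}
OSIRIS_NOTE = re.compile(r"^OSIRIS-[0-9a-f]+\.html?$", re.I)
# Renamed-file shape assumed from the thread's single sample
# "EA45B68C--E743--EDDE--92D43973--D1360F6A4B51.osiris" (not a full spec).
RENAMED_STEM = re.compile(
    r"^[0-9a-f]{8}--[0-9a-f]{4}--[0-9a-f]{4}--[0-9a-f]{8}--[0-9a-f]{12}$", re.I)

def classify(name):
    """('encrypted', ext, original_name_lost), ('note', name) or None."""
    stem, ext = os.path.splitext(name)
    if ext.lower() in LOCKY_EXTENSIONS:
        return ("encrypted", ext.lower(), bool(RENAMED_STEM.match(stem)))
    if name in RANSOM_NOTES or OSIRIS_NOTE.match(name):
        return ("note", name)
    return None

def triage(root):
    """Walk root and summarise what Locky left behind, to identify the variant."""
    summary = {"encrypted": 0, "renamed": 0, "by_extension": Counter(), "notes": Counter()}
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = classify(name)
            if hit and hit[0] == "encrypted":
                summary["encrypted"] += 1
                summary["by_extension"][hit[1]] += 1
                summary["renamed"] += int(hit[2])  # original name replaced by hex id
            elif hit:
                summary["notes"][hit[1]] += 1
    return summary

def run_sample():
    """Triage a temp directory of constructed, empty files named like the thread's."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("EA45B68C--E743--EDDE--92D43973--D1360F6A4B51.osiris",
                     "OSIRIS-5a65.htm", "holiday.jpg.zzzzz", "notes.txt",
                     "_HELP_instructions.html"):
            open(os.path.join(root, name), "w").close()
        return triage(root)
```

Point triage() at the root of a recovered drive; the counts per extension and note name tell you which variant you are dealing with before any recovery attempt.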
UnPinned posts

I got the OSIRIS virus through an email, and now my photos and text files are encrypted. I called around and only a couple of places said they could fix this, but the cost is out of my range. I'm a disabled senior citizen living on social security, and the $150.00 and up they are asking is something I don't have. I need help badly! Please, can you help me?


"Osiris" is a Locky ransomware variant.

Unfortunately Locky is one of the ones that uses a secure encryption on the files, and the private key to decrypt them can only be obtained by paying the ransom. Currently, there is no reliable way to recover files encrypted by Locky.

If you take your computer to a computer repair place for assistance, then you can let them know the following (they should understand what it means):

Locky deletes Volume Shadow Copies to prevent people from using ShadowExplorer to find backups of the files that were saved automatically; however, it doesn't do this securely. There have been reports of people being able to use a file undelete utility such as Recuva to undelete the old Volume Shadow Copies, and then use ShadowExplorer to recover files. However, this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, the odds of there being backup copies of important files in them are low to begin with. That being said, it's probably still the best chance of recovering any of the files without paying the ransom.


Good night, or day, or morning to all of the people in this community. I'm a new member, and I'm seeking help to solve a case, which is this: I have some files on my desktop that I got from a hard disk which belonged to a friend's PC. My friend's PC got infected with a ransomware which created an extension called "shit". I brought the hard drive to my home (my friend upgraded his PC, and gave me his old hard drive), I recovered the files and now I have them, but I can't find a tool to decrypt them anywhere. As I said, the files have the "shit" extension and as far as I know they were encrypted by a Locky-type ransomware virus. What I'm asking is if someone knows a tool to decrypt this kind of malware; I can find none!

I hope someone knows anything about this. Thank you for your help!

 

Attachment: 2017-01-31.png


I got fooled by an e-mail today that downloaded the "Osiris" ransomware. After working with both Dell and McAfee techs I think the virus is gone, but I'm left with hundreds, possibly thousands of Excel, Word, PowerPoint and JPEG files that are encrypted. I've still got the e-mail with the attachment, thinking maybe someone would need to see it to help find a "cure". Any suggestions? I really need help!!!

OSIRIS-5a65.htm

EA45B68C--E743--EDDE--92D43973--D1360F6A4B51.osiris


Hello,

"Osiris" is a Locky ransomware variant.

Unfortunately Locky is one of the ones that uses a secure encryption on the files, and the private key to decrypt them can only be obtained by paying the ransom. Currently, there is no reliable way to recover files encrypted by Locky.

If you take your computer to a computer repair place for assistance, then you can let them know the following (they should understand what it means):

Locky deletes Volume Shadow Copies to prevent people from using ShadowExplorer to find backups of the files that were saved automatically; however, it doesn't do this securely. There have been reports of people being able to use a file undelete utility such as Recuva to undelete the old Volume Shadow Copies, and then use ShadowExplorer to recover files. However, this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, the odds of there being backup copies of important files in them are low to begin with. That being said, it's probably still the best chance of recovering any of the files without paying the ransom.


Hello,

If it is Locky then the files cannot be decrypted. It may be possible to recover the original files using forensic file recovery techniques, but that can be expensive.

6 hours ago, Kevin Zoll said:

Hello,

If it is Locky then the files cannot be decrypted. It may be possible to recover the original files using forensic file recovery techniques, but that can be expensive.

Thank you very much for your information. I will have to wait to see if a decryptor is found. Thank you again, and have a nice day!


It is highly unlikely that a third-party decryption tool for Locky will be forthcoming anytime in the near future. The encryption scheme used by Locky cannot be broken using today's methods and technologies.

On 2/3/2017 at 1:24 AM, Kevin Zoll said:

It is highly unlikely that a third-party decryption tool for Locky will be forthcoming anytime in the near future. The encryption scheme used by Locky cannot be broken using today's methods and technologies.

Hello, so you think it is a poor idea to keep the locked data on a separate HD and wait until a decryption tool is released? All my photos are locked by the Osiris ransomware and I was hoping that an effective decryptor would be released soon.... :(

2 hours ago, Tyler78 said:

Hello, so you think it is a poor idea to keep the locked data on a separate HD and wait until a decryption tool is released? All my photos are locked by the Osiris ransomware and I was hoping that an effective decryptor would be released soon.... :(

No, that's a good idea. However, we have no idea if or when a decrypter will be released.

Regards,

Sarah


Please help me, all my files have been encrypted with the .zzzzz extension and I need help with how to decrypt and recover all the files affected by this virus.

Thanks,

Daniel


Hi Daniel,

I merged your post with the Locky topic.

Locky is unfortunately not decryptable. Currently, you can either back up your files and wait for a solution, or pay the criminals (we do not recommend this).

As a note, Emsisoft Anti-Malware would have prevented your system from being compromised and encrypted in the first place. So if you appreciate our support, why not do yourself and your files a favour and check our product out, and consider buying it.

Regards,

Sarah
