How to recover
Files encrypted by Osiris ransomware
from Windows

I need your help urgently!! I lost access to photos and docs on stored on my PC. It seems that they are locked because all of them carry .osiris file extension. I have zero backups and already feel frustrated!!! Please tell me if it’s possible to get my files back?

Osiris ransomware is a serious virus which belongs to the notorious Locky family. In comparison to the earlier versions, Osiris stands out as one of the most dangerous due to the fact that it’s capable of injecting computers without being noticed by anti-virus programs. According to the recent research, the detection ratio is 8/56. The dissemination of Osiris do not deviate from its ancestors, meaning that it’s typicaly spread via attachments of spam emails. The subject of such emails is "Photo/Scan/Document from office" and the .zip file is always attached. Osiris and other Locky virus versions may be dispersed in spam messages on Facebook as well, which contain a photo_9166.svg file.[5] file. When the malicious file is opened, the system downloads .vbs file, which connects to the Internet and downloads the Osiris ransomware immediately. After that, the virus scans the system and within a couple of minutes encrypts the files that conform to the target file extensions list. For this purpose, it uses RSA-2048 and AES-128 encryption models. All encoded files get .osiris file extension and are renamed by a set of symbols, 16 of which represent victim’s ID and the rest 12 are random.

Unfortunately, but Locky and its variants are very serious computer infections, so expecting that retrieving personal data without paying the ransom will be easy is naive. When the virus finishes the encryption procedure, victim’s desktop picture is changed with a Locky wallpaper and the instructions on how the ransom has to be paid are displayed. Osiris ransomware offers to buy  Locky Decryptor for 0.5-4 Bitcoins; however, the chances that this tool will restore your files are very low. Instead of that, you may enroll your PC into the botnet of spam leading to further infections and cyber crimes. Therefore, our strongest recommendation would be to remove Osiris ransomware or another Locky virus variant with a professional anti-malware tool, such as [d1] and then try to recover your data using backups or data recovery tool.

NOTE: before you start with the file decryption, make sure that you have removed Osiris virus permanently. For this purpose, run a full system scan with a respectful and updated antivirus tool and let it remove all the malicious files and codes.

You can always restore files from USB, CD, DVD, cloud storage or hard disk. Unfortunately, that’s not possible if you have never created backups, data recovery is not possible. In this case, you can try using a data recovery tool.

Method 1. Decrypt data with Data Recovery Pro

Data Recovery Tool has been developed to help people restore personal files that were accidentally deleted or lost after a system crash. However, its developers took into account malicious activities of ransoware viruses and improved the software in a way it could restore at least a part of virus-infected files. Therefore, this software is worth given.

1. Download [rev id=”Data Recovery Pro”] and run the setup file.
2. Follow the instructions.
3. Set the software to run a scan. Wait for it to finish and see what files did it manage to find.
4. Select corrupted files and click Recover.

Method 2. Enable Windows Previous Versions feature

This option is available only if System Restore function has been enabled on your PC. If it was, you have to access the latest copy of your files and restore it manually. Unfortunately, but using this method you will have to restore each file separately.

1. Find the file that has been encrypted by Osiris ransomware and right-click on it.
2. Select Properties and click on Previous Versions tab.
3. Open Folder versions and find all available copies of the file.
4. Select the last version and click Restore.

Method 3. Retrieve Shadow Volume Copies

In case you are dealing with a virus, which does not affect Shadow Volume Copies, then it won't be difficult to retrieve damaged files. Shadow Volume Copies are file copies that are automatically created and stored on the system. If these copies are not damaged by the ransomware, it's possible to use ShadowExplorer utility and restore these copies. Unfortunately, but Locky and previous varients are know for affecting shadow volume copies as well, but it's not clear if Osiris virus damages them as well, so it's worth trying this app as well.

1. Download and run the program. You may find it here.
2. Launch the software and find the folder that you want to restore the first.
3. Click on it and select Export.
4. Repat the same with all folders that contain compromised files.