Osiris Ransomware: new addition to the Locky family.

Acronis has developed a New Generation technology that proactively prevents zero-day infections, enabling users to prevent ransomware attacks and recover data without paying any ransom. Yesterday, we discovered a new mutation of Osiris ransomware that easily bypassed Windows Defender. Today, it wasn’t so lucky, but there is already a new version that fooled the traditional security software again. Acronis Active Protection™ is the only technology that is able to block all versions of Osiris ransomware attacks. And what’s more, it’s capable of instantly restoring any encrypted data without contacting the crooks or paying any ransom. This is possible because of integration with Acronis Cloud. The only trick is that it needs to run on your computer when the ransomware strikes.

The infection of the Cockrell Hill Police Department in Texas, which led to the loss of eight years of critical evidence data, could have been prevented if an Acronis product had been installed there.

Here are some details of the new Osiris ransomware.

  • Osiris is the 7th generation of the Locky ransomware / crypto virus, traditionally spread by SPAM campaigns;
  • It's difficult to detect as it uses standard Windows components to download and execute the payload (scripts and libraries);
  • Osiris has inbuilt detection of virtualization, which complicates debugging and reverse engineering in a virtual machine; this algorithm is heavily modified compared to the initial version from June 2016;
  • It infects local devices and easily spreads across the network to infect other computers and network folders;
  • Osiris can also be distributed via CRM/customer support systems (including cloud-based ones) across organizational boundaries. An infected user in one organization can send an email to the CRM system's email address; its internal parser parses the incoming email and puts the malicious attachment into an automatically generated ticket. A customer support engineer opens the ticket, opens the Excel attachment, and infects the network;
  • As Acronis predicted, ransomware crooks have started to attack backup solutions. Osiris directly attacks Microsoft Volume Shadow Copy Service (VSS), available in every copy of MS Windows, and deletes already created shadow copies;
  • Osiris uses strong encryption algorithms, therefore affected data cannot be decrypted by any third-party tools;
  • It affects Windows and possibly Mac and Android devices.

Acronis Active Protection™, a combination of integrated security and backup solution, is capable of detecting and instantly recovering files attacked by Osiris.

Evolution of the Locky ransomware family

Locky ransomware has undergone another facelift, as cyber criminals roll out updates to one of the most common and damaging families of file-encrypting malware. The new ransomware is named Osiris, after the Egyptian god of the afterlife, and comes with improved features designed to attack backups and avoid being detected. It appends the .osiris extension to the end of the encrypted files and follows the standard pattern of ransomware infection: Invade, Encrypt, Extort. Riding on the back of Locky's success, Osiris is one of the most serious cyber security threats computer users are facing today.

Locky was first discovered in February 2016 and has since undergone at least seven changes, trying to stay ahead of the security vendors working to detect and stop this type of ransomware.

  • .locky — February 2016
  • .zepto — June 2016. One month later, Locky started supporting offline encryption with embedded RSA keys in case it wasn’t able to reach its C&Cs.
  • .odin — September 2016
  • .shit, .thor — October 2016
  • .aesir — November 2016
  • .zzzzz, .osiris — December 2016

Acronis Security Team investigated the following Osiris ransomware sample:

  • File Name: ekijLpDlRXB.zk
  • Size: 161625 bytes
  • Date: 29.01.2017
  • MD5: 3545436c22a9a43e29396df87823013d

 

Some researchers have also noted that Osiris affects Apple Mac and Android devices. The Acronis Security Team is currently investigating, and a new report will be released separately.

Distribution

  1. SPAM. Typically, Osiris ransomware is distributed through SPAM emails with the words “Invoice” or “Order Confirmation” in the subject line and a compressed attachment containing the malicious script. The attachment can be an Excel file with a VBA macro or a .jse executable script (a dropper). When executed, it downloads a DLL file and runs it with the help of Rundll32.exe.

Osiris authors try to hide the ransomware by not using .exe executables and instead using standard Windows components to launch their scripts and DLL files.

  2. Malicious advertising (Malvertising). Ransomware crooks use legitimate advertising networks to serve cleverly designed ads that distribute ransomware with little or no user interaction required. Some of the websites affected last year included BBC, MSN, and AOL, with cyber criminals taking advantage of the automated ad networks, which allowed them to serve malicious ads after their account passed initial verification checks.
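The SPAM chain in item 1 (an Excel macro or .jse script that runs a downloaded DLL through Rundll32.exe) leaves a recognizable parent/child pattern in process-creation logs. The following detection sketch is an added example, not Acronis code: the events, paths and export names are constructed, the field names follow Sysmon Event ID 1, and the user-writable path list and the non-.dll extension check are assumptions.

```python
import ntpath
import re

# Parents named on the page: a .jse dropper runs under the Windows script
# hosts, a VBA macro runs inside Excel.
SCRIPT_PARENTS = {"wscript.exe", "cscript.exe", "excel.exe"}
# Assumption: the downloaded DLL is written somewhere the user can write.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
# rundll32 syntax: rundll32.exe <module>,<export> [args]; module may be quoted.
_MODULE_RE = re.compile(r'rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))', re.I)

def rundll32_module(command_line):
    """Return the module path passed to rundll32, or None if it cannot be parsed."""
    m = _MODULE_RE.search(command_line)
    return (m.group(1) or m.group(2)) if m else None

def assess(event):
    """List the reasons a process-creation event resembles the dropper chain."""
    if ntpath.basename(event["Image"]).lower() != "rundll32.exe":
        return []
    reasons = []
    parent = ntpath.basename(event["ParentImage"]).lower()
    if parent in SCRIPT_PARENTS:
        reasons.append("parent:" + parent)
    module = rundll32_module(event["CommandLine"])
    if module:
        if ntpath.splitext(module)[1].lower() != ".dll":
            reasons.append("module extension is not .dll")
        if any(part in module.lower() for part in USER_WRITABLE):
            reasons.append("module in user-writable path")
    return reasons

def alerts(events):
    """Alert when a script host or Excel launches rundll32 on a suspicious module."""
    scored = [(ev["id"], assess(ev)) for ev in events]
    return [(i, r) for i, r in scored if len(r) >= 2 and r[0].startswith("parent:")]

def _ev(i, parent, cmd):
    return {"id": i, "ParentImage": parent, "CommandLine": cmd,
            "Image": r"C:\Windows\System32\rundll32.exe"}

# Constructed events for illustration; not real telemetry.
SAMPLE_EVENTS = [
    _ev(1, r"C:\Windows\System32\wscript.exe",
        r"rundll32.exe C:\Users\alice\AppData\Local\Temp\a1b2c3.zk,qwerty"),
    _ev(2, r"C:\Windows\explorer.exe", r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"),
    _ev(3, r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
        r'"C:\Windows\System32\rundll32.exe" "C:\Users\bob\AppData\Roaming\update.dll",Start'),
]

if __name__ == "__main__":
    for event_id, reasons in alerts(SAMPLE_EVENTS):
        print(event_id, "; ".join(reasons))
```

Events 1 and 3 alert; event 2, a normal Control Panel launch from Explorer, does not.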

 

Infection of corporate networks

Just like Locky, Osiris is classified as a Trojan crypto-virus with a worm-like distribution technique. It can spread over the network without any user interaction, with some victims reporting the need to shut down the domain controller to stop the attack from spreading. Osiris is capable of infecting thousands of shared folders, network-attached drives, and other machines on the same network. The damage from losing that many devices on the same network can be fatal for any business.

Osiris can also be distributed via CRM/customer support systems (including cloud-based ones) across organizational boundaries. An infected user in one organization can send an email to the CRM system's email address; its internal parser parses the incoming email and puts the malicious attachment into an automatically generated ticket. A customer support engineer opens the ticket, opens the Excel attachment, and infects the network.

Infection

The latest version of the Osiris dropper, sampled on 29/01/2017, is 71 KB in size, which is twice as large as the previous samples collected in December 2016. It is also currently undetectable by Windows Defender.

The first attempts to download the payload were made by contacting a Polish server.

Originally posted on Digitalisation world February 8th 2017