Osiris variant from Locky


(Edwin Eekelaers) #1

Has anyone heard of this new Osiris variant from Locky, and have you found tools to recover or remove the encrypted files? Was just in a bit of a panic here as they thought we were being hit at this moment. I’m trying to gather more information for when we do become the victim.


(Lee Esselstrom) #2

We had 2 customers get hit with this one on Tuesday 12/6. It was an email with a subject of Inv# xxxxxxx for PO# xxxxxx. Had a .docm attachment. We got them shut down off the network, went on site cleaned it up and restored from backups. They did lose almost a full day of productivity though. Hoping they learned their lesson :slight_smile:


(Collin) #3

Haven’t seen anything promoting the ability to decrypt .osiris files yet but the following steps should be instituted regardless of crypto variant.

  1. Block any macro-enabled Office files in email outright - .docm, .xlsm, etc.
  2. Restrict where macro-enabled docs CAN run via GPO - only from certain fileshares, folders
  3. Turn on Shadow Copy on fileserver if a Windows Server
  4. Make sure you have good backups - Weekly full, Daily incremental/diff.
  BONUS ROUND: Run EMET or MBAE
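The lure Lee describes in #2 (an "Inv# ... for PO# ..." subject carrying a .docm) and Collin's first step in #3 (block macro-enabled Office files outright) can both be turned into mail-gateway checks. The script below is an added example written for this thread, not code from any poster or product: it triages a constructed mail log for that subject shape plus a macro-enabled attachment extension, and separately checks an attachment's content for a VBA project, because a .docm renamed to .docx keeps its `word/vbaProject.bin` entry inside the zip container. The `sender|subject|attachment` log format, the example.com addresses and the minimal OOXML-like zip are all constructed for the demo.

```python
"""Added example (not from the thread): (1) triage an inbound-mail log for the
lure described in post #2 and (2) detect macro-enabled OOXML documents by
content rather than by file name, per post #3's first step.
All log lines and documents here are constructed for the demo."""
import io
import re
import zipfile

# Macro-enabled Office OOXML extensions (the ones post #3 says to block).
MACRO_ENABLED_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}

# Subject shape reported in post #2; the digits were masked there as x's.
INVOICE_LURE = re.compile(r"\bInv#\s*\S+\s+for\s+PO#\s*\S+", re.IGNORECASE)

# Constructed gateway log, one message per line: sender|subject|attachment
SAMPLE_MAIL_LOG = """\
billing@example.net|Inv# 4471289 for PO# 550321|Inv_4471289.docm
hr@example.org|Holiday schedule|schedule.docx
vendor@example.com|Inv# 9920011 for PO# 118804|invoice.xlsm
alice@example.com|Lunch?|
"""


def has_macro_extension(filename: str) -> bool:
    """True if the attachment name ends in a macro-enabled Office extension."""
    name = filename.lower()
    return any(name.endswith(ext) for ext in MACRO_ENABLED_EXTS)


def triage_mail_log(log_text: str) -> list:
    """Return one record per message with both indicators evaluated."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sender, subject, attachment = line.split("|", 2)
        records.append({
            "sender": sender,
            "subject": subject,
            "attachment": attachment,
            "lure_subject": bool(INVOICE_LURE.search(subject)),
            "macro_attachment": has_macro_extension(attachment),
        })
    return records


def flagged_messages(log_text: str) -> list:
    """Messages matching both indicators: the pattern post #2 describes."""
    return [r for r in triage_mail_log(log_text)
            if r["lure_subject"] and r["macro_attachment"]]


def contains_vba_project(data: bytes) -> bool:
    """Content check: an OOXML file is a zip, and a VBA project is stored as
    vbaProject.bin inside it regardless of what the file is called."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not an OOXML container at all


def build_sample_document(with_macros: bool) -> bytes:
    """Construct a minimal OOXML-like zip for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-vba-stub")
    return buf.getvalue()


def classify_attachment(filename: str, data: bytes) -> str:
    """Combine both signals; the content check wins over the file name."""
    if contains_vba_project(data):
        return "block: macro-enabled content"
    if has_macro_extension(filename):
        return "block: macro-enabled extension"
    return "allow"


if __name__ == "__main__":
    for r in flagged_messages(SAMPLE_MAIL_LOG):
        print(f"FLAG {r['sender']}: {r['subject']} -> {r['attachment']}")
    # A .docm renamed to .docx still carries vbaProject.bin and is caught.
    print(classify_attachment("invoice.docx", build_sample_document(True)))
    print(classify_attachment("report.docx", build_sample_document(False)))
```

The extension list is the cheap first filter Collin recommends; the content check is what keeps that filter honest when a sender renames the file, and it costs only a zip directory read per attachment.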

(Edwin Eekelaers) #4

Yeehaa, I’m a happy camper now… We got hit by Osiris in the company and right now it’s only a few machines… Now the big honchos in Management will have to listen about my desire to use KnowBe4’s trainings. Call the statement above sarcastic and it perhaps is, but lowly me had it right and the higher-ups were wrong.


(Daniel Beato) #5

Hope all is good now :slight_smile:


(JD Stein) #6

I haven’t heard of it.