Osiris (Locky) Recovery


  • This topic is locked
1 reply to this topic

#1 seattlesteph

  • Members
  • 2 posts

Posted 29 January 2017 - 07:39 PM

I am just recovering from an Osiris (Locky?) infection contracted from an attachment to an email. The email purported to be from the US Postal Service regarding a lost package. The USPS actually had lost a package of mine lately, so this was not a surprise communication. Everything I tried came from a forum, so maybe something in my experience will help someone else. And I have some clean-up questions at the end that I hope somebody has some ideas for.

 

All my text files were encrypted and a text ransom note (“Osiris-xxxx.htm.”) had been planted in each affected folder.  No other file types appear to have been affected.  All encrypted files and ransom notes had been "modified" during the same 15-20 minutes that I had tried to open the attachment.

 

When I tried to delete or isolate encrypted or Osiris files into folders, I was told that the action required “Permission” from myself.

 

When I searched my computer for “Osiris,” it returned 7,600-some files – all my encrypted text files plus a ransom note in each affected folder. From this Search Results list, I located the affected folders and made an effort to recover Shadow copies.

 

Following your instructions, I right-clicked the folder, went to Properties, and selected “Previous Versions.” Then I selected the most recent version, just a week or so ago, and copied the previous version to an external drive. “Restore” required “permission” from myself, but “Copy” worked. It worked on multiple layers of folders, but I am not sure how many.

 

Once my files were safe, I turned to the system. Norton (provided free by Comcast) found no threats. Spybot found only a handful of cookies. MBAM, downloaded from BC, would not work. "Unable to connect service."  Not after Rkill. Not renamed with multiple aliases. Not with MBAM file names added to Norton's “Exceptions” list. Not with Norton turned completely off.

 

This was interesting: MBARW found (and removed?) Trojan.fileless.MTGen, identified as a Registry Value. But MBAM still would not work – kept telling me “Unable to connect Service.”

 

So I used System Restore to reset the system. The available set point with the date that matched my recovered files identified itself as being when “Backups of Service Pack removed.” I don't know anything about any recent Service Packs, backups, or the removal of such, so went further back and restored to the previous date, about a month earlier. Then installed all the Win Updates since then.

 

Ran MBAM successfully from the trial available at the MBAM site. No download required. No threats found.

 

Next I expect to copy my text files back into my hard drive.

 

But a new search of the HD for “Osiris” shows over a dozen Osiris files and their respective ransom notes (text files named “Osiris-xxxx.htm.”). Attempting the previously successful method, not even copying allows me to access these without “permission.” Querying the individual files, no Previous Version exists.

 

These residual files were all “modified” (created?) in the ten minutes following the initial infection. They did not appear when I searched for Osiris files before (perhaps because they were not indexed yet?)

 

They are mostly in the C:\Program Data folder.

 

QUESTIONS:

It seems that if they were part of my own encrypted text files, they would have been recovered with the rest of my text files.

And it seems that if they were part of the system files, they would have been eliminated or replaced during System Restore.

So can I safely delete them all?

Is there anything else I should do before moving my files back onto my HD?

 

POST SCRIPT:
Mozilla Thunderbird text settings have also been impacted, so I performed a manual update, but that did not help. Or maybe it caused some of these issues?

  1. All dictionaries had been removed, so the spellchecker appeared but was blank until a dictionary was re-installed.

  2. View/ Message Body had been changed from "Original html" to "Simple html," causing the "View Remote Content" bar to disappear. It came back when I changed View/ Message Body back to "Original html."
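The inventory step the poster did by hand (searching the drive for “Osiris” and noting which folders and timestamps were hit) can be scripted so nothing is touched until the list has been reviewed. The script below is an added example, not from the original post or from BleepingComputer; it assumes ransom notes are named `Osiris-*.htm` and encrypted files carry a `.osiris` extension, and the scan roots and report path are placeholders.

```powershell
# Added triage script (not from the original post): inventory Locky/Osiris
# artefacts on a recovered system without deleting or moving anything.
# Assumptions: ransom notes are named "Osiris-*.htm", encrypted files end in
# ".osiris", and the scan roots / report path below are placeholders.
param(
    [string[]]$Roots  = @("C:\Users", "C:\ProgramData"),          # assumption
    [string]$Report   = "$env:USERPROFILE\Desktop\osiris-inventory.csv"
)

# Collect ransom notes and encrypted files; -Force includes hidden items.
$hits = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'Osiris-*.htm' -or $_.Extension -ieq '.osiris' } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Kind      = if ($_.Extension -ieq '.osiris') { 'EncryptedFile' } else { 'RansomNote' }
                Modified  = $_.LastWriteTime
                SizeBytes = $_.Length
            }
        }
}

if (-not $hits) { Write-Host "No Osiris artefacts found under $($Roots -join ', ')"; return }

# Sanity check on the infection window: the poster saw every artefact modified
# within a span of 15-20 minutes, so a wide spread suggests something else.
$first = ($hits | Measure-Object -Property Modified -Minimum).Minimum
$last  = ($hits | Measure-Object -Property Modified -Maximum).Maximum
Write-Host ("{0} artefacts, modified between {1} and {2} ({3:N1} minutes apart)" -f
    $hits.Count, $first, $last, ($last - $first).TotalMinutes)

# Per-folder summary: which directories (e.g. C:\ProgramData) still hold
# notes or encrypted files after the System Restore and shadow-copy recovery.
$hits | Group-Object { Split-Path -Path $_.Path -Parent } |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Folder'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Full inventory for review before any deletion decision is made.
$hits | Export-Csv -LiteralPath $Report -NoTypeInformation -Encoding UTF8
Write-Host "Inventory written to $Report"
```

Run it from an elevated PowerShell prompt so folders such as C:\ProgramData are readable; the CSV gives a list to compare against the recovered files before anything is removed.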

#2 NickAu

    Bleepin' Fish Doctor

  • Moderator
  • 13,378 posts
  • Location:127.0.0.1 Australia

Posted 29 January 2017 - 07:52 PM

There is an ongoing discussion in this topic where you can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion; it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

https://www.bleepingcomputer.com/forums/t/638608/osiris-shadow-files-and-cleanup-questions/
Thanks
The BC Staff


Edited by NickAu, 29 January 2017 - 07:57 PM.