Osiris ransomware is the latest variant of Locky. As with other versions of the ransomware, there is no free way of unlocking encrypted files if a viable backup of data does not exist.

Cybercriminals use a variety of techniques and attack vectors to spread malicious files such as ransomware and malware. Exploit kits are popular as they can be hidden on websites and used to silently probe visitors’ browsers for vulnerabilities in plugins such as Adobe Flash, Microsoft Silverlight, and Oracle Java. Those vulnerabilities are leveraged to download malware. Malvertising – malicious web adverts – are often used to direct users to these malicious webpages; however, all too often, links to these websites are sent via spam email.

The rise in malware and ransomware attacks over the past few years has prompted many organizations to start providing security awareness training to staff members. Employees are instructed never to click on a link contained in an email unless they are sure that it is genuine.

However, even with security awareness training, a great many employees inadvertently infect their computers with malware or accidentally download ransomware. One of the biggest problems is not malicious links in spam email but malicious attachments. Cybercriminals have increased the use of malicious file attachments in the last year, especially to infect end users with ransomware.

One of the biggest ransomware threats in the past 12 months has been Locky. Locky has been spread via exploit kits in the past, although spam email is now primarily used to infect users.

Office Macros Used to Infect Computers with Osiris Ransomware

The gang behind Locky frequently updates the ransomware, as well as the methods used to fool end users into installing the malicious file-encryptor. The latest Locky variant – Osiris ransomware – encrypts files and adds the .osiris extension to encrypted files.

Locky is commonly spread via malicious macros in Word documents. Typically, the malicious Word documents claim to be invoices, purchase orders, or notifications of missed parcel deliveries.

However, a recent campaign used to distribute the Osiris ransomware variant switches from .DOC files to Excel spreadsheets (.XLS). Recipients of the emails are told the Excel spreadsheet is an invoice. Opening the attached Excel spreadsheet will not automatically result in an Osiris ransomware infection if macros have not been set to run automatically. The user will be presented with a blank spreadsheet and a prompt to enable macros to view the content of the file.

Clicking on ‘Enable Content’ will launch a VBA script that downloads a Dynamic Link Library (DLL) file, which is automatically executed using the Windows file Rundll32.exe. That DLL file is used to download Osiris ransomware. Osiris ransomware encrypts a wide range of file types and deletes Windows Shadow Volume Copies, preventing the user from restoring the computer to the configuration before the ransomware was installed. The only option for recovery from an Osiris ransomware infection is to pay the ransom demand or to wipe the system and restore files from backups.

Protecting Networks From E-Mail-Based Ransomware and Malware Attacks

An advanced spam filtering solution such as SpamTitan can be used to block the vast majority of email-borne threats. SpamTitan performs a wide range of front line tests to rapidly identify spam email and prevent it from being delivered, including RBL, SPF, Greylisting and SMTP controls.

SpamTitan uses two enterprise-class anti-virus engines to scan for malicious attachments – Kaspersky Anti-Virus and ClamAV – to maximize detection rates.

SpamTitan can also be configured to block specific files attachments commonly used by cybercriminals to infect end users: EXE files and JavaScript files for example. The contents of compressed files are also automatically scanned by SpamTitan.

Host-based tests are performed to examine mail headers, while the contents of messages are subjected to a Bayesian analysis to identify common spam signatures and spam-like content. Messages are also scanned for malicious links.

These extensive tests ensure SpamTitan blocks 99.97% of spam emails, preventing malicious messages from being delivered to end users. SpamTitan has also been independently tested and shown to have an exceptionally low false positive rate of just 0.03%.

If you want to keep your network protected from malicious spam emails and reduce reliance on employees’ spam detection abilities, contact the TitanHQ team today. SpamTitan is available on a 30-day free trial, allowing you to fully test the product and discover the difference SpamTitan makes at your organization before committing to a purchase.