Virtual Event Today: Cyber AI & Automation Summit - Register/Login Now
Connect with us

Hi, what are you looking for?



Locky Variant Osiris Distributed via Excel Documents

The infamous Locky ransomware has once again switched to a new extension to append to encrypted files, but reverted to malicious Office documents for distribution, security researchers have discovered.

The infamous Locky ransomware has once again switched to a new extension to append to encrypted files, but reverted to malicious Office documents for distribution, security researchers have discovered.

The latest Locky variant is appending the .osiris extension to encrypted files, marking a switch from the Norse mythology to Egyptian mythology. The change comes only a couple of weeks after Locky was seen using the .aesir extension.

The ransomware has switched between numerous extensions since its initial appearance in February, when it was appending .locky to encrypted files. Some of the best known other variants spotted thus far include Zepto, Odin and Thor.

Also interesting about the new Locky variant is the use of malicious Excel documents for distribution. Attached to spam emails pretending to be invoices, these documents are hidden inside Zip archives. They contain macros that, once enabled, download and install Locky onto the victim’s computer.

As soon as the user opens the Excel spreadsheet, a blank sheet is displayed and the user is prompted to enable macro to view the content. The name of the sheet is “Лист1”, which in Ukrainian means “Sheet1.” According to BleepingComputer, this could be a clear indicator that Locky’s developer is from Ukraine.

As soon as the victim enables the malicious macros, a VBA macro will download a DLL (Dynamic-link library) file and load it using Windows’ legitimate Rundll32.exe program. The downloaded file (which is saved in the %Temp% folder) doesn’t show the DLL extension because it has been renamed, but it will work as any such library was intended to work.

This behavior has been associated with Locky before, especially since the ransomware was seen spreading via DLL files earlier this year, but isn’t limited to this malware family alone. In the case of this Locky variant, the DLL name and the export used to install the threat might vary from one infection to another, researchers say.

Once installed on the victim’s computer, however, Locky would behave the same as before: it would search the local drives and network shares for files to encrypt. The ransomware would rename the encrypted files and also appends the .osiris extension to them.

Advertisement. Scroll to continue reading.

As soon as the encryption process has been completed, Locky drops a ransom note to inform the victim on what happened to their files. The ransom note’s name has been specifically tailored for the new OSIRIS variant, the researchers say.

To stay protected, users should avoid downloading attachments coming from sources they don’t recognize. They should also pay attention to macro-enabled documents, as they often hide malware. Installing an anti-malware solution and keeping it updated at all times should also help prevent infections from happening.

Related: Fake ISP Complaint Emails Distribute Locky Ransomware Variant

Related: OPM-Impersonating Spam Emails Distribute Locky Ransomware

Related: Locky Ransomware Fuels Surge in .RAR, JavaScript Attachments

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...