Connect with us

Hi, what are you looking for?



Locky Variant Osiris Distributed via Excel Documents

The infamous Locky ransomware has once again switched to a new extension to append to encrypted files, but reverted to malicious Office documents for distribution, security researchers have discovered.

The infamous Locky ransomware has once again switched to a new extension to append to encrypted files, but reverted to malicious Office documents for distribution, security researchers have discovered.

The latest Locky variant is appending the .osiris extension to encrypted files, marking a switch from the Norse mythology to Egyptian mythology. The change comes only a couple of weeks after Locky was seen using the .aesir extension.

The ransomware has switched between numerous extensions since its initial appearance in February, when it was appending .locky to encrypted files. Some of the best known other variants spotted thus far include Zepto, Odin and Thor.

Also interesting about the new Locky variant is the use of malicious Excel documents for distribution. Attached to spam emails pretending to be invoices, these documents are hidden inside Zip archives. They contain macros that, once enabled, download and install Locky onto the victim’s computer.

As soon as the user opens the Excel spreadsheet, a blank sheet is displayed and the user is prompted to enable macro to view the content. The name of the sheet is “Лист1”, which in Ukrainian means “Sheet1.” According to BleepingComputer, this could be a clear indicator that Locky’s developer is from Ukraine.

As soon as the victim enables the malicious macros, a VBA macro will download a DLL (Dynamic-link library) file and load it using Windows’ legitimate Rundll32.exe program. The downloaded file (which is saved in the %Temp% folder) doesn’t show the DLL extension because it has been renamed, but it will work as any such library was intended to work.

This behavior has been associated with Locky before, especially since the ransomware was seen spreading via DLL files earlier this year, but isn’t limited to this malware family alone. In the case of this Locky variant, the DLL name and the export used to install the threat might vary from one infection to another, researchers say.

Advertisement. Scroll to continue reading.

Once installed on the victim’s computer, however, Locky would behave the same as before: it would search the local drives and network shares for files to encrypt. The ransomware would rename the encrypted files and also appends the .osiris extension to them.

As soon as the encryption process has been completed, Locky drops a ransom note to inform the victim on what happened to their files. The ransom note’s name has been specifically tailored for the new OSIRIS variant, the researchers say.

To stay protected, users should avoid downloading attachments coming from sources they don’t recognize. They should also pay attention to macro-enabled documents, as they often hide malware. Installing an anti-malware solution and keeping it updated at all times should also help prevent infections from happening.

Related: Fake ISP Complaint Emails Distribute Locky Ransomware Variant

Related: OPM-Impersonating Spam Emails Distribute Locky Ransomware

Related: Locky Ransomware Fuels Surge in .RAR, JavaScript Attachments

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...