Osiris Ransomware

The war between wetware and hardware.
Anaxagoras
Posts: 20769
Joined: Wed Mar 19, 2008 5:45 am
Location: Yokohama/Tokyo, Japan
Has thanked: 1311 times
Been thanked: 1092 times

Re: Osiris Ransomware

Post by Anaxagoras » Fri Jan 13, 2017 11:37 am

Don't open any email attachments unless you are 1000% sure it is legit.
A fool thinks himself to be wise, but a wise man knows himself to be a fool.
William Shakespeare

ed
Posts: 32424
Joined: Tue Jun 08, 2004 11:52 pm
Title: Trilobite of the Florida swamp
Has thanked: 418 times
Been thanked: 697 times

Re: Osiris Ransomware

Post by ed » Fri Jan 13, 2017 12:16 pm

I still have a copy. I have handled unexploded HE rounds from 100 years ago; touching this gives me the same feeling.
ScreenShot422.jpg
"Clyde Gay" Jesus.
Our FedEx driver is named Clive and the day before we arranged for him to pick up our hazmat packages. So my wife seeing "Clyde" thought "Clive" and figured he had a problem with something we had just given him.

Here is the header:

Last edited by ed on Sat Jan 14, 2017 1:50 am, edited 2 times in total.
- new minimalist ethos -

Post by ed » Fri Jan 13, 2017 12:17 pm

Anaxagoras wrote:Don't open any email attachments unless you are 1000% sure it is legit.
Are you ever? How would you know?

Post by ed » Fri Jan 13, 2017 12:25 pm

They put an HTM file in every folder that they hack/fuckup/alter, whatever. It is the ransom demand. Here it is:
ScreenShot423.jpg

Post by Anaxagoras » Fri Jan 13, 2017 12:30 pm

Probably not. Not blaming you, it could happen to anyone.

But Gnome asked.
I suppose it's hard to avoid if you have a business to run. But be extra careful about attachments.

I would look into seeing if you can find a professional who knows what to do in these situations.

Post by ed » Fri Jan 13, 2017 12:40 pm

They said ("They" HA!) that only about 10% of these things get intercepted by malware. I am not sure what a professional could/would do. I will try and decrypt the file on my wife's machine later but ... who knows. Main thing is that I see the limitations of Dropbox.

Grammatron
Posts: 32849
Joined: Tue Jun 08, 2004 1:21 am
Location: Los Angeles, CA
Been thanked: 1572 times


Post by Grammatron » Fri Jan 13, 2017 6:20 pm

ed wrote:
Anaxagoras wrote:Don't open any email attachments unless you are 1000% sure it is legit.
Are you ever? How would you know?
What Anax said can't be stressed enough.

As to your question, there is no blanket answer. For example, FedEx (we ship with them as well) would never send you the label as an attachment, just a tracking update with the reason and the email subject "FedEx Shipment <tracking #> Delivery Exception". In fact I am not sure any service providers (shipping, sales portals, payment gateways, and such) send attachments these days for this very reason. Note that the malware only worked as part of social engineering.

The simplest road you can take is constant vigilance, and if you ever are unsure of something go directly to that service provider's website and check yourself. Sorry this happened to you.
[quote="pillory"]jokes aren't funny....seriously thinking......

seriously thinking might be funny....but it's not joke[/quote]

Pyrrho
Posts: 25368
Joined: Sat Jun 05, 2004 2:17 am
Title: Man in Black
Location: Division 6
Has thanked: 2636 times
Been thanked: 2655 times


Post by Pyrrho » Fri Jan 13, 2017 11:52 pm

FWIW folks, the plaintext version of the email ed posted appears to contain the base64 encoding of the malicious payload. Strongly advise that nobody attempt to decode that base64 block. Just sayin'.

In fact it might be prudent to remove the plaintext of the malicious email entirely, as it also contains domain names that are very likely malicious.

ETA: Confirmed. https://sitecheck.sucuri.net/results/ar ... series.com
The flash of light you saw in the sky was not a UFO. Swamp gas from a weather balloon was trapped in a thermal pocket and reflected the light from Venus.
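A defender-side triage of the kind of message Grammatron and Pyrrho describe above (a shipping-themed lure with a zip attachment and a base64-encoded part), as an added example that is not from this thread. The sample email is constructed, the helper names are assumptions, and the script only reports attachment metadata and link hosts: it never decodes, saves or opens the base64 block.

```python
import email
import re
from email import policy

# Constructed sample in the shape of the lures discussed in the thread.
# The base64 block is a harmless stub, not a real payload.
SAMPLE_EML = b"""\
From: "FedEx" <notice@example.test>
To: victim@example.test
Subject: FedEx Shipment 7712345678 Delivery Exception
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Your label: <a href="http://tracking.example.test/label">download</a></p>
--b1
Content-Type: application/zip; name="label.zip"
Content-Disposition: attachment; filename="label.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# File types that commonly carry the script or archive stage of a lure.
RISKY_EXTENSIONS = {".zip", ".js", ".jse", ".wsf", ".vbs", ".hta", ".htm", ".html", ".scr", ".exe"}
LURE_WORDS = re.compile(r"\b(delivery|shipment|label|invoice|parcel|tracking)\b", re.I)


def triage_message(raw: bytes) -> dict:
    """Report attachments and link hosts of a raw email without decoding any attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"subject": str(msg["subject"] or ""), "attachments": [],
              "link_hosts": [], "flags": []}
    for part in msg.walk():
        if part.is_attachment():
            name = part.get_filename() or ""
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            # Metadata only: the body of the attachment part is never decoded here.
            report["attachments"].append((name, part.get_content_type(), ext))
            if ext in RISKY_EXTENSIONS:
                report["flags"].append(f"risky attachment type {ext}: {name}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            for host in re.findall(r"""https?://([^/\s"'>]+)""", part.get_content()):
                if host not in report["link_hosts"]:
                    report["link_hosts"].append(host)
    if report["attachments"] and LURE_WORDS.search(report["subject"]):
        report["flags"].append("shipping lure subject combined with an attachment")
    return report
```

The link hosts are what you would look up on a site checker as Pyrrho did, instead of following the link.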

Post by Pyrrho » Sat Jan 14, 2017 12:26 am

ed, could you remove that email, if only because you're exposing your own email address to the wide world? Email harvesters abound, and you'll find even more spam and malicious emails in your inbox as a result.

Captain
Posts: 232
Joined: Thu Aug 23, 2012 11:47 pm
Title: Captain
Location: On the verandah in the cool breeze.
Has thanked: 7 times
Been thanked: 31 times


Post by Captain » Sat Jan 14, 2017 12:34 am

Hated to do it but I edited the post to remove the base64 encoded payload.
You run one time, you got yourself a set of chains. You run twice you got yourself two sets. You ain't gonna need no third set, 'cause you gonna get your mind right.

Post by ed » Sat Jan 14, 2017 1:51 am

Me too ... how is that possible?

Post by Grammatron » Sat Jan 14, 2017 2:11 am

Perhaps a good analogy for you, ed... I assume as an avid 2nd amendment abider and enthusiast, you are well trained and prepared for home defense in case of the unthinkable. As such, if some stranger, company-uniformed or otherwise, would present themselves at your doorstep you would no doubt treat a fellow human being as a gentleman, yet you would also no doubt be prepared to ensure the safety of you and yours. I further assume that your wife shares similar abilities and sufficient training. If you both extend such cautious pleasantries to your PCs, tablets, phones, and other electronic devices, the chance of such incidents would decrease.

Complacency is always the enemy.

Doctor X
Posts: 66427
Joined: Fri Jun 04, 2004 8:09 pm
Title: Collective Messiah
Location: Your Mom
Has thanked: 3187 times
Been thanked: 2017 times


Post by Doctor X » Sat Jan 14, 2017 4:34 am

If anyone has waded through the PC SUX NO!!!! MAC SUCKS!!! betwixt The Great Unwashed Gram, Asthmatic on the Loser FAG side and others like NightG1 and Myself over the years, the number one barrier to DISASTER be it Image to "Why is My Hard Drive 'Clicking?'" is the user. Period.

For example, whilst there is still no Image against Mac OS X--and, no ImageGram, do not conjure up that one for OS 6 made like ten years after it was obsolete--there was ransomware against Mac OS X Image though its scope appears highly limited and it was fixed.

The one thing a PC user has over a Mac user aside from crippling genital odor is familiarity. A PC user has to have an anti-virus program. A PC user has to be aware of malware--which can affect Macs! Mac users fall victim to malware because they think they cannot "be infected" when that . . . um . . . nature site announces you need to download the "latest Adobe" from a url in Vietnam . . . and a "video codec" from Stalingrad St. Petersburg and they run it.

As others note, this is "reverse engineering." Hell, years ago when phishing first started to become a thing I recall panicking for a moment when My Bank sent me a UR ABOUT TO HAVE YOUR ACCONT CAESED with a url that sent me to a page to enter my details . . . until I calmed down and wondered why the e-mail did not go to my professional account--"I told my bank about assmaster2001@fuckboy.com?"--why it came from China, why the url was in . . . blah . . . blah . . . blah.

I only knew about such things because I, at the time, liked going after 419 scammers.

These things are SUPPOSED to look legit.

Or as I like to note, here is the virus I have written for a Mac that will erase any hard drive:
1. Copy all of these instructions and send them to everyone you know.
2. Boot your computer from an External Drive.
3. Open Disk Utility.
4. Choose Your Internal Drive.
5. Click "Erase".
6. Keep clicking "Are You Sure."
7. Profit.
--J.D.
Mob of the Mean: Free beanie, cattle-prod and Charley Fan Club!
"Doctor X is just treating you the way he treats everyone--as subhuman crap too dumb to breathe in after you breathe out."--Don
DocX: FTW.--sparks
"Doctor X wins again."--Pyrrho
"Never sorry to make a racist Fucktard cry."--His Humble MagNIfIcence
"It was the criticisms of Doc X, actually, that let me see more clearly how far the hypocrisy had gone."--clarsct
"I'd leave it up to Doctor X who has been a benevolent tyrant so far."--Grammatron
"Indeed you are a river to your people.
Shit. That's going to end up in your sig."--Pyrrho
"Try a twelve step program and accept Doctor X as your High Power."--asthmatic camel
"just like Doc X said." --gnome

WS CHAMPIONS X3!!! NBA CHAMPIONS!! Stanley Cup! SB CHAMPIONS X5!!!!!

Post by ed » Sat Jan 14, 2017 12:46 pm

I am off to the best antique arms show in Florida. The stuff I like, like the pre-WW1 German guns where you can see the designers trying to work out solutions. I would have asked Gnome to go with me, given he is near Tampa and all, and I thought that an intervention such as this might put him on the straight and narrow, but I figured he'd give me the bird and my ego is not up for that.

I think all is in hand, and not because I am clever. Rather, it is only because one machine that has Dropbox died before it could be corrupted. If this happened in a Benedict Cumberbatch movie you'd roll your eyes.

I need to assess the damage to my wife's personal stuff. That will happen this afternoon.

Thanks again for your advice and kind words, mostly.

gnome
Posts: 21763
Joined: Tue Jun 29, 2004 12:40 am
Location: New Port Richey, FL
Has thanked: 336 times
Been thanked: 341 times


Post by gnome » Sat Jan 14, 2017 3:35 pm

Digging a little deeper... a zip file is just a container for another file. Do you happen to recall the file format of what was inside the zip file?
"If fighting is sure to result in victory, then you must fight! Sun Tzu said that, and I'd say he knows a little bit more about fighting than you do, pal, because he invented it, and then he perfected it so that no living man could best him in the ring of honor. Then, he used his fight money to buy two of every animal on earth, and then he herded them onto a boat, and then he beat the crap out of every single one. And from that day forward any time a bunch of animals are together in one place it's called a zoo! (Beat) Unless it's a farm!"
--Soldier, TF2

Post by ed » Wed Jan 18, 2017 1:08 pm

Hi. I posted the contents of the zip and then deleted it.
Pyrrho wrote:FWIW folks, the plaintext version of the email ed posted appears to contain the base64 encode of the malicious payload. Strongly advise that nobody attempt to decode that base64 block. Just sayin'.

I wanted you folks to know that I just got another one.
ScreenShot427.jpg
This makes three in a week, all to our business accounts.

Be very careful.

Post by Grammatron » Wed Jan 18, 2017 6:59 pm

That isn't even a USPS number scheme.

Rob Lister
Posts: 19791
Joined: Sun Jul 18, 2004 7:15 pm
Title: Incipient toppler
Location: Swimming in Lake Ed
Has thanked: 567 times
Been thanked: 578 times


Post by Rob Lister » Wed Jan 18, 2017 8:36 pm

I want to come clean here. I was responsible for the Osiris Ransomware. Let me help.

For ed: To decrypt:
The code-name is Junior
The Password is BR549

If it doesn't work the first time, try it 10 more times

Post by ed » Wed Jan 18, 2017 8:43 pm

And if that doesn't work remove the hard drive and freeze overnight.

I have a long memory.

Post by Rob Lister » Wed Jan 18, 2017 9:09 pm

ed wrote:And if that doesn't work remove the hard drive and freeze overnight.

I have a long memory.
Fond, no doubt.