RSA-2048 still on my computer

[Denizen151]

I downloaded the ransom malwarebytes and it says I am protected but I still have the Rsa-2048 on my computer. Any help or suggestions? I did a restore but it couldnt finish.

[Aura]

Hi Denizen151

I understand that you've been infected with a ransomware. Can you upload a ransom note or an encrypted file to ID-Ransomware, and copy/paste the result it returns you here after?

https://id-ransomware.malwarehunterteam.com/

[Denizen151]

Here is a picture of it, that's all I know how to do.  It had me locked out of safemode but I managed to get back in it

I upgraded to mbam 3 but it didn't help

 

[Aura]

Looks like you have been infected with a variant of Locky, though I cannot say which one. Do you know the extension that has been appended to your encrypted files?

[Denizen151]

It says it is an OSIRIS file. If that's what you're talking about

[Denizen151]

I'm sorry but I really just don't know very much about this stuff

[Aura]

Looks like you've been infected with the Osiris variant of Locky then. Sadly, there's no way to decrypt the files encrypted with this variant for free. The best you can do is to back them up and wait for a solution to be found in the future.

https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-egyptian-mythology-with-the-osiris-extension/

[Denizen151]

Can you let me know if you ever figure out a way to get rid of it? 

[Aura]

If you're talking about getting rid of the ransom notes, you can do so easily using RansomNoteCleaner.

https://www.bleepingcomputer.com/forums/t/617257/ransomnotecleaner-remove-ransom-notes-left-behind/

If you're talking about decrypting your encrypted files for free, if a solution is ever found and I remember this thread, I can post in it. Otherwise, you would have to follow the development of the Locky ransomware and its variants.

[Denizen151]

Thank you very much!

[Aura]

No problem, you're welcome

[Denizen151]

When I try to download The Ransom note from  bleeping computer cleaner my Chrome and my Internet Explorer won't let me download it and says it has a malicious download in it? 

[Aura]

It's a false positive. RansomNoteCleaner is a legitimate program created by demonslay335, which created many decryptors for Ransomware. You can tell Internet Explorer and Chrome to keep the download even if they flag it as malicious.

[Denizen151]

How do I do that? It only gives me the option to dismiss it

[Aura]

Click on the Settings button in Google Chrome and then Downloads. From there, you'll see your deleted download and you'll have the option to recover it.

[Denizen151]

Okay I got it open and ran the program but I still have the ransom note on my desktop.   it found around a 170 things and I deleted them but it didn't affect the note

[Aura]

What's the name of the ransom note?

[Denizen151]

Osiris.   also I just upgraded My malwarebytes  and it says I need to activate the license but I should have 268 days left on my premium account

[Aura]

Files that have the .osiris extension are files that got encrypted by Locky, they aren't ransom notes. I think the ransom notes are now named like this:

Quote

DesktopOSIRIS.bmp, DesktopOSIRIS.htm, OSIRIS-[4_numbers].htm, and OSIRIS-[4_numbers].htm.

https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-egyptian-mythology-with-the-osiris-extension/

[Denizen151]

So is malwarbytes working on a fix for this? why didn't my premium version catch it before it infected my computer?

[Aura]

What fix are you referring to?

Also, did you download and install Malwarebytes Premium after being infected, or were you running it at the time of the infection?

[Denizen151]

A fix for the Osiris virus I have.  Yes I was already running the premium version of malewarbytes when I was infected 

[Aura]

The only way to "fix" this is for someone to release a decrypter for files encrypted with the Osiris variant of Locky. Unfortunately, I doubt Malwarebytes is working on one, since no Locky variants have been broke to my knowledge. You can be sure that there's other security vendors working on a decrypter, but without the keys and/or a flaw in the encryption process, a decrypter cannot be made.

And do you know how you were infected exactly? Via a program you installed, a file you downloaded from the web, an Excel attachment you opened in an email and enabled the macro? The latter is how the Osiris variant of Locky spreads.

[AdvancedSetup]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.