New Osiris Ransomware Leverages Living Off the Land and Dual-Use Tools in Attacks

By Admin
January 23, 2026

A newly discovered ransomware family, Osiris, targeted a major foodservice franchisee in Southeast Asia in November 2025.

Despite sharing a name with a 2016 Locky ransomware variant, security researchers confirm this represents an entirely new threat with no connection to its predecessor.

However, evidence suggests potential links to threat actors previously associated with Inc ransomware operations.

The attackers made extensive use of living off the land binaries (LOLBins) and dual-use tools throughout their campaign.

Notably, they leveraged the malicious Poortry driver in a bring-your-own-vulnerable-driver (BYOVD) attack to disable security software on compromised systems.

The Symantec and Carbon Black Threat Hunter Team investigation identified Osiris as a novel ransomware family with unknown developers and an unclear operational structure.

Several tactical overlaps with Inc ransomware operations emerged during the investigation. Attackers exfiltrated stolen data to Wasabi cloud storage buckets, a technique previously observed in Inc ransomware attacks from October 2025.

Additionally, the threat actors deployed Mimikatz under the identical filename “kaz.exe” that Inc ransomware operators previously used, suggesting either tactical emulation or direct involvement of former Inc affiliates.

Ransomware Technical Capabilities

Osiris exhibits standard ransomware functionality including service termination, selective folder and file extension encryption, process killing, and ransom note deployment.

The malware accepts several command-line parameters for customized operations: log file specification, file and directory path encryption targets, Hyper-V VM disabling with configuration deletion, VM-specific skipping, and encryption mode selection between partial (“head”) or full (“full”) file encryption.

The ransomware deliberately excludes specific file types from encryption, including executables (.exe, .dll, .msi), media files (.mp4, .mp3, .mov, .avi), system files (.sys, .inf), and critical Windows directories such as Windows, PerfLogs, ProgramData, and System Volume Information.

Following encryption, Osiris appends the Osiris extension to affected files and deletes system snapshots using the Volume Shadow Copy Service (VSS).

Osiris terminates database and productivity application processes including SQL, Oracle, MySQL, Microsoft Office applications (Excel, Word, Outlook, PowerPoint), communication tools (Firefox, Thunderbird), and system services.

The ransomware implements a hybrid encryption scheme combining Elliptic Curve Cryptography (ECC) with AES-128-CTR. Each encrypted file receives a unique AES key, while completionIOPort manages asynchronous input/output requests during encryption operations.

The malware also stops critical services such as VSS, SQL services, Microsoft Exchange, and backup solutions including Veeam and GxVss.

Victims receive a ransom note titled “Osiris-MESSAGE.txt” containing stolen data claims and a negotiation chat link.

Initial suspicious activity appeared several days before ransomware deployment, when attackers used Rclone to exfiltrate data to Wasabi cloud storage buckets.

The threat actors deployed several dual-use tools including Netscan for network reconnaissance, Netexec for lateral movement, and MeshAgent for remote access.

Notably, attackers used a customized Rustdesk remote monitoring and management tool, modified to masquerade as “WinZip Remote Desktop” complete with WinZip iconography to evade detection.

The attackers deployed the Abyssworker/Poortry malicious driver, disguised as a Malwarebytes anti-exploit driver, to execute a BYOVD attack aimed at disabling security software.

Google’s Mandiant first documented Poortry in 2022, with subsequent usage in Medusa ransomware campaigns throughout 2024 and 2025. Poortry typically operates alongside the Stonestop loader, which installs the driver and directs its actions on victim machines.

BYOVD is currently the most prevalent defense impairment technique among ransomware operators.

Attackers typically deploy signed vulnerable drivers that operate with kernel-mode access, enabling privilege escalation, security software termination, and process disruption.

Poortry differs from conventional BYOVD drivers in that evidence suggests attackers developed it specifically for malicious purposes and successfully obtained legitimate code signing. Most BYOVD attacks exploit existing legitimate vulnerable drivers rather than custom-developed malicious drivers.

The attackers also deployed KillAV, a specialized tool for deploying vulnerable drivers to terminate security processes, and enabled Remote Desktop Protocol (RDP) for persistent remote access.
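As an added example (not code from the article or from the Symantec and Carbon Black report), the following Python pass triages constructed endpoint telemetry for the behaviours attributed to the campaign above: the kaz.exe Mimikatz alias, Rclone transfers to Wasabi, the named dual-use tools, the Osiris-MESSAGE.txt ransom note, and a burst of renames to the Osiris extension. The event schema, its field names, and the rename threshold are assumptions, not a real product format.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Indicators taken from the article; the event schema and threshold below are assumptions.
RANSOM_NOTE = "osiris-message.txt"   # ransom note title dropped by Osiris
ENCRYPTED_EXT = ".osiris"            # extension appended to encrypted files
MIMIKATZ_ALIAS = "kaz.exe"           # Mimikatz filename shared with Inc operations
DUAL_USE_TOOLS = {"netscan.exe", "netexec.exe", "meshagent.exe"}
MASS_RENAME_THRESHOLD = 20           # assumed per-host rename count signalling encryption in progress

def _basename(path):
    """Lower-cased final component of a Windows path ('' if the field is missing)."""
    return PureWindowsPath(path).name.lower() if path else ""

def triage(events):
    """Return sorted (host, finding) pairs from hypothetical events keyed host/type/image/cmdline/path."""
    findings, renames = set(), Counter()
    for ev in events:
        host, kind = ev["host"], ev["type"]
        image = _basename(ev.get("image"))
        cmdline = (ev.get("cmdline") or "").lower()
        if kind == "process":
            if image == MIMIKATZ_ALIAS:
                findings.add((host, "mimikatz alias kaz.exe"))
            elif image == "rclone.exe" and "wasabi" in cmdline:
                findings.add((host, "rclone exfiltration to wasabi"))
            elif image in DUAL_USE_TOOLS:
                findings.add((host, f"dual-use tool {image}"))
        elif kind == "file_create" and _basename(ev.get("path")) == RANSOM_NOTE:
            findings.add((host, "osiris ransom note written"))
        elif kind == "file_rename" and _basename(ev.get("path")).endswith(ENCRYPTED_EXT):
            renames[host] += 1
            if renames[host] == MASS_RENAME_THRESHOLD:   # fire once per host
                findings.add((host, f"mass rename to {ENCRYPTED_EXT}"))
    return sorted(findings)

# Constructed sample telemetry (not real IoCs): staging and exfil first, impact afterwards.
SAMPLE_EVENTS = [
    {"host": "fs01", "type": "process", "image": r"C:\Tools\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Shares wasabi:exfil-bucket"},
    {"host": "dc01", "type": "process", "image": r"C:\Windows\Temp\kaz.exe", "cmdline": "kaz.exe"},
    {"host": "dc01", "type": "process", "image": r"C:\Users\Public\netscan.exe", "cmdline": "netscan.exe"},
    {"host": "fs01", "type": "file_create", "path": r"D:\Shares\Osiris-MESSAGE.txt"},
] + [{"host": "fs01", "type": "file_rename", "path": rf"D:\Shares\doc{i}.xlsx.Osiris"}
     for i in range(25)]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
```

The Rclone check keys on the Wasabi remote name appearing in the command line, so it catches the exfiltration window that preceded encryption by days in this campaign, which is where a response would still prevent impact.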

The full impact of Osiris ransomware on the broader threat landscape remains uncertain. However, the malware demonstrates effective encryption capabilities wielded by experienced operators.

Tactical overlaps with Inc ransomware operations, notably Wasabi cloud storage usage and identical Mimikatz deployment patterns, indicate potential connections to that group or its affiliates.
