Osiris Ransomware Evolves, Leveraging BYOVD to Disarm Security Tools

  • Jan 25

Key Findings


  • Symantec and VMware Carbon Black researchers have uncovered a new ransomware strain called Osiris, used in a November 2025 attack against a major Southeast Asian food service franchise operator.

  • Osiris leverages the POORTRY driver in a bring-your-own-vulnerable-driver (BYOVD) attack to disable security software on targeted systems.

  • The new ransomware has full-featured capabilities, including the ability to stop services and processes, select files and folders to encrypt, and leave a ransom note.

  • It employs hybrid ECC and AES-128-CTR encryption with a unique key per file, and manages async I/O via completion ports.

  • The attackers used common dual-use tools for network discovery and access, plus a modified RustDesk remote tool disguised as "WinZip Remote Desktop" to hide its true purpose.


Background


While Osiris shares a name with a 2016 variant of the Locky ransomware, there is no indication of any link between the two families. Who developed the new Osiris ransomware, and whether it is offered under a ransomware-as-a-service (RaaS) model, remain unknown.


However, researchers found signs linking the Osiris attackers to the INC (Warble) ransomware group, based on the reuse of tools and tactics similar to past INC operations.


Osiris Ransomware Capabilities


Osiris is a full-featured ransomware with the following key capabilities:


  • Stops services and processes

  • Selects files and folders to encrypt

  • Appends a ".Osiris" extension to encrypted files

  • Deletes VSS snapshots

  • Terminates database, backup, and productivity processes


The malware uses a hybrid encryption approach, combining ECC and AES-128-CTR, with a unique key per file. It also manages async I/O via completion ports.
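Two of the capabilities listed above, the ".Osiris" rename and the deletion of VSS snapshots, are also the most observable impact-stage signals on a host. The following Python is an added example, not code from Symantec, VMware Carbon Black or the Osiris report, showing one way to detect each over file-audit and process-creation events. All hosts, paths, timestamps and command lines are constructed, the event field names (`ts`, `host`, `op`, `path`, `cmdline`) are assumed, and the rename threshold is set low to suit the sample.

```python
"""Impact-stage detections: a burst of renames to ".Osiris" and shadow-copy
deletion commands. Added example; events below are constructed, not telemetry
from the incident."""
from collections import defaultdict, deque
from datetime import datetime

RANSOM_EXT = ".osiris"   # extension the report says Osiris appends; matched case-insensitively

# Constructed file-system audit events (hypothetical hosts, shares and file names).
FILE_EVENTS = [
    {"ts": "2025-11-14T02:10:00", "host": "FS01", "op": "rename", "path": r"C:\Shares\Finance\Q3.xlsx.Osiris"},
    {"ts": "2025-11-14T02:10:03", "host": "FS01", "op": "rename", "path": r"C:\Shares\Finance\Q4.xlsx.Osiris"},
    {"ts": "2025-11-14T02:10:05", "host": "FS01", "op": "rename", "path": r"C:\Shares\HR\policy.docx.Osiris"},
    {"ts": "2025-11-14T02:10:08", "host": "FS01", "op": "create", "path": r"C:\Shares\HR\notes.txt"},
    {"ts": "2025-11-14T02:10:09", "host": "FS01", "op": "rename", "path": r"C:\Shares\HR\contracts.pdf.Osiris"},
    {"ts": "2025-11-14T02:10:12", "host": "FS01", "op": "rename", "path": r"C:\Shares\IT\inventory.csv.Osiris"},
    {"ts": "2025-11-14T02:10:15", "host": "FS01", "op": "rename", "path": r"C:\Shares\IT\backup.zip.Osiris"},
    {"ts": "2025-11-14T02:11:00", "host": "WS07", "op": "rename", "path": r"C:\Users\alice\report.docx.Osiris"},
    {"ts": "2025-11-14T02:11:30", "host": "WS07", "op": "rename", "path": r"C:\Users\alice\draft.docx"},
    {"ts": "2025-11-14T02:20:00", "host": "WS07", "op": "rename", "path": r"C:\Users\alice\old.txt.Osiris"},
]

# Constructed process-creation events for the shadow-copy rule.
PROCESS_EVENTS = [
    {"host": "FS01", "cmdline": "vssadmin.exe  delete shadows /all /quiet"},
    {"host": "FS01", "cmdline": "wmic shadowcopy delete"},
    {"host": "WS07", "cmdline": "vssadmin.exe list shadows"},
]

# Tool / verb pairs that remove shadow copies; both must appear in the command line.
SHADOW_DELETE_PATTERNS = (
    ("vssadmin", "delete shadows"),
    ("wmic", "shadowcopy delete"),
    ("wbadmin", "delete catalog"),
)


def detect_encryption_bursts(events, threshold=5, window_s=60):
    """Alert once per host when `threshold` renames to RANSOM_EXT land within
    `window_s` seconds. The low default suits the sample; tune it against the
    normal rename volume of real file servers."""
    windows = defaultdict(deque)   # host -> timestamps of recent .Osiris renames
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] != "rename" or not ev["path"].lower().endswith(RANSOM_EXT):
            continue
        host, ts = ev["host"], datetime.fromisoformat(ev["ts"])
        recent = windows[host]
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > window_s:   # drop timestamps outside the window
            recent.popleft()
        if len(recent) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append({"host": host, "first_seen": recent[0].isoformat(), "count": len(recent)})
    return alerts


def flag_shadow_copy_deletion(proc_events):
    """Return (host, command line) for commands matching a shadow-copy deletion pattern."""
    hits = []
    for ev in proc_events:
        cmd = " ".join(ev["cmdline"].split()).lower()   # normalise whitespace and case
        if any(tool in cmd and verb in cmd for tool, verb in SHADOW_DELETE_PATTERNS):
            hits.append((ev["host"], ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for alert in detect_encryption_bursts(FILE_EVENTS):
        print("encryption burst:", alert)
    for host, cmd in flag_shadow_copy_deletion(PROCESS_EVENTS):
        print("shadow copy deletion:", host, cmd)
```

On the sample, FS01 trips the burst rule at its fifth rename (count 5 within 12 seconds) while WS07's two isolated renames, nine minutes apart, do not; the shadow-copy rule flags the two deletion commands and ignores `vssadmin list shadows`. The per-file-key design noted above means no single file reveals the scheme, so behavioural signals like these, rather than file contents, are what a defender can act on.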


Attack Chain and Tactics


The attack chain began with the attackers quietly stealing data using Rclone and uploading it to a Wasabi cloud storage bucket, days before the ransomware deployment. This method, along with the reuse of tools like a Mimikatz variant named kaz.exe, mirrors past INC ransomware operations.


The attackers also deployed other dual-use tools such as Netscan, Netexec, and MeshAgent, as well as a custom version of the RustDesk remote monitoring and management (RMM) tool, disguised as "WinZip Remote Desktop".


To disable security defenses, the Osiris attackers deployed the POORTRY (Abyssworker) driver, posing as a Malwarebytes component, in a BYOVD attack. They also used the KillAV tool for this purpose.


Finally, the attackers enabled RDP to maintain remote access before launching the ransomware.
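The chain above is described at the tool level, which is also the level at which most of it can be caught in endpoint telemetry: a driver whose version information claims a security vendor its signer does not match, an RMM binary whose PE `OriginalFileName` survives the rename to "WinZip Remote Desktop", rclone invoked with a transfer verb, the known dual-use executables, and RDP being switched on through the registry. The following Python is an added example, not code from the researchers or the report, implementing those rules over Sysmon-style event 1 (process create) and event 6 (driver load) records. All hosts, paths, file names, signer strings and command lines are constructed; the `Company` field on the driver record is assumed to come from PE version-info enrichment, which stock Sysmon does not provide for driver loads.

```python
"""Rules over Sysmon-style process-creation (event 1) and driver-load
(event 6) records for the tooling in the Osiris attack chain. Added example;
every host, path, file name and command line below is constructed."""
import ntpath

# Constructed driver-load records. Sysmon event 6 carries ImageLoaded and
# Signature; Company is assumed to be added by PE version-info enrichment.
DRIVER_LOADS = [
    {"host": "FS01", "ImageLoaded": r"C:\Windows\Temp\mbdriver.sys",      # constructed name, not an IoC
     "Signature": "Example Software Co.", "Company": "Malwarebytes"},
    {"host": "FS01", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signature": "Microsoft Windows", "Company": "Microsoft Corporation"},
]

# Constructed process-creation records (Sysmon event 1 field names).
PROCESS_CREATES = [
    {"host": "WS07", "Image": r"C:\Tools\rclone.exe", "OriginalFileName": "rclone.exe",
     "Description": "Rsync for cloud storage",
     "CommandLine": r"rclone.exe copy D:\Shares\Finance wasabi:corp-archive --transfers 8"},
    {"host": "WS07", "Image": r"C:\ProgramData\WinZip\wzrd.exe", "OriginalFileName": "rustdesk.exe",
     "Description": "WinZip Remote Desktop", "CommandLine": "wzrd.exe --service"},
    {"host": "DC01", "Image": r"C:\Temp\kaz.exe", "OriginalFileName": "mimikatz.exe",
     "Description": "", "CommandLine": "kaz.exe"},
    {"host": "WS07", "Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "Description": "Registry Console Tool",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"host": "WS07", "Image": r"C:\Program Files\Notepad++\notepad++.exe", "OriginalFileName": "Notepad++.exe",
     "Description": "Notepad++", "CommandLine": "notepad++.exe"},
]

SECURITY_VENDORS = ("malwarebytes", "symantec", "carbon black")          # vendors a driver might claim to be from
RMM_ORIGINAL_NAMES = {"rustdesk.exe": "RustDesk", "meshagent.exe": "MeshAgent"}
DUAL_USE_NAMES = {"netscan.exe", "nxc.exe", "netexec.exe", "kaz.exe"}     # kaz.exe: the report's Mimikatz variant
RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto"}


def check_driver(ev):
    """Flag a driver whose version info names a security vendor the signer does not match."""
    company, signer = ev.get("Company", "").lower(), ev.get("Signature", "").lower()
    for vendor in SECURITY_VENDORS:
        if vendor in company and vendor not in signer:
            return f"driver claims {vendor} but is signed by '{ev['Signature']}' (possible BYOVD masquerade)"
    return None


def check_process(ev):
    """Return the list of rule matches for one process-creation record."""
    name = ntpath.basename(ev["Image"]).lower()
    orig = ev.get("OriginalFileName", "").lower()
    desc = ev.get("Description", "").lower()
    tokens = ev["CommandLine"].lower().split()
    cmd = " ".join(tokens)
    findings = []
    # PE OriginalFileName survives a rename, so an RMM binary shown under another product name stands out.
    if orig in RMM_ORIGINAL_NAMES and RMM_ORIGINAL_NAMES[orig].lower() not in desc:
        findings.append(f"{RMM_ORIGINAL_NAMES[orig]} binary presented as '{ev.get('Description', '')}'")
    if name in DUAL_USE_NAMES or orig == "mimikatz.exe":
        findings.append(f"dual-use tool {name}")
    if name == "rclone.exe" and len(tokens) > 1 and tokens[1] in RCLONE_TRANSFER_VERBS:
        findings.append("rclone transfer to a remote (possible exfiltration)")
    if "fdenytsconnections" in cmd and "/d 0" in cmd:
        findings.append("RDP enabled via registry")
    return findings


def run_rules(driver_loads, process_creates):
    """Evaluate every record; return (host, file name, finding) tuples."""
    alerts = []
    for ev in driver_loads:
        finding = check_driver(ev)
        if finding:
            alerts.append((ev["host"], ntpath.basename(ev["ImageLoaded"]), finding))
    for ev in process_creates:
        for finding in check_process(ev):
            alerts.append((ev["host"], ntpath.basename(ev["Image"]), finding))
    return alerts


if __name__ == "__main__":
    for host, image, finding in run_rules(DRIVER_LOADS, PROCESS_CREATES):
        print(f"{host:5} {image:15} {finding}")
```

Run stand-alone, the rules produce five findings on the sample (the masquerading driver, the rclone copy, the renamed RustDesk build, kaz.exe, and the registry change) and nothing for the benign editor. The driver rule is the one worth weighting highest: the page reports that the POORTRY driver posed as a Malwarebytes component, and a vendor-versus-signer mismatch is a cheap check that does not depend on knowing the driver's hash in advance, whereas the rclone rule in particular needs allow-listing on hosts where backup jobs legitimately use it.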


Conclusion


The emergence of the new Osiris ransomware, with its sophisticated techniques and possible links to the INC ransomware group, underscores the constant evolution of the ransomware landscape. Cybersecurity professionals must remain vigilant and stay up-to-date on the latest threats to effectively protect their organizations.


Sources


  • https://securityaffairs.com/187279/security/osiris-ransomware-emerges-leveraging-byovd-technique-to-kill-security-tools.html

  • https://x.com/shah_sheikh/status/2015140986758766696

  • https://www.socdefenders.ai/item/26c1fcac-804e-4173-8631-98bab01e9154

  • https://thehackernews.com/2026/01/new-osiris-ransomware-emerges-as-new.html

© 2025 by Explain IT Again.