Osiris Ransomware Emerges: New Threat Employs Advanced Techniques in High-Profile Attacks

Emergence of Osiris Ransomware: A New Cyber Threat Leveraging Advanced Techniques

In November 2025, cybersecurity experts identified a new ransomware strain named Osiris, which targeted a major food service franchise operator in Southeast Asia. This sophisticated malware employs advanced tactics, including the bring your own vulnerable driver (BYOVD) technique, to disable security defenses and encrypt critical data.

Distinct Identity from Previous Variants

Despite sharing its name with earlier threats—the Locky-Osiris ransomware variant from 2016-2017 and the Osiris banking trojan—this new Osiris ransomware is an entirely distinct entity. It exhibits no code similarities with its predecessors, indicating a novel development in the ransomware landscape.

Technical Sophistication and Attack Methodology

Osiris demonstrates a high level of technical sophistication. It utilizes a malicious driver known as POORTRY to execute the BYOVD attack, effectively disabling security software and facilitating the encryption of files. The ransomware employs a hybrid encryption scheme, combining Elliptic Curve Cryptography (ECC) with AES-128-CTR, ensuring robust encryption of the victim’s data.

The malware is designed to terminate a wide array of processes and services, including those related to Microsoft Office applications, database management systems like SQL and Oracle, and backup solutions such as Veeam. This strategic termination prevents recovery efforts and maximizes the impact of the attack.

Command-Line Flexibility and Targeted Encryption

Osiris accepts multiple command-line parameters, allowing attackers to customize its operations. These parameters include specifying log files, targeting specific files and directories for encryption, disabling Hyper-V virtual machines, and selecting between partial or full file encryption modes. Notably, the ransomware excludes certain file types from encryption, such as executables, media files, system files, and critical Windows directories, to maintain system operability and avoid detection.

Data Exfiltration and Ransom Demands

Prior to encrypting data, Osiris exfiltrates sensitive information to external cloud storage services, such as Wasabi buckets. This double extortion tactic involves threatening to publish the stolen data unless the ransom is paid, increasing pressure on the victim to comply with the attackers’ demands.

Victims receive a ransom note titled Osiris-MESSAGE.txt, which contains claims of stolen data and provides a link to a negotiation chat. This approach aligns with established ransomware data broker patterns, where attackers list victims and threaten data publication to coerce payment.

Potential Links to Previous Ransomware Operations

Investigations suggest potential links between the Osiris ransomware and previous ransomware operations, such as INC ransomware (also known as Warble). Similarities include the use of the same version of Mimikatz with the filename kaz.exe and the exfiltration of data to Wasabi buckets. These connections indicate that the threat actors behind Osiris may have prior experience in deploying ransomware attacks.
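The behaviours described above (an out-of-place or revoked-signature driver load for the BYOVD step, a renamed Mimikatz binary named kaz.exe, a burst of backup and database service stops, and the Osiris-MESSAGE.txt ransom note) are all observable in ordinary Windows telemetry. The following Python script is an added example, not code from the article or from any vendor; it runs simple detection rules over a handful of constructed log lines. The key=value event format, host names, paths, timestamps and service names are assumptions modelled loosely on Sysmon driver-load (EID 6), process-create (EID 1) and file-create (EID 11) events and on Service Control Manager EID 7036 "entered the stopped state" messages; nothing here is a captured indicator from an incident.

```python
"""Detection rules for Osiris-style ransomware behaviour over constructed log lines.

Added example (not from the article). Event format and sample values are
assumptions modelled on Sysmon and Service Control Manager events.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events: one host shows the full chain (driver load,
# credential tool, service stops, ransom note); a second host shows benign noise.
SAMPLE_EVENTS = [
    "ts=2025-11-03T10:01:02 host=WS01 eid=6 image=C:\\Windows\\System32\\drivers\\disk.sys signature_status=Valid",
    "ts=2025-11-03T10:02:15 host=WS01 eid=6 image=C:\\Users\\Public\\drv.sys signature_status=Revoked",
    "ts=2025-11-03T10:02:30 host=WS01 eid=1 image=C:\\Users\\Public\\kaz.exe parent=C:\\Windows\\System32\\cmd.exe",
    "ts=2025-11-03T10:03:01 host=WS01 eid=7036 service=VeeamBackupSvc state=stopped",
    "ts=2025-11-03T10:03:02 host=WS01 eid=7036 service=MSSQLSERVER state=stopped",
    "ts=2025-11-03T10:03:03 host=WS01 eid=7036 service=OracleServiceORCL state=stopped",
    "ts=2025-11-03T10:03:04 host=WS01 eid=7036 service=Spooler state=stopped",
    "ts=2025-11-03T10:05:40 host=WS01 eid=11 target=C:\\Users\\alice\\Documents\\Osiris-MESSAGE.txt",
    "ts=2025-11-03T10:06:00 host=WS02 eid=7036 service=Spooler state=stopped",
]

EVENT_RE = re.compile(r"(\w+)=(\S+)")

# Service-name fragments for the backup/database products the article says Osiris stops.
PROTECTED_SERVICE_HINTS = ("veeam", "sql", "oracle")
# Drivers legitimately live here; a load from anywhere else is worth a look.
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
KNOWN_TOOL_NAMES = {"kaz.exe"}  # renamed Mimikatz filename named in the article
RANSOM_NOTE_NAME = "osiris-message.txt"


def parse_event(line):
    """Turn one 'key=value key=value' line into a dict (values contain no spaces here)."""
    return dict(EVENT_RE.findall(line))


def basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines, window_seconds=60, min_stops=3):
    """Return (host, rule, detail) tuples for every rule that fires."""
    alerts = []
    stops = defaultdict(list)  # host -> [(timestamp, service)] for protected services only
    for line in lines:
        ev = parse_event(line)
        eid, host = ev.get("eid"), ev.get("host", "?")
        if eid == "6":
            # Rule 1: driver loaded from an untrusted path or with a non-valid signature (BYOVD hint).
            image = ev.get("image", "")
            if not image.lower().startswith(TRUSTED_DRIVER_DIR) or ev.get("signature_status") != "Valid":
                alerts.append((host, "suspicious_driver_load", image))
        elif eid == "1":
            # Rule 2: known credential-dumping tool filename.
            image = ev.get("image", "")
            if basename(image) in KNOWN_TOOL_NAMES:
                alerts.append((host, "known_credential_tool", image))
        elif eid == "7036" and ev.get("state") == "stopped":
            # Collect stops of backup/database services for the burst rule below.
            svc = ev.get("service", "")
            if any(hint in svc.lower() for hint in PROTECTED_SERVICE_HINTS):
                stops[host].append((datetime.fromisoformat(ev["ts"]), svc))
        elif eid == "11":
            # Rule 4: ransom note written to disk.
            target = ev.get("target", "")
            if basename(target) == RANSOM_NOTE_NAME:
                alerts.append((host, "ransom_note_created", target))

    # Rule 3: at least min_stops protected-service stops on one host inside window_seconds.
    for host, events in stops.items():
        events.sort()
        for i in range(len(events)):
            j = i
            while j < len(events) and (events[j][0] - events[i][0]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= min_stops:
                alerts.append((host, "mass_service_stop", ",".join(s for _, s in events[i:j])))
                break
    return alerts


if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule} -> {detail}")
```

The Spooler stops on both hosts are deliberately ignored: the burst rule only counts services matching the backup and database products the article lists, which keeps routine service restarts from tripping it. In practice these rules would be fed from a SIEM export rather than an inline list, and the driver rule would be strengthened with a hash allowlist or the vendor's vulnerable-driver blocklist rather than a path check alone.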

Notable Incidents and Victim Profiles

Osiris has been implicated in several high-profile attacks. In December 2025, the ransomware group claimed responsibility for an attack on The Araneta Group, a diversified conglomerate in the Philippines. The attackers threatened to release sensitive data unless negotiations were initiated. Similarly, American Vanguard Corporation, a U.S.-based manufacturer specializing in agricultural chemicals, was identified as a victim of an Osiris ransomware incident.

Recommendations for Mitigation and Prevention

Given the advanced techniques employed by Osiris, organizations are advised to implement comprehensive cybersecurity measures to mitigate the risk of infection. Key recommendations include:

– Regular Software Updates: Ensure all systems and software are up-to-date to patch known vulnerabilities that could be exploited by ransomware.

– Endpoint Detection and Response (EDR): Deploy EDR solutions capable of detecting and responding to malicious activities, including the use of unauthorized drivers.

– Network Segmentation: Implement network segmentation to limit the spread of ransomware within an organization.

– User Training: Conduct regular training sessions to educate employees about phishing attacks and the importance of not enabling macros in unsolicited documents.

– Data Backup: Maintain regular backups of critical data and ensure they are stored offline or in a manner that prevents them from being targeted by ransomware.

Conclusion

The emergence of the Osiris ransomware underscores the evolving nature of cyber threats and the increasing sophistication of ransomware attacks. By leveraging advanced techniques such as BYOVD and double extortion, Osiris poses a significant risk to organizations worldwide. Proactive cybersecurity measures and vigilance are essential to defend against such threats and to protect sensitive data from compromise.