Emergence of Osiris Ransomware: A Sophisticated Threat Leveraging Dual-Use Tools
In November 2025, a formidable new ransomware variant named Osiris surfaced, targeting a prominent food service company in Southeast Asia. This malware is distinct from the similarly named ransomware identified in 2016, representing a fresh and sophisticated threat in the cybersecurity landscape.
Advanced Attack Techniques
The Osiris ransomware campaign showcases a high level of sophistication, employing a blend of legitimate system utilities and malicious tools to infiltrate networks, establish persistence, and deploy its payload. This strategy underscores the evolving tactics of cybercriminals who exploit everyday Windows utilities alongside custom-developed malware to evade detection and circumvent security measures.
Toolset and Methodology
Security researchers have observed that the attackers utilized a combination of tools to achieve their objectives:
– Credential Extraction: The attackers employed Mimikatz, a well-known tool for extracting credentials, specifically using a version named kaz.exe that previous Inc attackers utilized.
– Data Exfiltration: Rclone was used to exfiltrate data prior to encryption, with the stolen information uploaded to Wasabi cloud storage buckets.
– Network Scanning and Remote Access: Tools such as Netexec, Netscan, and a modified version of Rustdesk remote management software, disguised as WinZip, were deployed to maintain network access and facilitate lateral movement within the compromised environment.
Exploitation of Malicious Drivers
A particularly concerning aspect of the Osiris attack is the deployment of a malicious driver known as Poortry, also referred to as Abyssworker. This custom driver masqueraded as legitimate Malwarebytes software to deceive administrators. The attackers utilized this driver in a bring-your-own-vulnerable-driver (BYOVD) attack, allowing them to disable security software by exploiting kernel-level access.
BYOVD attacks have become a favored technique among ransomware operators aiming to neutralize endpoint defenses. By deploying signed vulnerable drivers, attackers can escalate privileges and terminate security processes without raising immediate suspicion. The development of Poortry by the attackers themselves, rather than relying on existing vulnerable code, indicates a high level of sophistication within the threat group.
Encryption Mechanism and Impact
Osiris employs advanced hybrid encryption, combining Elliptic Curve Cryptography (ECC) and AES-128-CTR, generating unique keys for each encrypted file. The ransomware terminates databases and backup services while deleting volume snapshots to prevent recovery, effectively crippling the victim’s ability to restore their systems without paying the ransom.
Implications and Recommendations
The emergence of Osiris underscores the increasing complexity and sophistication of ransomware threats. Organizations are advised to implement comprehensive security measures, including regular system updates, employee training on phishing and social engineering tactics, and the deployment of advanced endpoint detection and response solutions. Additionally, maintaining up-to-date backups stored offline can significantly mitigate the impact of such attacks.
