A newly discovered ransomware family, Osiris, targeted a major foodservice franchisee in Southeast Asia in November 2025.
Despite sharing a name with a 2016 Locky ransomware variant, security researchers confirm this represents an entirely new threat with no connection to its predecessor.
However, evidence suggests potential links to threat actors previously associated with Inc ransomware operations.
The attackers employed extensive living off the land binaries (LOLBins) and dual-use tools throughout their campaign.
Notably, they leveraged the malicious Poortry driver in a bring-your-own-vulnerable-driver (BYOVD) attack to turn off security software on compromised systems.
The Symantec and Carbon Black Threat Hunter Team investigation revealed Osiris as a unique ransomware family with unknown developers and unclear operational structure.
Several tactical overlaps with the Inc ransomware operations emerged during the investigation. Attackers exfiltrated stolen data to Wasabi cloud storage buckets, a technique previously observed in Inc ransomware attacks from October 2025.
Additionally, the threat actors deployed Mimikatz using the identical filename “kaz.exe” that Inc ransomware operators previously used, suggesting either tactical emulation or direct involvement of former Inc affiliates.
Ransomware Technical Capabilities
Osiris exhibits standard ransomware functionality including service termination, selective folder and file extension encryption, process killing, and ransom note deployment.
The malware accepts several command-line parameters that customize a run: a log file path, the file and directory paths to encrypt, disabling Hyper-V virtual machines and deleting their configuration, skipping specified VMs, and choosing between partial (“head”) and complete (“full”) encryption of each file.
The ransomware strategically excludes specific file types from encryption including executables (.exe, .dll, .msi), media files (.mp4, .mp3, .mov, .avi), system files (.sys, .inf), and critical Windows directories such as Windows, PerfLogs, ProgramData, and System Volume Information.
Following encryption completion, Osiris appends the Osiris extension to affected files and deletes system snapshots using Volume Shadow Copy Service (VSS).
Osiris terminates database and productivity application processes including SQL, Oracle, MySQL, Microsoft Office applications (Excel, Word, Outlook, PowerPoint), communication tools (Firefox, Thunderbird), and system services.
The ransomware implements a hybrid encryption scheme combining Elliptic Curve Cryptography (ECC) with AES-128-CTR. Each encrypted file receives a unique AES key, and an I/O completion port (completionIOPort) manages the asynchronous input/output requests issued during encryption.
The malware also stops critical services like VSS, SQL services, Microsoft Exchange, and backup solutions including Veeam and GxVss.
Victims receive a ransom note titled “Osiris-MESSAGE.txt” containing stolen data claims and a negotiation chat link.
Initial suspicious activity appeared several days before ransomware deployment when attackers used Rclone to exfiltrate data to Wasabi cloud storage buckets.
The threat actors deployed multiple dual-use tools including Netscan for network reconnaissance, Netexec for lateral movement, and MeshAgent for remote access.
Notably, attackers used a customized RustDesk remote monitoring and management tool, modified to masquerade as “WinZip Remote Desktop” complete with WinZip iconography to evade detection.
The attackers deployed the Abyssworker/Poortry malicious driver, disguised as a Malwarebytes anti-exploit driver, to execute a BYOVD attack for security software disablement.
Google’s Mandiant first documented Poortry in 2022, with subsequent usage in Medusa ransomware campaigns throughout 2024 and 2025. Poortry typically operates alongside the Stonestop loader, which installs the driver and directs its actions on victim machines.
BYOVD is currently the most prevalent defense-impairment technique among ransomware operators.
Attackers typically deploy signed vulnerable drivers that operate with kernel-mode access, enabling privilege escalation, security software termination, and process disruption.
Poortry differs from conventional BYOVD drivers as evidence suggests attackers developed it specifically for malicious purposes and successfully obtained legitimate code signing. Most BYOVD attacks exploit existing legitimate vulnerable drivers rather than custom-developed malicious drivers.
The attackers also deployed KillAV, a specialized tool for deploying vulnerable drivers to terminate security processes, and enabled Remote Desktop Protocol (RDP) for persistent remote access capability.
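As an added illustration, not code from the article or from the Symantec and Carbon Black investigation, the following Python sketch turns the behaviours described above into simple detection checks run over constructed telemetry: the reused “kaz.exe” filename, Rclone transfers to Wasabi storage, shadow-copy deletion, the stopping of backup and database services, the “WinZip Remote Desktop” masquerade, and a driver whose version resource claims a vendor its code signer does not match. The event schema, hostnames, file paths, service names and signer strings are assumptions made for the example; only the indicators themselves come from the write-up.

```python
"""Added example (not from the article): heuristic detections for the Osiris
intrusion chain, run over constructed process/driver telemetry.
The Event schema, file paths, signer strings and sample events are assumptions
made for illustration; only the indicators themselves come from the write-up."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class Event:
    host: str
    kind: str              # "process" or "driver" (assumed schema)
    image: str             # path of the process image or driver file
    cmdline: str = ""      # full command line (process events only)
    description: str = ""  # FileDescription / ProductName from the PE version resource
    signer: str = ""       # Authenticode signer subject; "" when unsigned


# Services the write-up says Osiris stops; matched as substrings of the service name
TARGET_SERVICES = ("vss", "mssql", "msexchange", "veeam", "gxvss")
STOP_CMD = re.compile(r"\b(?:net(?:\.exe)?|sc(?:\.exe)?)\s+stop\s+\"?([\w$.\-]+)", re.I)
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return (host, rule, evidence) tuples for every indicator that fires."""
    findings = []
    stops = {}  # host -> set of targeted services stopped on that host
    for e in events:
        name = basename(e.image)
        if e.kind == "process":
            cmd = e.cmdline.lower()
            if name == "kaz.exe":  # Mimikatz filename reused from Inc intrusions
                findings.append((e.host, "mimikatz_filename_overlap", e.image))
            if name == "rclone.exe" and "wasabi" in cmd:  # assumes the remote is named after the provider
                findings.append((e.host, "rclone_exfil_to_wasabi", e.cmdline))
            if SHADOW_DELETE.search(cmd):
                findings.append((e.host, "shadow_copy_deletion", e.cmdline))
            if e.description.lower() == "winzip remote desktop":
                findings.append((e.host, "rmm_masquerading_as_winzip", e.image))
            m = STOP_CMD.search(cmd)
            if m and any(t in m.group(1) for t in TARGET_SERVICES):
                stops.setdefault(e.host, set()).add(m.group(1))
        elif e.kind == "driver":
            # A driver presenting itself as a Malwarebytes component but signed by someone else
            claims_vendor = "malwarebytes" in e.description.lower()
            signed_by_vendor = "malwarebytes" in e.signer.lower()
            if claims_vendor and not signed_by_vendor:
                findings.append((e.host, "driver_vendor_signer_mismatch",
                                 f"{e.image} signer={e.signer or 'unsigned'}"))
    for host, svcs in stops.items():
        if len(svcs) >= 2:  # several backup/DB services stopped on one host
            findings.append((host, "backup_and_db_service_stops", ",".join(sorted(svcs))))
    return findings


def hosts_by_stage_count(findings, minimum=3):
    """Hosts where at least `minimum` distinct rules fired, most-hit first."""
    per_host = {}
    for host, rule, _ in findings:
        per_host.setdefault(host, set()).add(rule)
    ranked = sorted(per_host.items(), key=lambda kv: -len(kv[1]))
    return [h for h, rules in ranked if len(rules) >= minimum]


# Constructed sample telemetry; hostnames, paths and signers are invented for the example
SAMPLE_EVENTS = [
    Event("FS01", "process", r"C:\Users\Public\rclone.exe",
          cmdline=r"rclone.exe copy D:\Shares\Finance wasabi:bucket-placeholder"),
    Event("FS01", "process", r"C:\PerfLogs\kaz.exe", cmdline="kaz.exe"),
    Event("FS01", "process", r"C:\Windows\System32\vssadmin.exe",
          cmdline="vssadmin.exe delete shadows"),
    Event("FS01", "process", r"C:\Windows\System32\net.exe", cmdline="net stop vss"),
    Event("FS01", "process", r"C:\Windows\System32\sc.exe", cmdline="sc stop MSSQLSERVER"),
    Event("FS01", "process", r"C:\Windows\System32\net.exe", cmdline="net stop VeeamBackupSvc"),
    Event("FS01", "driver", r"C:\Windows\Temp\placeholder_driver.sys",
          description="Malwarebytes Anti-Exploit Driver", signer="Example Signing Co (constructed)"),
    Event("WS07", "process", r"C:\ProgramData\WinZip\placeholder_rmm.exe",
          description="WinZip Remote Desktop", signer=""),
    # Benign activity that must not fire
    Event("WS02", "process", r"C:\Program Files\rclone\rclone.exe",
          cmdline=r"rclone.exe sync C:\Backups gdrive:backups"),
    Event("WS02", "driver", r"C:\Windows\System32\drivers\placeholder_mb.sys",
          description="Malwarebytes Anti-Exploit Driver", signer="Malwarebytes Inc."),
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for host, rule, evidence in hits:
        print(f"{host:5} {rule:32} {evidence}")
    print("prioritise:", hosts_by_stage_count(hits))
```

Each rule on its own is weak (Rclone and service stops are common in legitimate administration), so the per-host stage count is what makes the result actionable: a single host where exfiltration tooling, credential-theft tooling, shadow-copy removal and a vendor-mismatched driver all appear is the one to isolate first.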
The full impact of Osiris ransomware on the broader threat landscape remains uncertain. However, the malware demonstrates effective encryption capabilities wielded by experienced operators.
Tactical overlaps with Inc ransomware operations, particularly the use of Wasabi cloud storage and identical Mimikatz deployment patterns, indicate potential connections to that group or its affiliates.
