Osiris Ransomware Uses Living off the Land & Using Wide

In November 2025, a newly discovered ransomware family, dubbed Osiris, launched attacks targeting a major food service company in Southeast Asia.

Security researchers have identified this threat as a completely new malware variant with no connection to an older ransomware family that shared the same name in 2016.

The emergence of Osiris marks another addition to the growing number of sophisticated encryption threats targeting critical infrastructure and business operations.

The attack campaign demonstrates advanced tactics commonly associated with experienced threat actors.

Attackers leveraged a diverse toolkit combining legitimate system tools with malicious utilities to infiltrate the victim’s network, establish persistence, and deploy the ransomware payload.

The incident reveals how modern cybercriminals operate by abusing everyday Windows utilities alongside custom-developed malicious software to avoid detection and bypass security controls.

Symantec analysts identified the malware after discovering suspicious patterns matching previously documented Inc ransomware campaigns.

Researchers noted technical overlaps including identical filenames for credential extraction tools and similar data exfiltration methods. The attackers used Rclone to steal data before encryption, uploading stolen information to Wasabi cloud storage buckets.

They employed Mimikatz, a well-known tool for extracting credentials, specifically using a version named kaz.exe that previous Inc attackers utilized.

Exploitation of Malicious Drivers and Defense Bypass

The most concerning aspect of this attack involves the deployment of a malicious driver called Poortry, also known as Abyssworker. This custom driver pretended to be legitimate Malwarebytes software to deceive administrators.

Attackers used this driver in what security experts call a bring-your-own-vulnerable-driver (BYOVD) attack, enabling them to disable security software by exploiting kernel-level access.

BYOVD attacks have become the preferred technique for ransomware operators seeking to neutralize endpoint defenses.

By deploying signed vulnerable drivers, attackers can escalate privileges and terminate security processes without raising immediate suspicion.

Poortry stands out because attackers developed this driver themselves rather than relying on existing vulnerable code, suggesting sophistication within the threat group.

The attackers also deployed additional tools including Netexec, Netscan, and a modified version of Rustdesk remote management software disguised as WinZip to maintain network access.

Osiris itself encrypts files using advanced hybrid encryption combining ECC and AES-128-CTR, with unique keys for each encrypted file.

The ransomware terminates databases and backup services while deleting volume snapshots to prevent recovery. These technical capabilities, combined with the sophisticated attack chain, indicate experienced operators behind this new threat family.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.