Osiris ransomware emerges, leveraging BYOVD technique to kill security tools
2026-1-24 18:17:13 Author: securityaffairs.com (view original)


Researchers identified a new Osiris ransomware used in a November 2025 attack, abusing the POORTRY driver via BYOVD to disable security tools.

Symantec and Carbon Black researchers uncovered a new ransomware strain named Osiris, used in a November 2025 attack against a major Southeast Asian food service franchise operator.

The attackers deployed a malicious driver, POORTRY, abusing the BYOVD technique to disable security software, according to Symantec and VMware Carbon Black threat hunters.

Little is known about Osiris’ developers or whether it’s offered as RaaS, but evidence suggests links to INC ransomware actors.

“While this Osiris ransomware shares a name with a ransomware family from 2016, which was a variant of the Locky ransomware, there is no indication that there is any link between these two families.” reads the report published by Symantec and Carbon Black.

Osiris appears to be a new ransomware strain unrelated to the 2016 Locky-based variant of the same name. The developers and any RaaS model remain unknown, but Broadcom researchers found signs linking the attackers to the INC (Warble) ransomware group.

Osiris is a full-featured ransomware with capabilities to stop services and processes, select files and folders to encrypt, and drop a ransom note. The researchers report that it supports multiple command-line options to define targets, logging, encryption mode (partial or full), and Hyper-V handling. The new ransomware family skips specific file types and system folders, appends a .Osiris extension to encrypted files, deletes VSS snapshots, and terminates database, backup, and productivity processes. The malware uses hybrid ECC and AES-128-CTR encryption with a unique key per file, manages async I/O via completion ports, and leaves an Osiris-MESSAGE.txt ransom note with extortion details and negotiation links.

The attack chain began days before ransomware deployment, when attackers quietly stole data using Rclone and uploaded it to a Wasabi cloud storage bucket. This method, along with reused tools like a Mimikatz variant named kaz.exe, mirrors past INC ransomware operations, suggesting either imitation or involvement by a former INC affiliate.

“The attackers also deployed other dual-use tools like Netscan, Netexec, and MeshAgent. They also used a custom version of the Rustdesk remote monitoring and management (RMM) tool, which was modified to masquerade its functionality and to include the file description of “WinZip Remote Desktop” and the WinZip icon in an effort to hide its true use.” continues the report.

The attackers used common dual-use tools for network discovery and access, plus a modified RustDesk remote tool disguised as “WinZip Remote Desktop” to hide its purpose. To disable defenses, they deployed the Poortry (Abyssworker) driver, posing as a Malwarebytes component, in a bring-your-own-vulnerable-driver (BYOVD) attack to shut down security software. KillAV was also used for this purpose. Finally, they enabled RDP to maintain remote access before launching the ransomware.
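The behaviours described in the two paragraphs above (shadow-copy deletion, Rclone uploads to a cloud bucket, a RustDesk build relabelled as "WinZip Remote Desktop", a driver posing as a Malwarebytes component, RDP being enabled, and the .Osiris extension and Osiris-MESSAGE.txt note) are all things a defender can look for in endpoint telemetry. The following Python is an added example, not code from the report or from Symantec/Carbon Black: it parses a handful of constructed process, driver, file and registry events and runs one rule per behaviour over them. The key="value" log shape, the field names (originalfilename, description, product, signer), the file and bucket names, and the exact commands assumed for the behaviours (vssadmin/wmic for VSS deletion, the fDenyTSConnections registry value for RDP) are assumptions for this example; the report names the behaviours but not these specifics.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed telemetry in a key="value" shape loosely modelled on Sysmon/EDR
# process, driver, file and registry events. None of these lines come from the
# reported incident; paths, bucket and driver file names are placeholders.
SAMPLE_EVENTS = [
    'type=ProcessCreate image="C:\\Windows\\System32\\vssadmin.exe" cmdline="vssadmin.exe delete shadows /all /quiet"',
    'type=ProcessCreate image="C:\\Users\\svc\\AppData\\Local\\Temp\\sync.exe" originalfilename="rclone.exe" cmdline="sync.exe copy D:\\Finance remote:bucket-placeholder --transfers 8"',
    'type=ProcessCreate image="C:\\ProgramData\\wzrd.exe" description="WinZip Remote Desktop" product="RustDesk" cmdline="wzrd.exe --service"',
    'type=DriverLoad image="C:\\Windows\\Temp\\mb_placeholder.sys" description="Malwarebytes Service Driver" signer="EXAMPLE UNKNOWN PUBLISHER"',
    'type=DriverLoad image="C:\\Windows\\System32\\drivers\\mb_legit_placeholder.sys" description="Malwarebytes Service Driver" signer="Malwarebytes Inc."',
    'type=RegistrySet key="HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections" value="0"',
    'type=FileCreate path="D:\\Finance\\Q3-report.xlsx.Osiris"',
    'type=FileCreate path="D:\\Finance\\Osiris-MESSAGE.txt"',
    'type=ProcessCreate image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe notes.txt"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key="value" line into a dict; values may be quoted or bare."""
    return {k: (q if q else b) for k, q, b in FIELD_RE.findall(line)}


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    line: str


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def vss_deletion(ev):
    # Assumed command forms; the report only states that snapshots are deleted.
    cmd = ev.get("cmdline", "").lower()
    if ev.get("type") == "ProcessCreate" and (
        ("vssadmin" in cmd and "delete" in cmd and "shadows" in cmd)
        or ("shadowcopy" in cmd and "delete" in cmd)
    ):
        return "shadow copies deleted ahead of encryption"
    return None


def rclone_transfer(ev):
    # Check the PE original file name too: the binary on disk may be renamed.
    names = basename(ev.get("image", "")) + " " + ev.get("originalfilename", "").lower()
    cmd = ev.get("cmdline", "").lower()
    if ev.get("type") == "ProcessCreate" and "rclone" in names and any(
        verb in cmd.split() for verb in ("copy", "sync", "move")
    ):
        return "rclone transfer to a remote (possible data staging for exfiltration)"
    return None


def rmm_relabelled(ev):
    desc = ev.get("description", "").lower()
    ident = (ev.get("product", "") + " " + ev.get("originalfilename", "")).lower()
    if "winzip" in desc and "rustdesk" in ident:
        return "RustDesk binary carrying a WinZip file description"
    return None


def driver_signer_mismatch(ev):
    if ev.get("type") != "DriverLoad":
        return None
    claimed = (ev.get("description", "") + " " + basename(ev.get("image", ""))).lower()
    if "malwarebytes" in claimed and "malwarebytes" not in ev.get("signer", "").lower():
        return "driver presents as a Malwarebytes component but is not signed by Malwarebytes"
    return None


def rdp_enabled(ev):
    # Assumed registry path for enabling Remote Desktop.
    key = ev.get("key", "").lower()
    if ev.get("type") == "RegistrySet" and key.endswith("fdenytsconnections") and ev.get("value") == "0":
        return "Remote Desktop enabled (fDenyTSConnections=0)"
    return None


def osiris_artifacts(ev):
    if ev.get("type") != "FileCreate":
        return None
    name = basename(ev.get("path", ""))
    if name.endswith(".osiris") or name == "osiris-message.txt":
        return "Osiris encrypted-file extension or ransom note written"
    return None


RULES = [vss_deletion, rclone_transfer, rmm_relabelled, driver_signer_mismatch, rdp_enabled, osiris_artifacts]


def scan(lines):
    """Run every rule over every event; return one Finding per rule hit."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append(Finding(rule.__name__, detail, line))
    return findings


def summarize(findings):
    return Counter(f.rule for f in findings)


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
```

Run against the sample, the scanner produces seven findings across six rules; the correctly signed Malwarebytes driver and the notepad launch produce none. The signer check only catches a driver whose claimed vendor does not match its certificate; a genuine vulnerable driver brought in a BYOVD attack is typically validly signed, so this heuristic belongs alongside Microsoft's vulnerable driver blocklist (enforced through HVCI/WDAC) and a baseline of which drivers normally load on each host.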

Osiris is a capable new ransomware used by skilled threat actors. The researchers highlight that tool reuse and tactics suggest possible links to INC affiliates and Medusa activity, though attribution remains unclear.

“With the constant shifting sands of the ransomware landscape, the emergence of a new ransomware family is always something to keep an eye on.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

Source: https://securityaffairs.com/187279/security/osiris-ransomware-emerges-leveraging-byovd-technique-to-kill-security-tools.html