A new ransomware strain named Osiris has surfaced in the threat landscape, following a documented attack against a major food service operator in Southeast Asia during late 2025. While it shares a moniker with a 2016 variant of Locky, researchers from Symantec and Carbon Black have clarified that this is a distinct, standalone family. The malware exhibits sophisticated operational characteristics, suggesting it may be the work of experienced threat actors rather than a novice group.
Technical Capabilities and Encryption Methods
Osiris utilizes a hybrid encryption architecture, combining Elliptic Curve Cryptography (ECC) with AES-128-CTR. To optimize performance and handle high volumes of data, the ransomware employs completionIOPort for asynchronous I/O management. Its functionality is comprehensive, allowing the malware to terminate specific services, halt processes, and delete Volume Shadow Copies (VSS) to prevent easy data recovery. Files encrypted by the malware receive the .Osiris extension, and victims are provided with a ransom note titled Osiris-MESSAGE.txt containing negotiation instructions.
The ransomware supports several command-line arguments to tailor its execution:
- log: Defines a specific path for activity logging.
- file/path: Directs encryption toward specific files or directories.
- hyperv/hyperv-skip: Manages actions regarding Hyper-V virtual machines and configurations.
- mode: Toggles between partial (“head”) or full file encryption.
Evasion Tactics and Defense Impairment
The attackers behind Osiris employ a “Bring Your Own Vulnerable Driver” (BYOVD) strategy to neutralize security software. This involves the deployment of the Poortry (or Abyssworker) driver, a signed but malicious component that operates with kernel-level privileges. This driver has previously been linked to the Medusa ransomware gang. By exploiting this driver, the attackers can forcefully terminate security processes that would otherwise block the encryption routine.
In addition to kernel-level attacks, the group uses modified legitimate software to maintain access. During recent campaigns, they deployed a customized version of the Rustdesk remote management tool. This version was altered to masquerade as “WinZip Remote Desktop,” complete with a WinZip icon, to avoid detection by IT administrators and automated security scanners.
Connections to Established Threat Actors
Analysis of the Osiris attack chain has revealed significant overlaps with Inc ransomware operations. Investigators noted that the data exfiltration phase utilized Wasabi cloud storage buckets, a tactic previously observed in Inc campaigns. Furthermore, the use of a specific Mimikatz build named “kaz.exe” mirrors tools used by Inc affiliates. These commonalities suggest that Osiris may be operated by former Inc affiliates or that the group is intentionally emulating the tactics, techniques, and procedures (TTPs) of more established ransomware organizations.
Conclusion
The arrival of Osiris highlights the ongoing evolution of ransomware tactics, specifically the increasing reliance on BYOVD techniques to bypass modern endpoint protection. While the group’s exact origins remain unconfirmed, the sophisticated use of dual-use tools and modified remote access software indicates a high level of operational maturity. Organizations should prioritize the monitoring of vulnerable drivers and unauthorized remote management tools to defend against this emerging threat.