Osiris Ransomware – New Strain Using POORTRY Driver in BYOVD Attack

Researchers have disclosed details of Osiris, a new ransomware family that emerged in late 2025, targeting a major food service franchisee in Southeast Asia. Unlike the older Locky-derived Osiris variant from 2016, this strain is brand new and leverages advanced techniques including Bring Your Own Vulnerable Driver (BYOVD) with a custom malicious driver called POORTRY.

Key Characteristics

  • Malicious driver (POORTRY):
    • Designed specifically to elevate privileges and terminate security tools.
    • Different from traditional BYOVD attacks that rely on legitimate-but-vulnerable drivers.
  • Encryption payload:
    • Hybrid encryption scheme.
    • Unique key per file.
    • Can stop services, terminate processes, specify folders/extensions, and drop ransom notes.
  • Process killing: Targets Microsoft Office, Exchange, Firefox, WordPad, Notepad, Veeam, and Volume Shadow Copy services.
  • Data exfiltration:
    • Sensitive data stolen via Rclone to Wasabi cloud buckets before encryption.
  • Dual-use tools: Attackers deployed Netscan, Netexec, MeshAgent, and a custom Rustdesk remote desktop build.
  • Persistence: RDP enabled for remote access; KillAV tool also deployed to terminate defenses.

Attribution & Links

  • Potential ties to INC ransomware (Warble):
    • Use of Mimikatz (kaz.exe) with identical filename seen in INC campaigns.
    • Similar exfiltration and tooling patterns.
  • Experienced operators: Attack shows signs of seasoned attackers with knowledge of living-off-the-land techniques and advanced evasion.

Ransomware Landscape (2025–2026)

  • Ransomware attacks in 2025: 4,737 incidents (up 0.8% from 2024).
  • Active groups: Akira, Qilin, Play, INC, SafePay, RansomHub, DragonForce, Sinobi, Rhysida, CACTUS.
  • Notable developments:
    • Akira: Used Throttlestop driver for BYOVD, exploited SonicWall SSL VPNs, and ClickFix CAPTCHA lures.
    • LockBit 5.0: Introduced two-stage deployment model for modularity and evasion.
    • Sicarii: New RaaS operation, possibly a false flag (Israeli/Jewish identity but Russian activity).
    • Storm-2603: Leveraged Velociraptor DFIR tool and BYOVD drivers (rsndispot.sys, kl.sys).
    • Makop: Exploited insecure RDP, used BYOVD drivers (hlpdrv.sys, ThrottleStop.sys), delivered via GuLoader.
    • Obscura: Flaw in encryption process makes large files permanently unrecoverable.
    • 01flip: Rust-based ransomware targeting Windows/Linux, exploiting CVE-2019-11580.

Defensive Recommendations

  • Monitor dual-use tools: Netscan, MeshAgent, Rustdesk, Rclone.
  • Restrict RDP access: Disable or enforce MFA.
  • Application allowlisting: Block unauthorized drivers and executables.
  • Backup strategy: Maintain off-site, immutable backups.
  • Driver monitoring: Detect attempts to load unsigned or suspicious kernel drivers.
  • Threat hunting: Look for POORTRY driver activity and anomalous cloud storage exfiltration.
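One way to operationalize the driver-monitoring and dual-use-tool recommendations above, as an added example that is not from the original report: a small triage routine run over constructed Sysmon-style events. The field names, the tool executable names and every file path are assumptions, not indicators from the article.

```python
import ntpath

# Constructed Sysmon-style sample events (assumed field names, not from the
# article): EventID 6 = DriverLoad, EventID 1 = ProcessCreate.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\Music\ptry.sys",  # hypothetical
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 1, "Image": r"C:\ProgramData\rclone.exe",
     "CommandLine": r"rclone.exe copy D:\Finance wasabi:bucket-1 --transfers 32"},
    {"EventID": 1, "Image": r"C:\Users\Public\rustdesk.exe",
     "CommandLine": "rustdesk.exe --service"},
]

# Assumed executable names for the dual-use tools the article lists.
DUAL_USE_TOOLS = {"rclone.exe", "netscan.exe", "meshagent.exe", "rustdesk.exe"}
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"   # normal home of kernel drivers

def check_driver_load(ev):
    """Reasons a DriverLoad event looks like a BYOVD-style load; [] if clean."""
    reasons = []
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    if not ev.get("ImageLoaded", "").lower().startswith(DRIVER_DIR):
        reasons.append("driver loaded from non-standard path")
    return reasons

def check_process_create(ev):
    """Reasons a ProcessCreate event involves a dual-use tool; [] if clean."""
    name = ntpath.basename(ev.get("Image", "")).lower()
    if name not in DUAL_USE_TOOLS:
        return []
    reasons = [f"dual-use tool executed: {name}"]
    cmd = ev.get("CommandLine", "").lower()
    # rclone copy/sync/move to a remote is the exfiltration pattern to investigate
    if name == "rclone.exe" and any(k in cmd.split() for k in ("copy", "sync", "move")):
        reasons.append("rclone transfer to remote: possible exfiltration")
    return reasons

RULES = {6: ("ImageLoaded", check_driver_load), 1: ("Image", check_process_create)}

def triage(events):
    """Return (event_id, path, reasons) for each event that trips a rule."""
    hits = []
    for ev in events:
        if ev.get("EventID") in RULES:
            field, rule = RULES[ev["EventID"]]
            reasons = rule(ev)
            if reasons:
                hits.append((ev["EventID"], ev[field], reasons))
    return hits
```

In production the same rules would read real Sysmon or EDR telemetry and be tuned against the organization's own signed third-party drivers to keep the false-positive rate down.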

Takeaway

Osiris represents a new generation of ransomware that blends custom BYOVD drivers, hybrid encryption, and stealthy exfiltration. Its links to INC ransomware suggest experienced operators are behind it, and its reliance on trusted Windows features and dual-use tools makes detection harder. Organizations must harden RDP, monitor driver activity, and enforce strict backup policies to defend against this evolving threat.
