Cyber: New Osiris Ransomware Emerges As New Strain Using Poortry Driver In...
Cybersecurity researchers have disclosed details of a new ransomware family called Osiris that targeted a major food service franchisee operator in Southeast Asia in November 2025.
The attack leveraged a malicious driver called POORTRY as part of a known technique referred to as bring your own vulnerable driver (BYOVD) to disarm security software, the Symantec and Carbon Black Threat Hunter Team said.
It's worth noting that Osiris is assessed to be a brand-new ransomware strain, sharing no similarities with another variant of the same name that emerged in December 2016 as an iteration of the Locky ransomware. It's currently not known who the developers of the locker are, or if it's advertised as a ransomware-as-a-service (RaaS).
However, the Broadcom-owned cybersecurity division said it identified clues that suggest the threat actors who deployed the ransomware may have been previously associated with INC ransomware (aka Warble).
"A wide range of living off the land and dual-use tools were used in this attack, as was a malicious POORTRY driver, which was likely used as part of a bring your own vulnerable driver (BYOVD) attack to disable security software," the company said in a report shared with The Hacker News.
"The exfiltration of data by the attackers to Wasabi buckets, and the use of a version of Mimikatz that was previously used, with the same filename (kaz.exe), by attackers deploying the INC ransomware, point to potential links between this attack and some attacks involving INC."
Described as an "effective encryption payload" that's likely wielded by experienced attackers, Osiris makes use of a hybrid encryption scheme and a unique encryption key for each file. It's also flexible in that it can stop services, specify which folders and extensions need to be encrypted, terminate processes, and drop a ransom note.
By default, it's designed to kill a long list of processes and services related to Microsoft Office, Exchange, Mozilla Firefox, WordPad, Notepad, Volume Shadow Copy, and Veeam, among others.
First signs of malicious activity on the target's network involved the exfiltration of sensitive data using Rclone to a Wasabi cloud storage bucket prior to the ransomware deployment. Also utilized in the attack were a number of dual-use tools like Netscan, Netexec, and MeshAgent, as well as a custom version of the Rustdesk remote desktop software.
POORTRY is a little different from traditional BYOVD attacks in that it uses a bespoke driver expr
Source: The Hacker News
