In November 2025, a food service operator in Southeast Asia was targeted by a brand-new ransomware family named Osiris, which utilized a specialized malicious driver to disable security software. Researchers have linked the campaign to the threat actors behind INC ransomware based on shared tools and data exfiltration methods.
Cybersecurity researchers recently identified a fresh ransomware threat named Osiris following an attack on a major food service franchise in Southeast Asia late in 2025. This strain is distinct from a 2016 variant of the same name and appears to be the work of a sophisticated and experienced group. While its origins remain under investigation, the technical execution suggests a high level of proficiency in bypassing modern enterprise defenses.
The attackers employed a technique known as bring your own vulnerable driver (BYOVD) to disable endpoint security, specifically using a malicious driver called POORTRY. Unlike typical versions of this attack, which abuse legitimate but flawed signed drivers, this instance featured a bespoke driver designed specifically to escalate privileges and terminate antivirus processes. This allowed the intruders to move through the network undetected before the final encryption phase began.
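Because the paragraph above describes a bespoke driver rather than a known vulnerable one, a blocklist of known-bad driver hashes would not have matched it; what a defender can still check is who signed a loaded kernel driver and where it was loaded from. The following is an added example, not code from the original report or from the researchers who analysed Osiris. It scans Sysmon Event ID 6 (DriverLoad) and Windows System log Event ID 7045 (service installed) records for drivers that are unsigned, signed by a publisher outside a local allowlist, or loaded from outside the normal driver directories, and it correlates a new kernel-mode service registration with a later load of the same image. The allowlist, the expected directories and every log record are constructed for illustration and are not indicators from the Osiris incident.

```python
"""Flag suspicious kernel driver loads in Sysmon-style telemetry.

Added illustration for the BYOVD discussion; not from the original report.
Field names follow Sysmon Event ID 6 (DriverLoad) and System Event ID 7045
(service installed). All records and the allowlist below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable

# Constructed allowlist: signers this (hypothetical) organisation accepts for kernel code.
TRUSTED_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}

# Directories a legitimately installed driver is normally loaded from.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


@dataclass
class Finding:
    event_id: int
    image: str                     # normalised path of the driver image
    reasons: list[str] = field(default_factory=list)


def normalize_image_path(raw: str) -> str:
    """Reduce the path forms seen in 7045/Sysmon records to a lowercase absolute path."""
    p = raw.strip().strip('"').lower()
    if p.startswith("\\??\\"):                      # NT object-manager prefix
        p = p[4:]
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    elif not (len(p) > 1 and p[1] == ":"):
        # The service control manager stores SystemRoot-relative paths without a drive.
        p = "c:\\windows\\" + p.lstrip("\\")
    return p


def _path_is_expected(image: str) -> bool:
    return image.startswith(EXPECTED_DRIVER_DIRS)


def check_driver_load(ev: dict) -> Finding | None:
    """Sysmon EID 6: a kernel driver image was loaded."""
    image = normalize_image_path(ev.get("ImageLoaded", ""))
    reasons: list[str] = []
    if ev.get("Signed", "").lower() != "true":
        reasons.append("driver image is unsigned")
    elif ev.get("SignatureStatus", "") != "Valid":
        reasons.append(f"signature status {ev.get('SignatureStatus')!r}")
    elif ev.get("Signature", "") not in TRUSTED_SIGNERS:
        reasons.append(f"signer {ev.get('Signature')!r} not in allowlist")
    if not _path_is_expected(image):
        reasons.append("loaded from outside the driver directories")
    return Finding(6, image, reasons) if reasons else None


def check_service_install(ev: dict) -> Finding | None:
    """System EID 7045: a service was registered; drivers carry ServiceType 'kernel mode driver'."""
    if ev.get("ServiceType", "").lower() != "kernel mode driver":
        return None
    image = normalize_image_path(ev.get("ImagePath", ""))
    if _path_is_expected(image):
        return None
    return Finding(7045, image, ["kernel service binary outside the driver directories"])


def scan(events: Iterable[dict]) -> list[Finding]:
    """Run both checks in log order and correlate service registration with the later load."""
    findings: list[Finding] = []
    registered: set[str] = set()   # normalised paths of kernel services seen in 7045 events
    for ev in events:
        eid = ev.get("EventID")
        finding = None
        if eid == 7045:
            finding = check_service_install(ev)
            if ev.get("ServiceType", "").lower() == "kernel mode driver":
                registered.add(normalize_image_path(ev.get("ImagePath", "")))
        elif eid == 6:
            finding = check_driver_load(ev)
            if finding and finding.image in registered:
                finding.reasons.append("image was registered as a new kernel service earlier in the log")
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records (not indicators from any real incident).
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7045, "ServiceName": "SampleSvc", "ServiceType": "kernel mode driver",
     "ImagePath": "\\??\\C:\\Users\\Public\\sample_driver.sys"},
    {"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\sample_driver.sys",
     "Signed": "true", "Signature": "Example Signer Ltd", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\unsigned_sample.sys",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"EID {f.event_id} {f.image}: " + "; ".join(f.reasons))
```

The first sample record is a Microsoft-signed driver in the normal location and produces no finding; the remaining three are flagged. On real telemetry the allowlist should be built from the signers actually observed in the environment during a baseline period, since third-party hardware vendors legitimately ship kernel drivers, and a driver signed by a vendor outside the list is a triage lead rather than proof of compromise.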
Evidence gathered from the breach suggests a possible connection to the established INC ransomware group. Investigators noted that the attackers used a specific version of the Mimikatz tool previously seen in INC operations and exfiltrated data to Wasabi cloud storage buckets using similar methods. The use of dual-use tools like Rclone, Netscan, and a custom build of RustDesk further points to a structured methodology often associated with seasoned cybercriminal outfits.
Technically, Osiris is a flexible and potent encryption payload that uses a hybrid scheme to encrypt each file under its own unique key. Before locking the system, the ransomware terminates an extensive list of processes, including Microsoft Office, Exchange, and various backup services such as Veeam, so that the victim cannot easily recover data or reach essential communication tools during the crisis.
The emergence of Osiris reflects a broader trend in the cybersecurity landscape, where total ransomware attacks saw a slight increase throughout 2025. Despite the shifting identities of various criminal organizations, the threat to enterprises remains constant as new groups fill the voids left by those that disband. The evolution of tools like POORTRY highlights the ongoing arms race between security researchers and developers of malicious software.
Source: New Osiris Ransomware Emerges Using POORTRY Driver In BYOVD Attacks