A recently identified ransomware strain named Osiris was linked to an intrusion at a large food services organization in Southeast Asia in November 2025. Analysts confirmed that this malware is a new development and is not related to the ransomware that used the same name nearly a decade ago.
The appearance of Osiris highlights how ransomware operations continue to evolve. The attack shows careful planning and execution, reflecting the methods typically used by well-established cybercrime groups rather than opportunistic attackers.
Instead of relying only on obvious malware, the attackers combined trusted Windows features with specialized tools to move through the network. This blend allowed them to maintain access, gather credentials, and prepare systems for encryption while staying largely unnoticed.
Investigators traced the activity after noticing similarities with earlier Inc ransomware operations. These included shared tooling patterns and familiar data theft techniques.
Sensitive information was taken before encryption using cloud-based transfer utilities, confirming a double-extortion strategy.
Driver-Level Attacks and Security Disabling
A key element of the intrusion was the use of a rogue driver known as Poortry, also referred to as Abyssworker. Disguised as legitimate security software, the driver was introduced to undermine system protections.
Through a bring-your-own-vulnerable-driver (BYOVD) method, the attackers gained deep system access and shut down security tools without drawing immediate attention. This technique has become increasingly common because it allows ransomware operators to bypass endpoint defenses effectively.
What sets this case apart is that the driver appears to be custom-built rather than reused from public sources, suggesting strong technical skills within the group. Additional utilities were deployed to scan the environment and keep remote control of compromised systems.
Once their position was secured, the attackers launched the ransomware, encrypting files with strong cryptography and blocking recovery by stopping critical services and removing backup snapshots. The overall operation points to a highly capable and experienced ransomware group behind Osiris.