The Emergence of the Osiris Ransomware

January 26, 2026

Osiris is a newly identified ransomware variant that surfaced in late 2025 following a targeted attack against a large food service operator in Southeast Asia. Unlike the older malware that shared the same name in 2016, this Osiris ransomware is a completely new strain, built and deployed by experienced threat actors. The malware combines advanced encryption with stealth-focused techniques, encrypting victims’ data and appending a distinct ransomware file extension while remaining largely undetected during its early stages. Its emergence reflects a broader shift toward highly controlled, low-noise ransomware operations designed to maximize impact before defenders can respond.

Information on “Osiris Ransomware”

Ransomware Name: Osiris Ransomware
First Detected/Reported: November 2025
Affects OS: Windows, Linux (observed tooling)
File Extension: Varies (case-dependent)
Ransom Note: Case-specific ransom note
Associated Tools: POORTRY driver, Rclone, Mimikatz (kaz.exe)

Attack Chain and Technical Characteristics

Osiris ransomware operations rely heavily on living-off-the-land techniques and dual-use tools to evade detection. Attackers have been observed abusing legitimate Windows utilities alongside custom components such as the malicious POORTRY driver, deployed via a bring-your-own-vulnerable-driver (BYOVD) attack to disable endpoint security. Prior to encryption, Osiris operators typically conduct reconnaissance, harvest credentials, and exfiltrate sensitive data to cloud storage services, increasing pressure on victims through potential double extortion.

Additional Information

  • Osiris uses hybrid encryption with unique keys per file, making large-scale decryption difficult without expert assistance.
  • The ransomware terminates backup, database, and productivity services to prevent recovery.
  • Data exfiltration is commonly performed before encryption using tools like Rclone.
  • Malicious drivers such as POORTRY are used to disable security software at the kernel level.
  • Initial access vectors include phishing emails, exposed RDP services, and compromised credentials.
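The attack chain described above (a BYOVD driver install, a renamed credential tool, Rclone exfiltration, and mass service termination before encryption) leaves a distinctive footprint in ordinary Windows telemetry. The script below is an added illustration of detection logic for those four behaviours and is not code from this page or from any incident-response tooling. It runs over constructed sample events in an assumed JSON-per-line feed; the field names follow the Windows System log (event 7045 service installation, event 7036 service state change) and Sysmon event ID 1 (process creation, whose OriginalFileName field comes from the binary's PE version info and survives a rename such as kaz.exe), but the records themselves are invented for the example. The service-name hints and the stop-burst threshold are tuning assumptions, not values from the page.

```python
"""Illustrative detections for the Osiris-style tradecraft described above.

Sample events are constructed JSON-per-line records in an assumed schema;
field names mirror Windows System log and Sysmon EventData, but no record
here comes from a real incident.
"""
import json
import re
from collections import Counter

# Constructed sample telemetry (not real logs): one JSON object per line.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    # System 7045: kernel-mode driver service registered from a user-writable path
    {"event_id": 7045, "ServiceName": "drvsvc", "ServiceType": "kernel mode driver",
     "ImagePath": "C:\\Users\\Public\\updater.sys"},
    # Sysmon 1: binary renamed to kaz.exe, but PE version info still says mimikatz.exe
    {"event_id": 1, "Image": "C:\\Windows\\Temp\\kaz.exe",
     "OriginalFileName": "mimikatz.exe", "CommandLine": "kaz.exe"},
    # Sysmon 1: rclone copying a file share to a cloud remote
    {"event_id": 1, "Image": "C:\\ProgramData\\rclone.exe",
     "OriginalFileName": "rclone.exe",
     "CommandLine": "rclone.exe copy D:\\Shares\\Finance remote:staging -q"},
    # System 7036 burst: backup/database services entering the stopped state
    {"event_id": 7036, "param1": "SQL Server (MSSQLSERVER)", "param2": "stopped"},
    {"event_id": 7036, "param1": "Veeam Backup Service", "param2": "stopped"},
    {"event_id": 7036, "param1": "MSExchangeIS", "param2": "stopped"},
    {"event_id": 7036, "param1": "Print Spooler", "param2": "stopped"},
    # Benign process start that should not fire
    {"event_id": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe"},
])

# Tuning assumptions for this example (adjust to the environment being monitored).
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(Users|ProgramData|Windows\\Temp|Temp)\\", re.I)
CREDENTIAL_TOOLS = {"mimikatz.exe"}          # matched on OriginalFileName, not Image
EXFIL_TOOLS = {"rclone.exe"}
RECOVERY_SERVICE_HINTS = ("sql", "backup", "veeam", "exchange", "vss", "oracle")
SERVICE_STOP_THRESHOLD = 3                   # stopped recovery-related services per window


def parse_events(text):
    """Parse the JSON-per-line feed, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def check_driver_install(ev):
    """BYOVD pattern: a kernel-mode driver service whose image lives in a user-writable path."""
    if ev.get("event_id") != 7045 or "kernel" not in ev.get("ServiceType", "").lower():
        return None
    path = ev.get("ImagePath", "")
    if USER_WRITABLE.search(path):
        return {"rule": "byovd_driver_from_user_path", "detail": path}
    return None


def check_process_start(ev):
    """Renamed credential tools and exfiltration utilities, keyed on PE OriginalFileName."""
    if ev.get("event_id") != 1:
        return None
    original = ev.get("OriginalFileName", "").lower()
    image = ev.get("Image", "").rsplit("\\", 1)[-1]
    if original in CREDENTIAL_TOOLS:
        return {"rule": "credential_tool_renamed", "detail": f"{image} (OriginalFileName={original})"}
    if original in EXFIL_TOOLS:
        return {"rule": "exfil_tool_execution", "detail": ev.get("CommandLine", image)}
    return None


def check_service_stop_burst(events):
    """Cross-event check: several backup/database services stopped in the same window."""
    stopped = Counter()
    for ev in events:
        if ev.get("event_id") == 7036 and ev.get("param2", "").lower() == "stopped":
            name = ev.get("param1", "")
            if any(h in name.lower() for h in RECOVERY_SERVICE_HINTS):
                stopped[name] += 1
    if len(stopped) >= SERVICE_STOP_THRESHOLD:
        return {"rule": "recovery_service_stop_burst", "detail": sorted(stopped)}
    return None


def analyze(text):
    """Run all checks over a feed and return the list of findings."""
    events = parse_events(text)
    findings = []
    for ev in events:
        for check in (check_driver_install, check_process_start):
            hit = check(ev)
            if hit:
                findings.append(hit)
    burst = check_service_stop_burst(events)
    if burst:
        findings.append(burst)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['detail']}")
```

The per-event checks are deliberately keyed on attributes an operator cannot change by renaming a file (the PE OriginalFileName, the service type recorded by the Service Control Manager), while the service-stop burst is a cross-event rule because a single stopped service is routine and only the cluster of backup and database services stopping together is the pre-encryption signal.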

Conclusion

Osiris ransomware represents a sophisticated and evolving threat that blends stealth, persistence, and strong encryption to maximize damage. Its use of BYOVD attacks and legitimate system tools highlights how modern ransomware campaigns are increasingly difficult to detect and stop once inside a network.

As specialists in ransomware recovery and cybersecurity, we support organizations affected by threats like Osiris through professional Ransomware Recovery Services, expert-led Ransomware Negotiation Services, and proactive protection with our Incident Response Retainer. Contact us to recover encrypted data, contain active incidents, and strengthen your defenses against future ransomware attacks.

Last updated on: January 26, 2026