New Osiris Ransomware Emerges as New Strain Using POORTRY Driver in BYOVD Attack

Cybersecurity researchers have disclosed details of a new ransomware family called Osiris that targeted a major food service franchisee operator in Southeast Asia in November 2025.

The attack leveraged a malicious driver called POORTRY as part of a known technique called bring your own vulnerable driver (BYOVD) to disarm security software, the Symantec and Carbon Black Threat Hunter Team said.

It's worth noting that Osiris is assessed to be a brand-new ransomware strain, sharing no similarities with another variant of the same name that emerged in December 2016 as an iteration of the Locky ransomware. It's currently not known who the developers of the locker are, or if it's advertised as a ransomware-as-a-service (RaaS).

However, the Broadcom-owned cybersecurity division said it identified clues that suggest the threat actors who deployed the ransomware may have been previously associated with INC ransomware (aka Warble).

“A number of living off the land and dual-use tools were used in this attack, as was a malicious POORTRY driver, which was likely used as part of a bring your own vulnerable driver (BYOVD) attack to disable security software,” the company said in a report shared with The Hacker News.

“The exfiltration of data by the attackers to Wasabi buckets, and the use of a version of Mimikatz that was previously used, with the same filename (kaz.exe), by attackers deploying the INC ransomware, point to potential links between this attack and some attacks involving INC.”

Described as an “effective encryption payload” that is likely wielded by experienced attackers, Osiris uses a hybrid encryption scheme and a unique encryption key for each file. It's also versatile in that it can stop services, specify which folders and extensions should be encrypted, terminate processes, and drop a ransom note.


By default, it's designed to kill a long list of processes and services related to Microsoft Office, Exchange, Mozilla Firefox, WordPad, Notepad, Volume Shadow Copy, and Veeam, among others.

First signs of malicious activity on the target's network involved the exfiltration of sensitive data using Rclone to a Wasabi cloud storage bucket prior to the ransomware deployment. Also used in the attack were various dual-use tools like Netscan, Netexec, and MeshAgent, as well as a custom version of the Rustdesk remote desktop software.

POORTRY is a little different from traditional BYOVD attacks in that it uses a bespoke driver expressly designed for elevating privileges and terminating security tools, as opposed to deploying a legitimate-but-vulnerable driver to the target network.

“KillAV, which is a tool used to deploy vulnerable drivers for terminating security processes, was also deployed on the target's network,” the Symantec and Carbon Black Threat Hunter Team noted. “RDP was also enabled on the network, likely to provide the attackers with remote access.”

The development comes as ransomware remains a significant enterprise threat, with the landscape constantly shifting as some groups shut their doors and others quickly rise from their ashes or move in to take their place. According to an analysis of data leak sites by Symantec and Carbon Black, ransomware actors claimed a total of 4,737 attacks during 2025, up from 4,701 in 2024, a 0.8% increase.

The most active players during the past year were Akira (aka Darter or Howling Scorpius), Qilin (aka Stinkbug or Water Galura), Play (aka Balloonfly), INC, SafePay, RansomHub (aka Greenbottle), DragonForce (aka Hackledorb), Sinobi, Rhysida, and CACTUS. Some of the other notable developments in the space are listed below –

  • Threat actors using the Akira ransomware have leveraged a vulnerable ThrottleStop driver, along with the Windows CardSpace User Interface Agent and Microsoft Media Foundation Protected Pipeline, to sideload the Bumblebee loader in attacks observed in mid-to-late 2025.
  • Akira ransomware campaigns have also exploited SonicWall SSL VPNs to breach small- to medium-sized business environments during mergers and acquisitions and ultimately obtain access to the larger, acquiring enterprises. Another Akira attack has been found to leverage ClickFix-style CAPTCHA verification lures to drop a .NET remote access trojan called SectopRAT, which serves as a conduit for remote control and ransomware delivery.
  • LockBit (aka Syrphid), which partnered with DragonForce and Qilin in October 2025, has continued to maintain its infrastructure despite a law enforcement operation to shut down its operations in early 2024. It has also released variants of LockBit 5.0 targeting multiple operating systems and virtualization platforms. A significant update to LockBit 5.0 is the introduction of a two-stage ransomware deployment model that separates the loader from the main payload, while simultaneously maximizing evasion, modularity, and destructive impact.
  • A new RaaS operation dubbed Sicarii has claimed only one victim since it first surfaced in late 2025. While the group explicitly identifies itself as Israeli/Jewish, analysis has uncovered that its underground online activity is primarily conducted in Russian and that the Hebrew content shared by the threat actor contains grammatical and semantic errors. This has raised the possibility of a false flag operation. Sicarii's main operator uses the Telegram account “@Skibcum.”
  • The threat actor known as Storm-2603 (aka CL-CRI-1040 or Gold Salem) has been observed leveraging the legitimate Velociraptor digital forensics and incident response (DFIR) tool as part of precursor activity leading to the deployment of Warlock, LockBit, and Babuk ransomware. The attacks have also utilized two drivers (“rsndispot.sys” and “kl.sys”) along with “vmtools.exe” to disable security solutions using a BYOVD attack.
  • Entities in India, Brazil, and Germany have been targeted by Makop ransomware attacks that exploit exposed and insecure RDP systems to stage tools for network scanning, privilege escalation, disabling security software, credential dumping, and ransomware deployment. The attacks, besides using “hlpdrv.sys” and “ThrottleStop.sys” drivers for BYOVD attacks, also deploy GuLoader to deliver the ransomware payload. This is the first documented case of Makop being distributed via a loader.
  • Ransomware attacks have also obtained initial access using already-compromised RDP credentials to perform reconnaissance, privilege escalation, and lateral movement via RDP, followed by exfiltrating data to temp[.]sh on day six of the intrusion and deploying Lynx ransomware three days later.
  • A security flaw in the encryption process associated with the Obscura ransomware has been found to render large files unrecoverable. “When it encrypts large files, it fails to write the encrypted temporary key to the file's footer,” Coveware said. “For files over 1GB, that footer isn't created at all — which means the key needed for decryption is lost. These files are permanently unrecoverable.”
  • A new ransomware family named 01flip has targeted a limited set of victims in the Asia-Pacific region. Written in Rust, the ransomware can target both Windows and Linux systems. Attack chains involve the exploitation of known security vulnerabilities (e.g., CVE-2019-11580) to obtain a foothold into target networks. It has been attributed to a financially motivated threat actor known as CL-CRI-1036.

To protect against targeted attacks, organizations are advised to monitor the use of dual-use tools, restrict access to RDP services, implement multi-factor authentication (2FA), use application allowlisting where applicable, and implement off-site storage of backup copies.

“While attacks involving encrypting ransomware remain as prevalent as ever and still pose a threat, the advent of new types of encryptionless attacks adds another degree of risk, creating a wider extortion ecosystem of which ransomware may become just one component,” Symantec and Carbon Black said.
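As an added example that is not part of the Symantec and Carbon Black report, the following Python applies the "monitor the use of dual-use tools" advice to constructed process-creation and driver-load events, keying on the tool and driver names cited in this article; the sample events, rule names and the nxc alias for NetExec are assumptions.

```python
import re

# Constructed sample telemetry (process creations plus one driver load), not real logs.
SAMPLE_EVENTS = [
    {"host": "FS01", "image": r"C:\ProgramData\rclone.exe", "cmdline": r"rclone.exe copy D:\Finance wasabi:acme-bkp --transfers 16"},
    {"host": "DC01", "image": r"C:\Users\Public\kaz.exe", "cmdline": "kaz.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"host": "WS07", "image": r"C:\Temp\netscan.exe", "cmdline": "netscan.exe /range:10.10.0.0/24 /auto"},
    {"host": "WS07", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"host": "FS01", "image": r"C:\Windows\Temp\hlpdrv.sys", "cmdline": ""},  # driver load event
    {"host": "APP02", "image": r"C:\Program Files\7-Zip\7z.exe", "cmdline": "7z.exe a report.zip report.docx"},
]

# Rule = (name, regex over the image path, regex over the command line); either hit fires.
# Names come from the tools and drivers cited in the article; nxc is NetExec's binary name (assumption).
RULES = [
    ("rclone_to_wasabi", r"\\rclone\.exe$", r"\brclone\b.*\bwasabi:"),
    ("mimikatz_as_kaz_exe", r"\\kaz\.exe$", r"sekurlsa::"),
    ("netscan", r"\\netscan\.exe$", None),
    ("netexec", r"\\(netexec|nxc)\.exe$", None),
    ("meshagent_remote_access", r"\\meshagent\.exe$", None),
    ("rustdesk_remote_access", r"\\rustdesk\.exe$", None),
    ("rdp_enabled_via_registry", None, r"fDenyTSConnections\b.*/d\s+0\b"),
    ("byovd_driver_named_in_report", r"\\(rsndispot|kl|hlpdrv|throttlestop)\.sys$", None),
]
COMPILED = [(n, re.compile(i, re.I) if i else None, re.compile(c, re.I) if c else None)
            for n, i, c in RULES]

def hunt(events):
    """Return one finding per (event, rule) pair whose image path or command line matches."""
    findings = []
    for ev in events:
        for name, img_re, cmd_re in COMPILED:
            if (img_re and img_re.search(ev["image"])) or (cmd_re and cmd_re.search(ev.get("cmdline", ""))):
                findings.append({"host": ev["host"], "rule": name, "image": ev["image"]})
    return findings

def hosts_to_triage(findings, min_rules=2):
    """Hosts with two or more distinct rules firing: stacked dual-use tooling is the signal, not one hit."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']:6} {f['rule']:30} {f['image']}")
    print("triage first:", hosts_to_triage(hunt(SAMPLE_EVENTS)))
```

Tune the rule list to the tooling your own environment legitimately runs; a single Rclone or remote-desktop hit on an admin workstation is noise, while several rules on one file server within a short window matches the pre-encryption pattern described above.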
