Osiris: New Ransomware, Experienced Attackers?


A new, distinct ransomware family called Osiris was used in a November 2025 attack against a major food service franchisee in Southeast Asia, employing hybrid ECC+AES-128-CTR encryption, VSS deletion, and a variety of living-off-the-land and dual-use tools. The intrusion included data exfiltration to Wasabi buckets, use of a Mimikatz build named kaz.exe, and deployment of a malicious signed driver (Poortry/Abyssworker) consistent with a BYOVD defense‑impairment tactic. #Osiris #Poortry

Key points

  • Osiris is a newly identified ransomware family (not linked to the 2016 “Osiris/Locky” variant) observed encrypting files and appending the .Osiris extension while deleting VSS snapshots and dropping an Osiris-MESSAGE.txt ransom note.
  • Attackers exfiltrated data to Wasabi cloud storage using Rclone prior to encryption, mirroring a tactic previously observed with Inc ransomware activity.
  • Evidence suggests potential links or overlap with Inc ransomware activity: reuse of a Mimikatz build named kaz.exe and exfiltration patterns to Wasabi.
  • Defense‑impairment via a signed malicious driver (Poortry/Abyssworker) was used in a BYOVD-style attack to disable security products; KillAV and other tools were also deployed to terminate protective processes.
  • Operators used a mix of dual‑use and living‑off‑the‑land tools (Netscan, Netexec, MeshAgent, custom Rustdesk) and enabled RDP to facilitate access, discovery, lateral movement, and remote control.
  • Osiris supports command-line options to control logging, target files/folders, VM handling (hyperv/hyperv-skip), and encryption mode (head/full), and it skips many common system/media extensions and folders.
  • Osiris employs hybrid encryption (ECC + AES-128-CTR) with a unique AES key per file; in this standard hybrid pattern the per-file key is protected by the operators' ECC key pair, so files cannot be recovered without their private key. It uses an I/O completion port (completionIOPort) for asynchronous file I/O during encryption.

MITRE Techniques

  • [T1003] OS Credential Dumping – Mimikatz (kaz.exe) was used to harvest credentials: (‘a version of Mimikatz that was previously used, with the same filename (kaz.exe), by attackers deploying the Inc ransomware’)
  • [T1567] Exfiltration Over Web Service – Data was exfiltrated to a Wasabi bucket using Rclone: (‘Rclone was used to exfiltrate data. This data was exfiltrated to a Wasabi bucket.’)
  • [T1562] Impair Defenses – Attackers deployed a signed malicious driver (Poortry/Abyssworker) and KillAV to disable security software in a BYOVD-style attack; the driver's valid signature is what lets it load, so a signature check alone does not stop it: (‘BYOVD is by far the most frequently used technique for defense impairment by ransomware attackers now. … deploy a signed vulnerable driver to the target network’)
  • [T1490] Inhibit System Recovery – Osiris deletes snapshots using VSS to prevent recovery: (‘After completing encryption, Osiris appends the .Osiris extension to affected files … and deletes snapshots using VSS.’)
  • [T1105] Ingress Tool Transfer – Multiple tools and payloads (MeshAgent, Netexec, Netscan, Rclone, custom Rustdesk build) were deployed to victim systems: (‘They also deployed other dual-use tools like Netscan, Netexec, and MeshAgent. They also used a custom version of the Rustdesk remote monitoring and management (RMM) tool’)
  • [T1046] Network Service Discovery – Netscan was used to discover services and hosts on the network: (‘They also deployed other dual-use tools like Netscan…’)
  • [T1021] Remote Services – RDP was enabled and remote management tools (Rustdesk, MeshAgent) were used to provide remote access: (‘RDP was also enabled on the network, likely to provide the attackers with remote access.’ / ‘custom version of the Rustdesk … to hide its true use.’)
  • [T1486] Data Encrypted for Impact – Osiris encrypted files across selected directories and extensions and dropped a ransom note demanding negotiation: (‘Osiris appends the .Osiris extension to affected files … The ransomware also drops a ransom note titled Osiris-MESSAGE.txt, which details the data they claim to have stolen’)

Indicators of Compromise

  • [File hash] Example hashes for deployed tools/payloads – fff586c95b510e6c8c0e032524026ef22297869a86d14075cd601ca8e20d4a16 (KillAV – 33.exe), fc39cca5d71b1a9ed3c71cca6f1b86cfe03466624ad78cdb57580dba90847851 (Mimikatz – kaz.exe), and 15 more hashes.
  • [File name] Malware and tool filenames observed – kaz.exe (Mimikatz), Osiris-MESSAGE.txt (ransom note), meshagent64-philip.exe (MeshAgent), and other tool filenames.
  • [Driver filename] Signed malicious driver used for BYOVD-style defense impairment – multia.sys.
  • [Domain] Network indicators observed – ausare[.]net, wesir[.]net.
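The key points, MITRE mapping and IOC list above describe a chain (credential dumping, RDP enabling, Rclone to Wasabi, signed driver load, VSS deletion, mass .Osiris renames) that is more useful to hunt for as a chain than as single indicators. The script below is an added example, not code from the report or its authors: it scores Sysmon-style endpoint events against the page's IOCs and behavioural patterns. The event records are constructed for the demo, the field names are a simplified Sysmon-like schema, and the command-line shapes assumed for VSS deletion, RDP enabling and the Rclone remote name are the editor's assumptions about what the described activity looks like on a host, not strings quoted from the report.

```python
"""Hunt Sysmon-style endpoint events for the Osiris TTPs and IOCs listed above.

Added example, not code from the report. The events below are constructed;
the regexes for VSS deletion, RDP enabling and Rclone-to-Wasabi are assumed
command shapes for the activity the report describes.
"""
import re
from collections import Counter

# Atomic indicators taken from the page's IOC list.
IOC_HASHES = {
    "fff586c95b510e6c8c0e032524026ef22297869a86d14075cd601ca8e20d4a16": "KillAV (33.exe)",
    "fc39cca5d71b1a9ed3c71cca6f1b86cfe03466624ad78cdb57580dba90847851": "Mimikatz (kaz.exe)",
}
IOC_FILENAMES = {"kaz.exe", "33.exe", "meshagent64-philip.exe", "multia.sys"}
IOC_DOMAINS = {"ausare.net", "wesir.net"}

# Behavioural patterns (assumed command shapes, not quoted from the report).
VSS_DELETE = re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
RCLONE_WASABI = re.compile(r"\brclone(\.exe)?\b.*wasabi", re.I)          # assumed remote name
RDP_ENABLE = re.compile(r"fDenyTSConnections\b.*\s0\b", re.I)            # value 0 = RDP allowed
RANSOM_ARTIFACT = re.compile(r"(\.Osiris|Osiris-MESSAGE\.txt)$", re.I)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(ev: dict) -> list:
    """Return (label, detail) hits for one event; an empty list means no match."""
    hits = []
    name = basename(ev.get("image", ""))
    sha = ev.get("sha256", "").lower()
    if sha in IOC_HASHES:
        hits.append(("IOC hash", IOC_HASHES[sha]))
    if name in IOC_FILENAMES:
        hits.append(("IOC filename", name))
    kind = ev.get("type")
    if kind == "ProcessCreate":
        cmd = ev.get("cmdline", "")
        if VSS_DELETE.search(cmd):
            hits.append(("T1490 Inhibit System Recovery", cmd))
        if RCLONE_WASABI.search(cmd):
            hits.append(("T1567 Exfiltration Over Web Service", cmd))
        if RDP_ENABLE.search(cmd):
            hits.append(("T1021 Remote Services (RDP enabled)", cmd))
    elif kind == "DriverLoad" and name in IOC_FILENAMES:
        # A valid signature does not clear this hit: BYOVD-style abuse relies
        # on the driver loading precisely because it is signed.
        hits.append(("T1562 Impair Defenses (BYOVD-style driver)", f"{name} signed={ev.get('signed')}"))
    elif kind == "FileCreate" and RANSOM_ARTIFACT.search(ev.get("target", "")):
        hits.append(("T1486 Data Encrypted for Impact", ev["target"]))
    elif kind == "DnsQuery" and ev.get("query", "").lower().rstrip(".") in IOC_DOMAINS:
        hits.append(("IOC domain", ev["query"]))
    return hits


def hunt(events: list) -> Counter:
    """Count hits per label across one host's events."""
    tally = Counter()
    for ev in events:
        for label, _ in evaluate(ev):
            tally[label] += 1
    return tally


def stages_seen(tally: Counter) -> set:
    """Distinct ATT&CK technique IDs present; several together warrant escalation."""
    return {label.split()[0] for label in tally if label.startswith("T1")}


# Constructed sample telemetry (not real logs from the incident).
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "sha256": "0" * 64},
    {"type": "ProcessCreate", "image": r"C:\Users\Public\kaz.exe",
     "cmdline": "kaz.exe privilege::debug sekurlsa::logonpasswords",
     "sha256": "fc39cca5d71b1a9ed3c71cca6f1b86cfe03466624ad78cdb57580dba90847851"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"type": "ProcessCreate", "image": r"C:\ProgramData\rclone.exe",
     "cmdline": r"rclone.exe copy \\FS01\Finance wasabi:bkp-2025-11 --transfers 16"},
    {"type": "DriverLoad", "image": r"C:\Windows\System32\drivers\multia.sys", "signed": True},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "FileCreate", "image": r"C:\Users\Public\payload.exe", "target": r"D:\Data\Q3-report.xlsx.Osiris"},
    {"type": "FileCreate", "image": r"C:\Users\Public\payload.exe", "target": r"D:\Data\Osiris-MESSAGE.txt"},
    {"type": "DnsQuery", "image": r"C:\ProgramData\rustdesk.exe", "query": "wesir.net"},
]

if __name__ == "__main__":
    tally = hunt(SAMPLE_EVENTS)
    for label, n in sorted(tally.items()):
        print(f"{n:2d}  {label}")
    print("stages:", sorted(stages_seen(tally)))
```

The hashes and filenames catch only this specific toolset; the behavioural rules (VSS deletion, RDP enabling, Rclone to a cloud remote, a driver load by an unexpected name, mass renames to one extension) are what survive a rebuild of the tools, and the count of distinct stages on one host is the triage signal.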


Read more: https://www.security.com/threat-intelligence/new-ransomware-osiris