Osiris Ransomware Dissection

Executive Summary

A newly identified ransomware strain called Osiris surfaced in late-2025 attacks, demonstrating a mature and operator-driven intrusion chain that includes data exfiltration, endpoint defense neutralization using vulnerable driver techniques (BYOVD), credential dumping, and targeted encryption.

Importantly, this Osiris threat is not related to the 2016–2017-era Osiris name used for a Locky ransomware variant. Researchers explicitly highlight that this is a new ransomware family, with experienced operators and tradecraft consistent with modern human-operated ransomware campaigns.

1) What Makes Osiris Different: “New Ransomware, Experienced Attackers”

The Symantec and Carbon Black Threat Hunter Team analysis characterizes Osiris as newly emerged, but not “immature.” The campaign exhibits:

  • pre-encryption data theft
  • wide use of dual-use tooling
  • RDP enablement and lateral movement
  • a deliberate kill chain against EDR and other security tooling
  • a hybrid encryption design with operational safeguards

These are all indicators of an actor that already understands enterprise networks and ransomware economics.

Additionally, the report notes overlap in tactics with earlier INC ransomware activity, which raises the probability that Osiris is being operated by seasoned affiliates rather than “newcomers.”

2) Attack Chain Breakdown

Phase 1 — Data Exfiltration First (Wasabi via Rclone)

Before encryption is deployed, Osiris operators prioritize data theft, using Rclone to exfiltrate content to Wasabi cloud storage. This is operationally important because it confirms the intrusion is designed for double extortion (encrypt + leak pressure).

Defender’s takeaway:
If you detect suspicious Rclone activity, you may be in the critical early window before destructive impact begins.

Phase 2 — Recon + Post-Exploitation Tooling

Following exfiltration, the operators deploy internal reconnaissance and movement tooling, including:

  • Netscan
  • NetExec
  • MeshAgent
  • customized RustDesk, disguised as “WinZip Remote Desktop”

This set strongly signals hands-on intruder activity rather than automated malware behavior.

Phase 3 — RDP Enablement + Remote Access Abuse

The campaign enables and uses RDP access as part of the operational pathway—both for movement and for staging ransomware execution.

This matches a pattern defenders repeatedly see: attackers prefer stable interactive access before launching high-risk encryption actions.

Phase 4 — Defense Evasion (KillAV + BYOVD using POORTRY)

One of the most notable technical differentiators in this campaign is the use of KillAV, paired with the POORTRY driver, to disable endpoint security controls.

This is described as a Bring Your Own Vulnerable Driver (BYOVD)-style attack chain used specifically to terminate or neutralize security tooling prior to encryption.

Why it matters:
Once kernel driver abuse enters the chain, defenders can lose visibility at the exact moment they need it most.

Phase 5 — Credential Theft (kaz.exe / Mimikatz variant)

The operators also drop a Mimikatz variant named:

  • kaz.exe

This aligns with hands-on ransomware playbooks: gain credentials → expand access → maximize encryption scope.

Phase 6 — Encryption Deployment & Command-Line Controlled Execution

Encryption is not “spray-and-pray.” It’s executed with operator-selectable options, including:

  • specifying target paths
  • selecting full vs “head” encryption modes
  • disabling Hyper-V

This indicates the ransomware was engineered and/or configured to optimize both:

  • speed (head mode)
  • impact (full mode on high-value systems)

3) Encryption & Evasion: Technical Characteristics

Hybrid crypto: ECC + AES-128-CTR

Osiris uses:

  • ECC + AES-128-CTR hybrid encryption
  • unique per-file keys
  • the .Osiris extension appended to encrypted files

This matters in DFIR because it indicates:

  • a modern cryptographic design
  • a low probability of a community decryptor unless the implementation contains a flaw

File/Folder targeting logic (defensive resilience)

Osiris explicitly skips critical system folders such as:

  • Windows
  • Recycle.Bin

This is often done to preserve OS stability and ensure the victim can still:

  • read ransom instructions
  • access comms channels
  • authorize payment faster

Recovery denial: VSS deletion + service/backup disruption

Osiris implements multiple actions to reduce recovery options:

  • deletes Volume Shadow Copies
  • halts services associated with enterprise systems, including:
    • SQL
    • Exchange
    • Veeam
    • backup-related services

This is deliberate business disruption engineering.

4) Key Indicators of Compromise (IoCs)

File hashes (SHA-256)

Reported artifacts include:

  • KillAV – 33.exe / payload.exe
    • fff586c95b510e6c8c0e032524026ef22297869a86d14075cd601ca8e20d4a16
  • KillAV – payload.dll
    • c74509fcae41fc9f63667dce960d40907f81fae09957bb558d4c3e6a786dde7d

File and tooling indicators

  • Osiris-MESSAGE.txt ransom note
  • kaz.exe (Mimikatz variant)
  • custom RustDesk binary masquerading as “WinZip Remote Desktop”
  • POORTRY.sys driver

Network indicators

  • outbound Rclone activity to Wasabi
  • leak site (TOR):
    • osirisbm3357xrccnid23nlyuqwzbgqheaei6dxvyi34tbkqr3bmvfid.onion

5) Real-World Impact: November 2025 Southeast Asia Case

According to the published research coverage, Osiris was linked to a November 2025 attack on a major Southeast Asian food service franchise operator; supporting reporting noted attacker infrastructure and links spanning multiple regions, along with RDP-related exploitation patterns.

Victims are pressured through leak-site countdown mechanics—reinforcing the assumption that the intrusion is structured for double extortion outcomes, not just encryption.

6) What Defenders Should Do Now (Actionable Mitigations)

A. Hunt immediately for pre-encryption signals

  1. Rclone execution
  2. unusual connections to Wasabi/S3-like endpoints
  3. spikes in outbound data volume

B. Detect remote access staging

  • RustDesk-like tooling with suspicious naming
  • MeshAgent installation
  • RDP enablement events

C. Prepare specifically for BYOVD-style EDR killing

  • alert on new driver loads (especially unsigned or unusual ones)
  • block known vulnerable driver abuse patterns
  • monitor tamper events and service termination bursts

D. Protect Hyper-V / virtualization control plane

Because Osiris includes Hyper-V disabling behavior, defenders should:

  • harden Hyper-V management endpoints
  • isolate virtualization admin identities
  • monitor virtualization-related service stops and config changes
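The hunting steps in sections 6A-6C, the file indicators in section 4 and the recovery-denial behaviour in section 3 can be turned into a single triage pass over endpoint telemetry. The following Python is an added example written for this write-up, not code from the researchers; the events are constructed in the shape of Sysmon process-create, network-connect and driver-load records, and the Wasabi endpoint domain is an assumption about where Rclone traffic would surface, not something the report lists.

```python
import ntpath
import re

# Constructed sample telemetry (not real victim data), shaped like Sysmon
# process-create (EID 1), network-connect (EID 3) and driver-load (EID 6) events.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Users\Public\rclone.exe", "cmd": "rclone.exe copy"},
    {"id": 3, "image": r"C:\Users\Public\rclone.exe",
     "dest_host": "s3.wasabisys.com", "dest_port": 443},
    {"id": 1, "image": r"C:\ProgramData\WinZip Remote Desktop\rustdesk.exe",
     "cmd": "rustdesk.exe --service"},
    {"id": 1, "image": r"C:\Windows\Temp\kaz.exe", "cmd": "kaz.exe"},
    {"id": 6, "image": r"C:\Windows\Temp\POORTRY.sys", "signed": "false"},
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]

# File names come from the write-up's IoC section; the Wasabi domain pattern is
# an assumption (Wasabi's S3-compatible endpoints live under wasabisys.com).
NAMED_ARTIFACTS = {"kaz.exe", "poortry.sys"}
WASABI_DOMAIN_RE = re.compile(r"\.wasabisys\.com$", re.IGNORECASE)
VSS_DELETE_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def classify(ev):
    """Return the list of rule names an event triggers (empty if nothing fires)."""
    hits = []
    image = ev.get("image", "")
    base = ntpath.basename(image).lower()
    if ev["id"] == 1 and base == "rclone.exe":
        hits.append("rclone_execution")           # 6A step 1
    if ev["id"] == 3 and WASABI_DOMAIN_RE.search(ev.get("dest_host", "")):
        hits.append("wasabi_connection")          # 6A step 2, anchored on the domain suffix
    if base == "rustdesk.exe" and "winzip" in image.lower():
        hits.append("rustdesk_masquerade")        # 6B: RustDesk posing as WinZip Remote Desktop
    if base in NAMED_ARTIFACTS:
        hits.append("named_artifact:" + base)     # section 4 file indicators
    if ev["id"] == 6 and ev.get("signed", "true").lower() != "true":
        hits.append("unsigned_driver_load")       # 6C: BYOVD staging
    if ev["id"] == 1 and VSS_DELETE_RE.search(ev.get("cmd", "")):
        hits.append("vss_deletion")               # section 3 recovery denial
    return hits


def hunt(events):
    """Keep only the events that fired at least one rule, with their rule names."""
    return [(ev["image"], classify(ev)) for ev in events if classify(ev)]
```

Any single hit from the Rclone or Wasabi rules is worth escalating on its own, since the write-up places exfiltration before encryption; the POORTRY.sys event fires twice (named artifact plus unsigned driver load), which is the pattern to page on.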

Conclusion

Osiris (late 2025–2026) is a strong example of the next wave of ransomware execution: data theft first, EDR disruption using BYOVD chains, credential access, then carefully controlled encryption.

The research makes one message clear:

Osiris may be new in name, but not new in capability.

Any organization seeing Wasabi-bound Rclone exfiltration, POORTRY/KillAV artifacts, RustDesk masquerading, or a sudden shift in RDP posture should treat it as a high-confidence ransomware staging event — and respond accordingly.
