Cyber Web Spider Blog – News

New Osiris Ransomware Emerges as New Strain Using POORTRY Driver in BYOVD Attack

Posted on January 22, 2026 By CWS

Cybersecurity researchers have disclosed details of a new ransomware family called Osiris that targeted a major food service franchisee operator in Southeast Asia in November 2025.
The attack leveraged a malicious driver called POORTRY as part of a known technique called bring your own vulnerable driver (BYOVD) to disarm security software, the Symantec and Carbon Black Threat Hunter Team said.
It's worth noting that Osiris is assessed to be a brand-new ransomware strain, sharing no similarities with another variant of the same name that emerged in December 2016 as an iteration of the Locky ransomware. It's currently not known who the developers of the locker are, or whether it's advertised as a ransomware-as-a-service (RaaS).
However, the Broadcom-owned cybersecurity division said it identified clues suggesting that the threat actors who deployed the ransomware may have been previously associated with INC ransomware (aka Warble).
"A number of living off the land and dual-use tools were used in this attack, as was a malicious POORTRY driver, which was likely used as part of a bring your own vulnerable driver (BYOVD) attack to disable security software," the company said in a report shared with The Hacker News.
"The exfiltration of data by the attackers to Wasabi buckets, and the use of a version of Mimikatz that was previously used, with the same filename (kaz.exe), by attackers deploying the INC ransomware, point to potential links between this attack and some attacks involving INC."
Described as an "effective encryption payload" that's likely wielded by experienced attackers, Osiris uses a hybrid encryption scheme and a unique encryption key for each file. It's also flexible in that it can stop services, specify which folders and extensions should be encrypted, terminate processes, and drop a ransom note.

By default, it's designed to kill a long list of processes and services related to Microsoft Office, Exchange, Mozilla Firefox, WordPad, Notepad, Volume Shadow Copy, and Veeam, among others.
The first signs of malicious activity on the target's network involved the exfiltration of sensitive data using Rclone to a Wasabi cloud storage bucket prior to the ransomware deployment. Also used in the attack were a number of dual-use tools such as Netscan, Netexec, and MeshAgent, as well as a custom version of the Rustdesk remote desktop software.
POORTRY differs from traditional BYOVD attacks in that it is a bespoke driver expressly designed for elevating privileges and terminating security tools, as opposed to a legitimate-but-vulnerable driver deployed to the target network.

"KillAV, which is a tool used to deploy vulnerable drivers for terminating security processes, was also deployed on the target's network," the Symantec and Carbon Black Threat Hunter Team noted. "RDP was also enabled on the network, likely to provide the attackers with remote access."
The development comes as ransomware remains a major enterprise threat, with the landscape constantly shifting as some groups close their doors and others quickly rise from their ashes or move in to take their place. According to an analysis of data leak sites by Symantec and Carbon Black, ransomware actors claimed a total of 4,737 attacks during 2025, up from 4,701 in 2024, a 0.8% increase.
The most active players during the past year were Akira (aka Darter or Howling Scorpius), Qilin (aka Stinkbug or Water Galura), Play (aka Balloonfly), INC, SafePay, RansomHub (aka Greenbottle), DragonForce (aka Hackledorb), Sinobi, Rhysida, and CACTUS. Some of the other notable developments in the space are listed below –

Threat actors using the Akira ransomware have leveraged a vulnerable ThrottleStop driver, along with the Windows CardSpace User Interface Agent and Microsoft Media Foundation Protected Pipeline, to sideload the Bumblebee loader in attacks observed in mid-to-late 2025.
Akira ransomware campaigns have also exploited SonicWall SSL VPNs to breach small- to medium-sized business environments during mergers and acquisitions and ultimately obtain access to the larger, acquiring enterprises. Another Akira attack has been found to leverage ClickFix-style CAPTCHA verification lures to drop a .NET remote access trojan called SectopRAT, which serves as a conduit for remote control and ransomware delivery.
LockBit (aka Syrphid), which partnered with DragonForce and Qilin in October 2025, has continued to maintain its infrastructure despite a law enforcement operation to shut down its operations in early 2024. It has also released variants of LockBit 5.0 targeting multiple operating systems and virtualization platforms. A significant update in LockBit 5.0 is the introduction of a two-stage ransomware deployment model that separates the loader from the main payload, while simultaneously maximizing evasion, modularity, and destructive impact.
A new RaaS operation dubbed Sicarii has claimed only one victim since it first surfaced in late 2025. While the group explicitly identifies itself as Israeli/Jewish, analysis has uncovered that its underground online activity is primarily conducted in Russian and that the Hebrew content shared by the threat actor contains grammatical and semantic errors. This has raised the possibility of a false flag operation. Sicarii's primary operator uses the Telegram account "@Skibcum."
The threat actor known as Storm-2603 (aka CL-CRI-1040 or Gold Salem) has been observed leveraging the legitimate Velociraptor digital forensics and incident response (DFIR) tool as part of precursor activity leading to the deployment of Warlock, LockBit, and Babuk ransomware. The attacks have also utilized two drivers ("rsndispot.sys" and "kl.sys") along with "vmtools.exe" to disable security solutions using a BYOVD attack.

Entities in India, Brazil, and Germany have been targeted by Makop ransomware attacks that exploit exposed and insecure RDP systems to stage tools for network scanning, privilege escalation, disabling security software, credential dumping, and ransomware deployment. The attacks, besides using "hlpdrv.sys" and "ThrottleStop.sys" drivers for BYOVD attacks, also deploy GuLoader to deliver the ransomware payload. This is the first documented case of Makop being distributed via a loader.
Ransomware attacks have also obtained initial access using already-compromised RDP credentials to perform reconnaissance, privilege escalation, and lateral movement via RDP, followed by exfiltrating data to temp[.]sh on day six of the intrusion and deploying Lynx ransomware three days later.
A security flaw in the encryption process associated with the Obscura ransomware has been found to render large files unrecoverable. "When it encrypts large files, it fails to write the encrypted temporary key to the file's footer," Coveware said. "For files over 1GB, that footer is never created at all — which means the key needed for decryption is lost. These files are permanently unrecoverable."
A new ransomware family named 01flip has targeted a limited set of victims in the Asia-Pacific region. Written in Rust, the ransomware can target both Windows and Linux systems. Attack chains involve the exploitation of known security vulnerabilities (e.g., CVE-2019-11580) to obtain a foothold into target networks. It has been attributed to a financially motivated threat actor known as CL-CRI-1036.

To protect against targeted attacks, organizations are advised to monitor the use of dual-use tools, restrict access to RDP services, enforce multi-factor authentication (2FA), use application allowlisting where applicable, and implement off-site storage of backup copies.
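As an added defender-side example (not code from the article or from Symantec/Carbon Black), the following Python triages constructed Windows service-install (Event ID 7045) and Sysmon process-creation (Event ID 1) records for the BYOVD driver names and dual-use tool filenames cited above; the key=value log format, the watchlists and the "user-writable path" heuristic are assumptions to adapt to real telemetry.

```python
"""Triage driver installs and process launches for BYOVD / dual-use-tool activity."""
import re
from dataclasses import dataclass

# Driver file names quoted in the article (assumed watchlist; extend from your own intel).
DRIVER_WATCHLIST = {"rsndispot.sys", "kl.sys", "hlpdrv.sys", "throttlestop.sys"}
# Dual-use tool binaries named in the article (kaz.exe is the renamed Mimikatz).
TOOL_WATCHLIST = {"kaz.exe", "rclone.exe", "netscan.exe", "meshagent.exe", "rustdesk.exe"}
# Legitimate kernel drivers live under System32\drivers; these roots are user-writable.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)


@dataclass
class Alert:
    host: str
    reason: str
    detail: str


def _fields(line: str) -> dict:
    """Parse a constructed 'Key=value' record; quoted values may contain spaces."""
    return {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(lines):
    """Return one Alert per record that installs a watchlisted kernel driver, installs a
    kernel driver from a user-writable path, or launches a watchlisted dual-use tool."""
    alerts = []
    for line in lines:
        f = _fields(line)
        host = f.get("host", "?")
        if f.get("eventid") == "7045" and "kernel" in f.get("servicetype", "").lower():
            image = f.get("imagepath", "")
            if _basename(image) in DRIVER_WATCHLIST:
                alerts.append(Alert(host, "known BYOVD driver", image))
            elif USER_WRITABLE.search(image):
                alerts.append(Alert(host, "kernel driver from user-writable path", image))
        elif f.get("eventid") == "1" and _basename(f.get("image", "")) in TOOL_WATCHLIST:
            alerts.append(Alert(host, "dual-use tool launched", f.get("image", "")))
    return alerts


# Constructed sample records (not real telemetry); field names loosely follow the
# System log 7045 and Sysmon 1 schemas.
SAMPLE_LOG = [
    'Host=FS-01 EventID=7045 ServiceName=vmtools ServiceType="kernel mode driver" ImagePath="C:\\Users\\Public\\kl.sys"',
    'Host=FS-01 EventID=7045 ServiceName=upd ServiceType="kernel mode driver" ImagePath="C:\\ProgramData\\drv\\x.sys"',
    'Host=FS-01 EventID=7045 ServiceName=e1d ServiceType="kernel mode driver" ImagePath="C:\\Windows\\System32\\drivers\\e1d68x64.sys"',
    'Host=FS-02 EventID=1 Image="C:\\Windows\\System32\\notepad.exe"',
    'Host=FS-02 EventID=1 Image="C:\\Temp\\kaz.exe"',
]

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"{a.host}: {a.reason}: {a.detail}")
```

The third 7045 record and the notepad.exe launch are negatives; only the two driver installs outside System32\drivers and the kaz.exe launch produce alerts.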
"While attacks involving encrypting ransomware remain as prevalent as ever and still pose a threat, the arrival of new types of encryptionless attacks adds another degree of risk, creating a wider extortion ecosystem of which ransomware may become just one component," Symantec and Carbon Black said.
