New Osiris Ransomware Emerges as New Strain Using POORTRY Driver in BYOVD Attack
Briefly

"A wide range of living off the land and dual-use tools were used in this attack, as was a malicious POORTRY driver, which was likely used as part of a bring your own vulnerable driver (BYOVD) attack to disable security software," the company said in a report shared with The Hacker News. "The exfiltration of data by the attackers to Wasabi buckets, and the use of a version of Mimikatz that was previously used, with the same filename (kaz.exe), by attackers deploying the INC ransomware, point to potential links between this attack and some attacks involving INC."
"Described as an "effective encryption payload" that's likely wielded by experienced attackers, Osiris makes use of a hybrid encryption scheme and a unique encryption key for each file. It's also flexible in that it can stop services, specify which folders and extensions need to be encrypted, terminate processes, and drop a ransom note. By default, it's designed to kill a long list of processes and services related to Microsoft Office, Exchange, Mozilla …"
Osiris targeted a major food service franchisee operator in Southeast Asia in November 2025, using a malicious POORTRY driver as part of a bring your own vulnerable driver (BYOVD) technique to disable security software. Osiris is a brand-new ransomware strain, distinct from a 2016 variant of the same name; who develops it, and whether it is offered as ransomware-as-a-service (RaaS), remains unknown. Indicators such as data exfiltration to Wasabi buckets and reuse of a Mimikatz binary named kaz.exe suggest links to operators associated with INC (Warble) ransomware. Osiris uses a hybrid encryption scheme with a unique key per file, can stop services, terminate processes, and take a list of folders and extensions to encrypt, and drops ransom notes.
Read at The Hacker News