
Osiris ransomware emerges, leveraging BYOVD technique to kill security tools

Security Affairs, 24/01/2026, 18:17

Summary

AI-Generated

Key Points:

  • A new ransomware strain named Osiris has emerged, utilizing the BYOVD technique via the POORTRY driver to disable security tools during a November 2025 attack against a Southeast Asian food service franchise.
  • The ransomware exhibits capabilities to encrypt files, delete VSS snapshots, and terminate critical processes, posing significant risks to affected systems and potentially leading to data loss and operational disruption.
  • Immediate actions include monitoring for the presence of the POORTRY driver, implementing strict access controls, and ensuring regular backups are maintained to mitigate the impact of potential ransomware attacks.

Technical Details: Osiris employs hybrid ECC and AES-128-CTR encryption with unique keys per file. It also utilizes dual-use tools for network discovery and access, including a modified Rustdesk tool disguised as “WinZip Remote Desktop.”

MITRE ATT&CK Techniques:

  • T1070.001 - Indicator Removal on Host: File Deletion (Defense Evasion)
  • T1059.001 - Command and Scripting Interpreter: PowerShell (Execution)
  • T1021.001 - Remote Services: Remote Desktop Protocol (Lateral Movement)
  • T1490 - Inhibit System Recovery (Impact)

IOCs Mentioned: None
