Full Report
Cybersecurity researchers have disclosed details of a new ransomware family called Osiris that targeted a major food service franchisee operator in Southeast Asia in November 2025. The attack leveraged a malicious driver called POORTRY as part of a known technique referred to as bring your own vulnerable driver (BYOVD) to disarm security software, the Symantec and Carbon Black Threat Hunter
Analysis Summary
# Tool/Technique: Osiris Ransomware and POORTRY Driver
## Overview
This summary covers the **Osiris** ransomware family, a new strain observed targeting a food service franchisee in Southeast Asia in November 2025, and the **POORTRY** malicious driver used in conjunction with the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security software.
## Technical Details
- Type: Malware family (Osiris) and Malicious Driver (POORTRY)
- Platform: Windows (Implied by service termination, driver usage, and tools like Mimikatz)
- Capabilities:
  * **Osiris:** Hybrid file encryption (unique key per file), service termination (including security, Office, and backup software), process termination, custom ransom note dropping.
  * **POORTRY:** Custom driver intended specifically for privilege escalation and terminating security tools.
- First Seen: November 2025 (Osiris deployment)
## MITRE ATT&CK Mapping
The observed activities map to several tactics and techniques:
- **TA0005 - Defense Evasion**
  - **T1218 - Signed Binary Proxy Execution**
  - **T1218.011 - Bring Your Own Vulnerable Driver (BYOVD)** (Leveraged via POORTRY)
- **TA0003 - Persistence** (Implied by ongoing driver use for evasion)
- **TA0004 - Privilege Escalation**
  - **T1218 - Signed Binary Proxy Execution** (Drivers are often loaded with high privileges)
- **TA0011 - Command and Control**
  - **T1071 - Application Layer Protocol** (Used for data exfiltration via Rclone to Wasabi buckets)
- **TA0040 - Impact**
  - **T1486 - Data Encrypted for Impact** (Ransomware activity)
## Functionality
### Core Capabilities (Osiris Ransomware)
- **Encryption:** Utilizes a hybrid encryption scheme, generating a unique encryption key for every encrypted file.
- **Service Disruption:** Kills numerous critical services and processes, specifically targeting Microsoft Office, Exchange, Mozilla Firefox, Notepad, Volume Shadow Copy, and backup solutions like Veeam.
- **Target Specification:** Can selectively choose which folders and file extensions to encrypt.
- **Extortion:** Drops a ransom note upon completion.
### Advanced Features (Attack Chain)
- **Security Tool Disablement:** The core mechanism involves using the **POORTRY** driver to elevate privileges and terminate security tools directly, differing from standard BYOVD usage of legitimate vulnerable drivers.
- **Tool Deployment:** Deployed alongside **KillAV**, a tool used to deploy vulnerable drivers for terminating security processes.
- **Lateral Movement/Access:** RDP was enabled on the network, facilitating remote access.
- **Data Exfiltration:** Used **Rclone** to steal sensitive data and exfiltrate it to **Wasabi** cloud storage buckets *prior* to encryption deployment.
- **Living off the Land (LoL) Usage:** Employed dual-use tools like **Netscan**, **Netexec**, and **MeshAgent**, alongside a custom version of **Rustdesk** for remote administration.
## Indicators of Compromise
*Note: File hashes and specific network indicators are not provided in the context.*
- File Hashes: [Not specified in context]
- File Names: `kaz.exe` (A version of Mimikatz previously used by the INC ransomware group).
- Registry Keys: [Not specified in context]
- Network Indicators: Data exfiltration occurred to **Wasabi** cloud storage buckets (defanged: wasabi[.]com).
- Behavioral Indicators:
1. Attempted privilege escalation and security tool termination using a bespoke driver (POORTRY).
2. Use of Rclone for initial data staging/exfiltration.
3. Execution of tooling consistent with that used by the INC ransomware group (e.g., Mimikatz with filename `kaz.exe`).
4. Execution of the `KillAV` tool.
## Associated Threat Actors
- The threat actors who deployed Osiris are **not definitively known**.
- However, clues (use of Mimikatz with filename `kaz.exe`, data exfiltration methods) suggest potential links to threat actors previously associated with **INC ransomware (aka Warble)**.
## Detection Methods
- Signature-based detection (For known binaries like Mimikatz variants or Rclone once observed).
- Behavioral detection focusing on anomalous driver loading or activity that terminates security processes (T1218.011).
- Monitoring for the use of the tool **KillAV** or the loading of the **POORTRY** driver.
- Monitoring for unauthorized connections from sensitive network segments to cloud storage providers (Wasabi), particularly upload activity performed via Rclone.
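The detection ideas above, expressed as a small rule set run over constructed endpoint telemetry. This is an added example written for this summary, not code from the Symantec/Carbon Black report; the event schema is invented, the security-process list and the file name `killav.exe` are assumptions (the page names neither a file name nor a hash for POORTRY or KillAV, so driver loads are judged by signature state), and `wasabisys.com` is Wasabi's S3 endpoint domain, which the page does not mention.

```python
from dataclasses import dataclass

# Indicators from the summary. killav.exe is an assumed file name; the page gives none.
TOOL_NAMES = {"kaz.exe", "killav.exe"}
WASABI_SUFFIXES = ("wasabisys.com", "wasabi.com")   # wasabisys.com: Wasabi S3 endpoint, not on the page
SECURITY_PROCS = {"msmpeng.exe", "ccsvchst.exe", "smc.exe"}  # assumed list of EDR/AV agent processes

@dataclass
class Event:
    kind: str              # driver_load | process_create | process_terminate | network_connect
    image: str             # path of the driver (driver_load) or acting process (other kinds)
    signed: bool = True    # driver_load: did signature verification succeed?
    target: str = ""       # process_terminate: image of the process that was killed
    dest_host: str = ""    # network_connect: destination hostname

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule_id, detail) pairs for events matching the behaviours in this summary."""
    alerts = []
    for e in events:
        name = basename(e.image)
        if e.kind == "driver_load" and not e.signed:
            alerts.append(("byovd_unsigned_driver", name))           # DSE bypass / POORTRY-style load
        elif e.kind == "process_create" and name in TOOL_NAMES:
            alerts.append(("known_tool_filename", name))             # kaz.exe / KillAV
        elif e.kind == "process_terminate" and basename(e.target) in SECURITY_PROCS:
            alerts.append(("security_tool_killed", f"{name}->{basename(e.target)}"))
        elif (e.kind == "network_connect" and name == "rclone.exe"
              and e.dest_host.lower().endswith(WASABI_SUFFIXES)):
            alerts.append(("rclone_exfil_to_wasabi", e.dest_host))   # staging before encryption
    return alerts

SAMPLE_EVENTS = [  # constructed sample telemetry, not data from the incident
    Event("driver_load", r"C:\Windows\Temp\drv.sys", signed=False),
    Event("process_create", r"C:\Users\Public\kaz.exe"),
    Event("process_terminate", r"C:\Users\Public\killav.exe", target=r"C:\SEP\ccSvcHst.exe"),
    Event("network_connect", r"C:\Tools\rclone.exe", dest_host="s3.wasabisys.com"),
    Event("network_connect", r"C:\Program Files\Mozilla Firefox\firefox.exe", dest_host="example.com"),
    Event("driver_load", r"C:\Windows\System32\drivers\disk.sys", signed=True),
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(rule, detail)
```

The last two sample events are benign controls and produce no alert; in production the unsigned-driver rule would be fed from the OS driver-load audit source rather than a constructed list.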
## Mitigation Strategies
- **Driver Signing Enforcement:** Strict implementation and enforcement of Driver Signature Enforcement (DSE) to prevent the loading of unsigned or malicious drivers like POORTRY.
- **Vulnerability Management:** Regularly audit and patch systems to prevent the initial compromise, as BYOVD often requires initial access.
- **Endpoint Detection and Response (EDR):** Configure EDR solutions (like Symantec/Carbon Black) to aggressively monitor for driver loading attempts that lack proper vendor certification or attempt to terminate security services.
- **Access Restriction:** Disable RDP where it is not strictly required, restrict it where it is, and monitor for RDP enablement activity.
- **Security Tool Resilience:** Ensure security tooling is configured to resist termination attempts, potentially employing tamper-proofing features or kernel-level protection.
## Related Tools/Techniques
- **Bring Your Own Vulnerable Driver (BYOVD):** The core technique utilized. (Other examples seen in the landscape include vulnerable drivers associated with Akira/Darter).
- **KillAV:** A tool specifically designed to deploy vulnerable drivers to neutralize security processes.
- **INC Ransomware (Warble):** The group potentially linked through tool usage patterns.
- **Mimikatz** (Used with a consistent filename `kaz.exe`).
- **Rclone** (Used for exfiltration).