Osiris Ransomware Unleashed: A New Threat Exploiting POORTRY Driver in BYOVD Attacks


Key Takeaways:

  • A new ransomware family called Osiris has been discovered, which uses a hybrid encryption scheme and a unique encryption key for each file.
  • The ransomware leverages a malicious driver called POORTRY to disarm security software, and is believed to be linked to the INC ransomware (aka Warble).
  • The attack on a major food service franchisee operator in Southeast Asia involved the exfiltration of sensitive data using Rclone to a Wasabi cloud storage bucket prior to the ransomware deployment.
  • The most active ransomware players in 2025 included Akira, Qilin, Play, INC, and LockBit, among others.
  • To protect against targeted attacks, organizations are advised to monitor the use of dual-use tools, restrict access to RDP services, enforce multi-factor authentication (MFA), and keep off-site copies of backups.

Introduction to Osiris Ransomware
Cybersecurity researchers have disclosed details of a new ransomware family called Osiris that targeted a major food service franchisee operator in Southeast Asia in November 2025. The attack leveraged a malicious driver called POORTRY as part of a known technique referred to as bring your own vulnerable driver (BYOVD) to disarm security software. The Symantec and Carbon Black Threat Hunter Team said that Osiris is assessed to be a brand-new ransomware strain, sharing no similarities with another variant of the same name that emerged in December 2016 as an iteration of the Locky ransomware.

Attack Vector and Techniques
The attack on the food service franchisee operator involved the exfiltration of sensitive data using Rclone to a Wasabi cloud storage bucket prior to the ransomware deployment. The attackers also used a number of dual-use tools, including Netscan, Netexec, and MeshAgent, as well as a custom build of the Rustdesk remote desktop software. The POORTRY use differs from a classic BYOVD attack: rather than bringing a legitimate but vulnerable signed driver and abusing it from user mode, the attackers load a bespoke driver written specifically to elevate privileges and terminate security tools. They also deployed KillAV, a tool that loads vulnerable drivers in order to terminate security processes, and enabled RDP on the network, most likely to give themselves persistent remote access.
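The tooling above maps onto two telemetry sources a defender already has: driver-load events for the BYOVD stage and process-creation events for the dual-use tools. The following triage routine, an added example rather than anything from the Symantec and Carbon Black report, shows the checks worth running over Sysmon-style records. Field names are simplified (the driver path is `ImageLoaded` in real Sysmon Event ID 6), the tool file names and the denylist hash are assumptions constructed for the example, and the sample events are made up; they are not indicators from the intrusion. One point the code makes explicit: a valid signature is not a pass, since purpose-built killer drivers have shipped with valid but abused signatures, so the load location and a hash feed are checked regardless.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a cut-down Sysmon record; only the fields the rules read are kept.
type Event struct {
	ID              int    // 1 = process creation, 6 = driver loaded
	Image           string // executable path (ID 1) or driver path, i.e. ImageLoaded (ID 6)
	OriginalFile    string // OriginalFileName from the PE version resource (ID 1)
	SignatureStatus string // "Valid", "Unsigned", "Revoked", ... (ID 6)
	SHA256          string // lower-case hex
}

// Finding is one rule hit; a single event can raise several.
type Finding struct {
	Reason string
	Image  string
}

// Dual-use tools named in the article, keyed on OriginalFileName because
// operators routinely rename the on-disk binary. The file names are
// assumptions for this example; verify them against real samples first.
var dualUseTools = map[string]string{
	"rclone.exe":    "Rclone (cloud exfiltration)",
	"netscan.exe":   "SoftPerfect Network Scanner",
	"meshagent.exe": "MeshAgent remote management",
	"rustdesk.exe":  "RustDesk remote desktop",
}

// sampleBadHash is a constructed placeholder, not a real POORTRY hash. In
// production this map is fed from a vulnerable/malicious driver feed.
var sampleBadHash = strings.Repeat("0", 64)

var knownBadDrivers = map[string]string{
	sampleBadHash: "constructed sample: security-tool killer driver",
}

// Vendor drivers normally live here; a load from ProgramData, Temp or a user
// profile is the BYOVD staging pattern to alert on.
var trustedDriverDirs = []string{
	`c:\windows\system32\drivers\`,
	`c:\windows\system32\driverstore\`,
}

func loadedFromTrustedDir(image string) bool {
	p := strings.ToLower(image)
	for _, d := range trustedDriverDirs {
		if strings.HasPrefix(p, d) {
			return true
		}
	}
	return false
}

// Triage runs the rules over a batch of events and returns every hit.
func Triage(events []Event) []Finding {
	var out []Finding
	for _, e := range events {
		switch e.ID {
		case 6: // driver loaded
			if why, ok := knownBadDrivers[strings.ToLower(e.SHA256)]; ok {
				out = append(out, Finding{"driver hash on denylist: " + why, e.Image})
			}
			if e.SignatureStatus != "Valid" {
				out = append(out, Finding{"driver signature " + e.SignatureStatus, e.Image})
			}
			// A valid signature is not a pass: bespoke killer drivers have shipped
			// with valid (abused) signatures, so load location is checked regardless.
			if !loadedFromTrustedDir(e.Image) {
				out = append(out, Finding{"driver loaded from untrusted directory", e.Image})
			}
		case 1: // process creation
			if why, ok := dualUseTools[strings.ToLower(e.OriginalFile)]; ok {
				out = append(out, Finding{"dual-use tool executed: " + why, e.Image})
			}
		}
	}
	return out
}

// SampleEvents are constructed for this example, not telemetry from the
// intrusion described in the article.
func SampleEvents() []Event {
	return []Event{
		{ID: 6, Image: `C:\Windows\System32\drivers\tcpip.sys`, SignatureStatus: "Valid", SHA256: "aa11"},
		{ID: 6, Image: `C:\ProgramData\svc\drv.sys`, SignatureStatus: "Valid", SHA256: sampleBadHash},
		{ID: 1, Image: `C:\Users\Public\svchost.exe`, OriginalFile: "rclone.exe", SHA256: "bb22"},
		{ID: 1, Image: `C:\Windows\System32\notepad.exe`, OriginalFile: "NOTEPAD.EXE", SHA256: "cc33"},
	}
}

func main() {
	for _, f := range Triage(SampleEvents()) {
		fmt.Printf("ALERT %-40s %s\n", f.Reason, f.Image)
	}
}
```

Run as-is, it raises three alerts: the ProgramData driver trips both the hash and the location rule, and the renamed Rclone binary is caught through its version resource rather than its file name. The same structure extends to the recommendation at the end of the article about monitoring dual-use tools; the map is the only thing that changes.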

Osiris Ransomware Characteristics
Osiris is described as an "effective encryption payload" that is likely wielded by experienced attackers. It uses a hybrid encryption scheme with a unique encryption key for each file, and it is configurable: operators can have it stop services, specify which folders and file extensions to encrypt, terminate processes, and drop a ransom note. By default it kills a long list of processes and services related to Microsoft Office, Exchange, Mozilla Firefox, WordPad, Notepad, Volume Shadow Copy, and Veeam, among others, so that open file handles and backup tooling do not get in the way of encryption.

Ransomware Landscape
The development comes as ransomware remains a significant enterprise threat, with the landscape constantly shifting as some groups close their doors and others quickly rise from their ashes or move in to take their place. According to an analysis of data leak sites by Symantec and Carbon Black, ransomware actors claimed a total of 4,737 attacks during 2025, up from 4,701 in 2024, a 0.8% increase. The most active players during the past year were Akira, Qilin, Play, INC, SafePay, RansomHub, DragonForce, Sinobi, Rhysida, and CACTUS.

Notable Ransomware Developments
Some of the other notable developments in the space include the use of vulnerable Throttlestop drivers by Akira ransomware actors to sideload the Bumblebee loader in attacks observed in mid-to-late 2025. Akira ransomware campaigns have also exploited SonicWall SSL VPNs to breach small- to medium-sized business environments during mergers and acquisitions and ultimately obtain access to the bigger, acquiring enterprises. LockBit, which partnered with DragonForce and Qilin in October 2025, has continued to maintain its infrastructure despite a law enforcement operation to shut down its operations in early 2024.

New Ransomware Operations
A new RaaS operation dubbed Sicarii has claimed only one victim since it first surfaced in late 2025. While the group explicitly identifies itself as Israeli/Jewish, analysis has uncovered that underground online activity is primarily carried out in Russian and that the Hebrew content shared by the threat actor contains grammatical and semantic errors. This has raised the possibility of a false flag operation. The threat actor known as Storm-2603 has been observed leveraging the legitimate Velociraptor digital forensics and incident response (DFIR) tool as part of precursor activity leading to the deployment of Warlock, LockBit, and Babuk ransomware.

Ransomware Attack Trends
Entities in India, Brazil, and Germany have been targeted by Makop ransomware attacks that exploit exposed and insecure RDP systems to stage tools for network scanning, privilege escalation, disabling security software, credential dumping, and ransomware deployment. In another intrusion, attackers used already-compromised RDP credentials for initial access, carried out reconnaissance, privilege escalation, and lateral movement over RDP, exfiltrated data to temp[.]sh on day six, and deployed Lynx ransomware three days later. A flaw in the encryption process of the Obscura ransomware has been found to render large files unrecoverable, even for victims who pay.

Conclusion and Recommendations
To protect against targeted attacks, organizations are advised to monitor the use of dual-use tools, restrict access to RDP services, enforce multi-factor authentication (MFA), use application allowlisting where applicable, and keep off-site copies of backups. While attacks involving encrypting ransomware remain as prevalent as ever and still pose a threat, the advent of encryption-less extortion adds another degree of risk, creating a wider extortion ecosystem of which ransomware may become just one component. Symantec and Carbon Black recommend that organizations stay vigilant and take proactive measures to protect themselves against the evolving ransomware threat landscape.
