New Osiris Ransomware Strain Emerges Using POORTRY Driver in BYOVD Attacks


The Rebirth of Osiris: A Brand New Threat

Cybersecurity researchers have uncovered a sophisticated new ransomware family dubbed Osiris. While the name may sound familiar to long-time researchers, this 2026 strain shares no code with the 2016 Locky variant. First detected targeting a major food service franchisee in Southeast Asia, Osiris represents a significant evolution in ransomware tactics, specifically focusing on disabling endpoint protection before encryption begins.

Technical Deep-Dive: The BYOVD Attack and POORTRY Driver

The standout feature of Osiris is its use of a Bring Your Own Vulnerable Driver (BYOVD) attack. In this scenario, the ransomware drops a malicious or legitimate-but-vulnerable driver to gain kernel-level privileges. The Osiris attackers utilized a bespoke driver named POORTRY.

  • Kernel-Level Access: By operating at the Ring 0 (kernel) level, the POORTRY driver can terminate security processes (EDR/Antivirus) that would normally block ransomware activity.
  • KillAV Tools: The attackers deployed a specialized tool called "KillAV" to manage these drivers and systematically disarm the victim's defenses.
  • Elevation of Privilege: Unlike traditional malware that stays in "User Mode," Osiris uses the driver to override system permissions, making it nearly impossible to stop once the driver is active.

Connection to INC Ransomware (Warble)

Evidence gathered by Symantec and Carbon Black points toward a potential link between Osiris and the INC Ransomware group. Researchers discovered that Osiris used a custom version of Mimikatz (named kaz.exe) that was identical to versions used in previous INC attacks. Furthermore, the exfiltration patterns—specifically the use of Wasabi cloud storage buckets—mirror the infrastructure typically used by INC affiliates.

Encryption and Exfiltration Tactics

Before any encryption took place, the threat actors spent days inside the network performing reconnaissance and data theft. Key tools used in the campaign include:

  • Rclone: Used to exfiltrate sensitive data to Wasabi buckets prior to locking the system.
  • Hybrid Encryption: Osiris generates a unique encryption key for every file, so recovering the data without the attackers' master key is computationally infeasible.
  • Process Termination: By default, it stops services belonging to Microsoft Office, SQL Server, Exchange, and backup products such as Veeam, so that no file is held "in use" by an application and skipped during encryption.

The Broader Ransomware Landscape in 2026

The Osiris emergence is part of a broader trend where ransomware groups are becoming more modular. Groups like Akira are now using Bumblebee loaders, while LockBit 5.0 has moved to a two-stage deployment model to maximize evasion. Kian Technologies observes that 2025 recorded over 4,700 major ransomware attacks, a trend that is only intensifying in 2026.

Defensive Strategies for Enterprises

To defend against BYOVD and Osiris-style attacks, Kian Technologies recommends the following security posture:

  • Driver Blocklisting: Enable Microsoft’s vulnerable driver blocklist to prevent known-vulnerable drivers from loading.
  • Monitor Dual-Use Tools: Set alerts for the unauthorized use of Rclone, Netscan, and MeshAgent within your environment.
  • RDP Hardening: Disable RDP where unnecessary and enforce Phishing-Resistant MFA for all remote access.
  • Immutable Backups: Ensure backups are stored off-site and in an "immutable" format that cannot be deleted or encrypted by ransomware.
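The BYOVD behaviour described above (a driver loaded from an unusual path or matching a blocklist), the pre-encryption service shutdown, and the dual-use tool monitoring recommended here all reduce to a few detection rules over endpoint telemetry. The script below is an added example written for this post; it is not code from the original article or from Kian Technologies. The event layout (Sysmon-style driver-load, process-creation and service-state records), the sample events, the tool names beyond those named in the post, and the driver hash blocklist are all constructed assumptions; the blocklist entry is a placeholder, not a real indicator.

```python
"""Added example: detection rules for the behaviours described in the post,
run over constructed Sysmon-style events. Event fields, sample data and the
driver hash blocklist are assumptions made for illustration."""
import re
from collections import deque

# Constructed blocklist: the sha256 value is a placeholder, not a real IoC.
DRIVER_BLOCKLIST = {"sha256:PLACEHOLDER_VULNERABLE_DRIVER_HASH"}
# Directories from which production drivers are normally loaded (assumption).
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",
                       "c:\\windows\\system32\\driverstore\\")

# Dual-use tools named in the post plus the renamed Mimikatz build (kaz.exe).
DUAL_USE_TOOLS = {"rclone.exe", "netscan.exe", "meshagent.exe", "kaz.exe"}
# Wasabi's public S3 endpoint domain; seeing it in a command line is a signal.
EXFIL_HOSTS = re.compile(r"wasabisys\.com", re.I)

# Services the post says are stopped before encryption (Office, SQL, Exchange, Veeam).
TARGET_SERVICES = re.compile(r"(mssql|sqlserver|msexchange|veeam|office|clicktorun)", re.I)
SERVICE_STOP_THRESHOLD = 3   # distinct targeted services stopped ...
SERVICE_STOP_WINDOW = 60     # ... within this many seconds triggers an alert


def check_driver_load(ev):
    """Sysmon-style DriverLoad: flag blocklisted hashes and unusual load paths."""
    image = ev["image"].lower()
    if ev.get("hash") in DRIVER_BLOCKLIST:
        return f"blocklisted driver loaded: {ev['image']}"
    if not image.startswith(TRUSTED_DRIVER_DIRS):
        return f"driver loaded from untrusted path: {ev['image']}"
    return None


def check_process_create(ev):
    """Sysmon-style ProcessCreate: flag dual-use tools and cloud storage endpoints."""
    name = ev["image"].rsplit("\\", 1)[-1].lower()
    cmdline = ev.get("cmdline", "")
    if name in DUAL_USE_TOOLS:
        return f"dual-use tool started: {name} ({cmdline})"
    if EXFIL_HOSTS.search(cmdline):
        return f"command line references cloud storage endpoint: {cmdline}"
    return None


def detect(events):
    """Return (timestamp, finding) tuples for an event stream sorted by time."""
    findings = []
    recent_stops = deque()  # (ts, service) pairs inside the sliding window
    for ev in sorted(events, key=lambda e: e["ts"]):
        msg = None
        if ev["id"] == 6:
            msg = check_driver_load(ev)
        elif ev["id"] == 1:
            msg = check_process_create(ev)
        elif ev["id"] == 7036 and ev["state"] == "stopped" and TARGET_SERVICES.search(ev["service"]):
            recent_stops.append((ev["ts"], ev["service"]))
            while recent_stops and ev["ts"] - recent_stops[0][0] > SERVICE_STOP_WINDOW:
                recent_stops.popleft()
            stopped = {s for _, s in recent_stops}
            if len(stopped) >= SERVICE_STOP_THRESHOLD:
                msg = f"mass service shutdown ({len(stopped)} in {SERVICE_STOP_WINDOW}s): {sorted(stopped)}"
                recent_stops.clear()  # report each burst once
        if msg:
            findings.append((ev["ts"], msg))
    return findings


# Constructed sample telemetry (not real data); timestamps are seconds.
SAMPLE_EVENTS = [
    {"ts": 100, "id": 6, "image": "C:\\Windows\\System32\\drivers\\tcpip.sys", "hash": "sha256:benign0"},
    {"ts": 110, "id": 1, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"ts": 120, "id": 1, "image": "C:\\Users\\Public\\kaz.exe", "cmdline": "kaz.exe"},
    {"ts": 130, "id": 1, "image": "C:\\ProgramData\\rclone.exe", "cmdline": "rclone.exe copy D:\\Shares remote:bucket"},
    {"ts": 135, "id": 1, "image": "C:\\Windows\\System32\\curl.exe", "cmdline": "curl.exe https://s3.wasabisys.com/"},
    {"ts": 140, "id": 6, "image": "C:\\Windows\\Temp\\drv.sys", "hash": "sha256:PLACEHOLDER_VULNERABLE_DRIVER_HASH"},
    {"ts": 145, "id": 6, "image": "C:\\Users\\Public\\helper.sys", "hash": "sha256:unknown1"},
    {"ts": 150, "id": 7036, "service": "MSSQLSERVER", "state": "stopped"},
    {"ts": 152, "id": 7036, "service": "MSExchangeIS", "state": "stopped"},
    {"ts": 155, "id": 7036, "service": "VeeamBackupSvc", "state": "stopped"},
    {"ts": 160, "id": 7036, "service": "Spooler", "state": "stopped"},  # not a targeted service
]

if __name__ == "__main__":
    for ts, finding in detect(SAMPLE_EVENTS):
        print(f"t={ts:>4}  {finding}")
```

The service-shutdown rule is the one worth tuning in a real environment: a single stopped service is routine, but three or more of the database, mail and backup services stopping within a minute is the pattern the post describes and is rarely legitimate outside a maintenance window. The driver rule deliberately checks the hash first, so a blocklisted driver is reported as such even when it is copied into a trusted directory.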

Conclusion

The Osiris ransomware campaign highlights that attackers are no longer just trying to "hide" from antivirus; they are actively "killing" it. As the extortion ecosystem expands, organizations must shift from simple detection to a Zero Trust architecture that assumes the perimeter has already been breached.

Kian Technologies
Become a Malware Analysis Expert As hackers switch to modern languages like Golang to build evasive tools, the industry needs experts who can deconstruct and stop these threats. Join the Best Ethical Hacking Institute in Bhilai & Raipur: Learn Malware Analysis, Reverse Engineering, and Advanced Threat Hunting. Enroll now to start your journey in Cybersecurity!


4 Comments

Sonal Jain (24 Jan 2026, 03:30 PM)

This blog is a life-saver for security researchers. Detailed and concise.

Amit Mehra (24 Jan 2026, 02:30 PM)

Practical mitigations mentioned here are very useful for small businesses.

Rohan Joshi (24 Jan 2026, 11:30 AM)

Interesting read on the Osiris ransomware. The POORTRY driver is a serious threat.

Sonal Jain (24 Jan 2026, 01:30 AM)

The point about homoglyph attacks (rn vs m) is something everyone should watch out for.