The PolySwarm Blog


Osiris Ransomware

Jan 30, 2026 12:41:59 PM / by The Hivemind

Verticals Targeted: Food & Beverage
Regions Targeted: Southeast Asia
Related Families: Inc

Executive Summary

A new ransomware family named Osiris was deployed in November 2025 against a major food service franchisee operator in Southeast Asia. Strong tactical and tooling similarities, particularly the reuse of specific Mimikatz filenames and Wasabi cloud exfiltration, strongly suggest that experienced actors previously associated with Inc ransomware operations are behind this new family.

Key Takeaways

  • The campaign involved deployment of a custom-signed malicious driver (Abyssworker / Poortry) most likely used for BYOVD defense evasion techniques.
  • Researchers noted use of a heavily modified Rustdesk binary masquerading as WinZip Remote Desktop.
  • Evidence exists of clear tactical and artifact overlap with previous Inc ransomware operations.
  • Osiris is a very capable hybrid encryption ransomware using ECC + AES-128-CTR with per-file keys and flexible encryption modes.

What is Osiris?

In November 2025, a previously unseen ransomware family called Osiris was used in a targeted attack against a major food service franchisee operator in Southeast Asia. While the name Osiris was previously used by a 2016 Locky variant, current analysis shows no code or operational relationship with that older family. Symantec and Carbon Black recently reported on this new Osiris ransomware. 

The ransomware itself demonstrates a mature and well-thought-out design. Osiris employs a hybrid encryption scheme combining ECC with AES-128-CTR, generating a unique AES key for each encrypted file. Encryption can be performed in two modes, partial (head) or full, selected via command-line parameters. The ransomware deliberately avoids encrypting critical system files and folders and excludes a long list of file extensions commonly associated with executables, libraries, and media files.

After encryption, affected files receive the .Osiris extension. The ransomware deletes Volume Shadow Copies and is capable of terminating a wide range of processes and services, especially database, backup, mail, office, and browser-related processes, in order to maximize impact and hinder recovery.

Command-line flexibility is relatively high, allowing operators to specify individual files or paths for encryption, control logging, selectively disable or skip Hyper-V virtual machines, and choose between partial and full encryption modes.
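As an added triage example (not code from the bulletin or from PolySwarm), the script below walks a directory, flags files carrying the .Osiris extension, and compares byte entropy of the file head with the remainder to tell the partial (head) mode from full encryption. The 4 KiB head window and the 7.5 bits/byte threshold are assumptions; the bulletin states neither, and the sample files are constructed.

```python
import math
import os
import tempfile
from collections import Counter

OSIRIS_EXT = ".Osiris"   # extension appended to encrypted files (from the bulletin)
HEAD_BYTES = 4096        # assumed size of the "head" window; real value not stated
HIGH_ENTROPY = 7.5       # assumed bits/byte cut-off; ciphertext sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_file(path: str) -> str:
    """Return 'head', 'full' or 'plain' from entropy of the head versus the tail."""
    with open(path, "rb") as f:
        head = f.read(HEAD_BYTES)
        tail = f.read()
    head_hi = shannon_entropy(head) >= HIGH_ENTROPY
    # A file shorter than the head window has no tail; judge it by the head alone.
    tail_hi = shannon_entropy(tail) >= HIGH_ENTROPY if tail else head_hi
    if head_hi and tail_hi:
        return "full"
    if head_hi:
        return "head"
    return "plain"

def triage_tree(root: str) -> dict:
    """Map every *.Osiris file under root to its apparent encryption mode."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(OSIRIS_EXT):
                path = os.path.join(dirpath, name)
                findings[os.path.relpath(path, root)] = classify_file(path)
    return findings

def build_sample_tree() -> str:
    """Constructed sample data: one head-only, one fully scrambled, one untouched file."""
    root = tempfile.mkdtemp()
    text = b"quarterly sales figures, store 17\n" * 512   # low-entropy plaintext
    with open(os.path.join(root, "report.xlsx" + OSIRIS_EXT), "wb") as f:
        f.write(os.urandom(HEAD_BYTES) + text[HEAD_BYTES:])  # head mode
    with open(os.path.join(root, "menu.pdf" + OSIRIS_EXT), "wb") as f:
        f.write(os.urandom(len(text)))                        # full mode
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(text)                                         # untouched, no extension
    return root
```

Entropy alone cannot prove a file was encrypted by Osiris; pairing this with the extension rename and the process-kill and shadow-copy activity the bulletin describes gives a stronger signal.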

The attack chain shows clear signs of experienced operators. Several days before ransomware deployment, attackers performed data exfiltration using Rclone to Wasabi cloud storage buckets, a technique previously observed in multiple Inc ransomware intrusions. The attackers also reused a specific Mimikatz variant previously used by Inc operators, strengthening the hypothesis of direct operational continuity or strong knowledge transfer from the Inc ransomware ecosystem.

Living-off-the-land and dual-use tooling was heavily utilized, including Netscan, Netexec, and MeshAgent. A custom-modified version of the legitimate Rustdesk remote access tool was deployed. The binary was altered to masquerade as “WinZip Remote Desktop” in a clear attempt to evade detection and blend into normal administrative activity.

Most notably, the attackers brought their own vulnerable driver, known as Abyssworker or Poortry, which was almost certainly used to perform a bring-your-own-vulnerable-driver (BYOVD) attack to disable endpoint security products. Poortry has been seen before, notably in several Medusa ransomware campaigns, but is somewhat unusual in that it appears to be a driver custom-developed by attackers that was subsequently signed, rather than the more common practice of abusing legitimate signed vulnerable drivers.

The overall picture that emerges is of a well-resourced and experienced threat actor, very likely previously associated with Inc ransomware operations, introducing a technically capable new ransomware family to the ecosystem. The combination of sophisticated encryption, aggressive defense evasion using a signed malicious driver, careful living-off-the-land usage, and clear tactical and artifact overlap with Inc strongly suggests that seasoned ransomware operators are behind Osiris. PolySwarm analysts consider Osiris to be an emerging threat. 

IOCs

PolySwarm has multiple samples associated with this activity.
