Regions Targeted: Southeast Asia
Related Families: Inc
Key Takeaways
What is Osiris?
The ransomware itself demonstrates a mature and well thought out design. Osiris employs a hybrid encryption scheme combining ECC with AES-128-CTR, generating a unique AES key for each encrypted file. Encryption can be performed in two modes: partial (head) or full, controlled via command-line parameters. The ransomware deliberately avoids encrypting critical system files and folders and excludes a long list of file extensions commonly associated with executables, libraries, and media files.
After encryption, affected files receive the .Osiris extension. The ransomware deletes Volume Shadow Copies and is capable of terminating a wide range of processes and services, especially database, backup, mail, office, and browser-related processes, in order to maximize impact and hinder recovery.
Command-line flexibility is relatively high, allowing operators to specify individual files or paths for encryption, control logging, selectively disable or skip Hyper-V virtual machines, and choose between partial and full encryption modes.
The attack chain shows clear signs of experienced operators. Several days before ransomware deployment, attackers performed data exfiltration using Rclone to Wasabi cloud storage buckets, a technique previously observed in multiple Inc ransomware intrusions. The attackers also reused a specific Mimikatz variant previously used by Inc operators, strengthening the hypothesis of direct operational continuity or strong knowledge transfer from the Inc ransomware ecosystem.
Living-off-the-land and dual-use tooling was heavily utilized, including Netscan, Netexec, and MeshAgent. A custom-modified version of the legitimate Rustdesk remote access tool was deployed. The binary was altered to masquerade as “WinZip Remote Desktop” in a clear attempt to evade detection and blend into normal administrative activity.
Most notably, the attackers brought their own vulnerable driver, known as Abyssworker or Poortry, which was almost certainly used to perform a bring-your-own-vulnerable-driver (BYOVD) attack to disable endpoint security products. Poortry has been seen before, notably in several Medusa ransomware campaigns, but is somewhat unusual in that it appears to be a driver custom-developed by attackers that was subsequently signed, rather than the more common practice of abusing legitimate signed vulnerable drivers.
The overall picture that emerges is of a well-resourced and experienced threat actor, very likely previously associated with Inc ransomware operations, introducing a technically capable new ransomware family to the ecosystem. The combination of sophisticated encryption, aggressive defense evasion using a signed malicious driver, careful living-off-the-land usage, and clear tactical and artifact overlap with Inc strongly suggests that seasoned ransomware operators are behind Osiris. PolySwarm analysts consider Osiris to be an emerging threat.
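The behaviours described above (shadow-copy deletion, mass renames to the .Osiris extension, Rclone exfiltration to Wasabi, the RustDesk build relabelled "WinZip Remote Desktop", and a driver loaded from an unusual location) map onto a handful of detection heuristics. The following Python is an added example, not PolySwarm's code: it runs those heuristics over a constructed inline sample of EDR-style events and returns the alerts raised. The event schema, field names, hosts, file paths and timestamps are assumptions; the shadow-copy command lines and the "drivers outside System32" check are common heuristics the report itself does not state; the SHA-256 values are the IOCs listed below, and the pairing of one of them with a sample path is constructed for the demo.

```python
"""Added example (not PolySwarm's code): detection heuristics for the Osiris
intrusion pattern, run over a constructed inline telemetry sample. Event
schema, hosts, paths and timestamps are assumptions; the SHA-256 values are
the IOCs from this report (which does not map them to components)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

OSIRIS_IOC_SHA256 = {
    "44748c22baec61a0a3bd68b5739736fa15c479a3b28c1a0f9324823fc4e3fe34",
    "44e007741f7650d1bd04cca3cd6dfd4f32328c401f95fb2d6d1fafce624cc99e",
    "5bd82a1b2db1bdc8ff74cacb53823edd8529dd9311a4248a86537a5b792939f8",
    "8c378f6200eec750ed66bde1e54c29b7bd172e503a5874ca2eead4705dd7b515",
    "c189595c36996bdb7dce6ec28cf6906a00cbb5c5fe182e038bf476d74bed349e",
    "d78f7d9b0e4e1f9c6b061fb0993c2f84e22c3e6f32d9db75013bcfbba7b64bc3",
}
# Common shadow-copy deletion command lines (assumed; the report only says copies are deleted).
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
MASQUERADE_PRODUCT = "WinZip Remote Desktop"   # product string reported for the modified RustDesk build
WASABI_HOST_RE = re.compile(r"(^|\.)wasabisys\.com$", re.I)  # Wasabi S3 endpoint domain
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"  # assumed heuristic: drivers loaded from elsewhere are flagged
RENAME_THRESHOLD, RENAME_WINDOW = 50, timedelta(minutes=5)  # assumed tuning values


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect(events):
    """Return a list of (rule, host, detail) alerts for the given events."""
    alerts = []
    rename_times = defaultdict(list)  # host -> timestamps of .Osiris renames inside the window
    for e in sorted(events, key=_ts):
        host, kind = e["host"], e["type"]
        if e.get("sha256") in OSIRIS_IOC_SHA256:
            alerts.append(("ioc_hash_match", host, e.get("image") or e.get("driver")))
        if kind == "process":
            if SHADOW_DELETE_RE.search(e.get("cmdline", "")):
                alerts.append(("shadow_copy_deletion", host, e["cmdline"]))
            if e.get("product_name") == MASQUERADE_PRODUCT:
                alerts.append(("masqueraded_rmm", host, e["image"]))
        elif kind == "network":
            if (e.get("image", "").lower().endswith("rclone.exe")
                    and WASABI_HOST_RE.search(e.get("dest_host", ""))):
                alerts.append(("rclone_to_wasabi", host, e["dest_host"]))
        elif kind == "driver_load":
            if not e["driver"].lower().startswith(DRIVER_DIR):
                alerts.append(("driver_load_unusual_path", host, e["driver"]))
        elif kind == "file_rename" and e["new_path"].lower().endswith(".osiris"):
            window = rename_times[host]
            window.append(_ts(e))
            while window and window[-1] - window[0] > RENAME_WINDOW:
                window.pop(0)  # slide the window forward, dropping old renames
            if len(window) == RENAME_THRESHOLD:  # fire once, as the threshold is crossed
                alerts.append(("mass_osiris_rename", host, f"{len(window)} renames within {RENAME_WINDOW}"))
    return alerts


def alert_counts(alerts):
    """Count alerts per rule, handy as a triage summary."""
    return Counter(rule for rule, _, _ in alerts)


# Constructed sample telemetry: exfiltration days earlier, then the RMM tool, driver,
# IOC-matching binary, shadow-copy deletion and mass rename on deployment day.
SAMPLE_T0 = datetime(2025, 1, 15, 2, 0, 0)
SAMPLE_EVENTS = [
    {"type": "network", "ts": "2025-01-11T22:14:05", "host": "FS01",
     "image": "C:\\Users\\Public\\rclone.exe", "dest_host": "s3.ap-southeast-1.wasabisys.com", "dest_port": 443},
    {"type": "process", "ts": "2025-01-14T19:02:11", "host": "FS01", "image": "C:\\ProgramData\\WinZip\\wzrd.exe",
     "product_name": "WinZip Remote Desktop", "cmdline": "wzrd.exe --service"},
    {"type": "driver_load", "ts": "2025-01-15T01:55:40", "host": "FS01", "driver": "C:\\Users\\Public\\tmp\\drv.sys"},
    {"type": "process", "ts": "2025-01-15T01:58:03", "host": "FS01", "image": "C:\\Users\\Public\\sample.exe",
     "cmdline": "sample.exe",  # hash is from the IOC list; its pairing with this path is constructed
     "sha256": "44748c22baec61a0a3bd68b5739736fa15c479a3b28c1a0f9324823fc4e3fe34"},
    {"type": "process", "ts": "2025-01-15T01:58:30", "host": "FS01", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "ts": "2025-01-15T01:59:00", "host": "WS07", "image": "C:\\Windows\\notepad.exe",
     "cmdline": "notepad.exe report.txt"},  # benign control event
] + [
    {"type": "file_rename", "ts": (SAMPLE_T0 + timedelta(seconds=i)).isoformat(), "host": "FS01",
     "old_path": f"D:\\share\\doc{i}.docx", "new_path": f"D:\\share\\doc{i}.docx.Osiris"}
    for i in range(60)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The rename rule keeps a per-host sliding window rather than a lifetime counter, so a slow trickle of legitimately renamed files never fires while a burst of 50 within five minutes does; the thresholds are tuning values to adjust to the environment. The IOC match is independent of event type, so a hash from the list raises an alert whether it arrives on a process, driver or file event.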
IOCs
PolySwarm has multiple samples associated with this activity.
44748c22baec61a0a3bd68b5739736fa15c479a3b28c1a0f9324823fc4e3fe34
44e007741f7650d1bd04cca3cd6dfd4f32328c401f95fb2d6d1fafce624cc99e
5bd82a1b2db1bdc8ff74cacb53823edd8529dd9311a4248a86537a5b792939f8
8c378f6200eec750ed66bde1e54c29b7bd172e503a5874ca2eead4705dd7b515
c189595c36996bdb7dce6ec28cf6906a00cbb5c5fe182e038bf476d74bed349e
d78f7d9b0e4e1f9c6b061fb0993c2f84e22c3e6f32d9db75013bcfbba7b64bc3