Close Menu
Cybercrime and Ransomware

Osiris Ransomware Exploits Living Off the Land and Dual-Use Tools in Attacks

Staff WriterBy No Comments4 Mins Read3 Views

Quick Takeaways

  1. A new ransomware family called Osiris targeted a Southeast Asian food company in November 2025, utilizing advanced tactics and a diverse toolkit to infiltrate networks.
  2. The attack involved sophisticated techniques such as bringing-your-own-vulnerable-driver (BYOVD) methods with a custom driver called Poortry to disable security defenses at kernel level.
  3. Osiris employed a hybrid encryption approach (ECC and AES-128-CTR) and employed tactics like data exfiltration via Rclone, while deleting backups and volume snapshots to hinder recovery.
  4. The operation demonstrated a high level of sophistication, combining legitimate utilities with custom malware, indicating an experienced threat group leveraging dual-use tools and complex attack chains.

Underlying Problem

In November 2025, a new ransomware family called Osiris launched a sophisticated attack against a major food service company in Southeast Asia. Security researchers confirmed that Osiris is a completely new malware variant, unrelated to earlier ransomware from 2016, signaling a troubling escalation in cyber threats targeting critical infrastructure. The attackers used a combination of legitimate Windows utilities and custom malicious tools, such as the credential extractor Mimikatz and Rclone for data theft, to infiltrate the network. They exploited a new malicious driver called Poortry—designed to impersonate legitimate software—to bypass security defenses through a technique known as a bring-your-own-vulnerable-driver attack, which allows the threat actors to disable endpoint protections at the kernel level.

The incident was uncovered by Symantec analysts, who observed technical similarities to previous Inc campaigns, including the use of similar filenames and data exfiltration methods. The hackers targeted backup systems, deleted snapshots, and encrypted files with advanced hybrid cryptography, demonstrating their high level of sophistication. Additionally, they maintained access using tools like Rustdesk disguised as WinZip, further complicating detection efforts. This attack highlights the increasing complexity and resourcefulness of cybercriminal groups, showcasing their ability to blend common tools with custom malware to evade detection and cause maximum disruption. The security community continues to investigate these techniques to better understand and counter such emerging threats.

Potential Risks

The rise of Osiris ransomware, which leverages a wide range of living off the land and dual-use tools, poses a serious threat to any business. Such attacks can bypass traditional security measures because they use legitimate system tools built into the operating system, making detection difficult. If your business falls victim, it can lead to encrypted files, operational downtime, and data loss. Furthermore, attackers often demand hefty ransoms, potentially causing significant financial harm. These breaches can also damage your reputation, eroding customer trust and confidence. Consequently, without proper defenses, any business, regardless of size or industry, faces the risk of costly disruption and long-term harm.

Possible Next Steps

Timely remediation is crucial in addressing the threat posed by New Osiris Ransomware, especially given its sophisticated use of living off the land (LotL) and dual-use tools, which can rapidly compromise networks and escalate damage if not swiftly contained. Rapid response minimizes downtime, limits data loss, and prevents attackers from establishing persistence within the network.

Mitigation Strategies

  • Continuous Monitoring: Implement real-time network and endpoint monitoring to detect suspicious activities associated with LotL tools and dual-use software.

  • User Education: Regularly train staff to recognize phishing attempts and malicious behaviors that could introduce or facilitate ransomware deployment.

  • Privilege Management: Enforce least privilege access controls to restrict the use of enhanced permissions that could be exploited by attackers.

  • Application Whitelisting: Use strict application control policies to prevent unauthorized or malicious tools from executing.

  • Patch Management: Keep all systems updated with current patches to close vulnerabilities that adversaries could exploit with dual-use tools.

Remediation Steps

  • Incident Response Plan Activation: Immediately follow a pre-established plan to contain and investigate the ransomware incident.

  • Isolation: Disconnect affected systems from the network to prevent lateral movement and further infection.

  • Root Cause Analysis: Identify how the malware entered the system and which tools were used to facilitate the attack.

  • Restore from Backup: Recover encrypted or compromised data from verified, clean backups to restore operations efficiently.

  • Post-Incident Review: Conduct a thorough analysis to improve defenses, update policies, and reinforce awareness to prevent future attacks.

Advance Your Cyber Knowledge

Explore career growth and education via Careers & Learning, or dive into Compliance essentials.

Understand foundational security frameworks via NIST CSF on Wikipedia.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1cyberattack-v1-multisource

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.