New Osiris Ransomware Emerges as New Strain Using POORTRY Driver in BYOVD Attack

Security Reporter

Security researchers uncover a novel ransomware strain called Osiris using custom POORTRY drivers in BYOVD attacks to disable security tools, with links to previous INC ransomware operations.

Cybersecurity teams at Symantec and Carbon Black have identified a previously undocumented ransomware variant named Osiris actively targeting organizations in Southeast Asia. Unlike the 2016 ransomware of the same name, this new strain employs sophisticated techniques including a custom POORTRY driver for Bring Your Own Vulnerable Driver (BYOVD) attacks. This approach allows threat actors to bypass endpoint security by exploiting trusted driver mechanisms to terminate defensive processes.

Technical Execution and Attack Chain

The attack begins with data exfiltration to Wasabi cloud storage buckets using Rclone, followed by deployment of dual-use tools including Netscan, Netexec, MeshAgent, and a modified Rustdesk client. The POORTRY driver, purpose-built for malicious use rather than a repurposed legitimate vulnerable driver, performs privilege escalation and systematically disables security services. Osiris then activates its hybrid encryption engine, which generates a unique key per file, and terminates processes related to:

  • Microsoft Office, Exchange, and Volume Shadow Copy
  • Veeam backup solutions
  • Firefox, Notepad, and other common applications

Researchers found tactical overlaps with INC ransomware operations, including identical Mimikatz filenames (kaz.exe) and exfiltration patterns. "The combination of living-off-the-land techniques and a purpose-built driver suggests experienced attackers familiar with evasion tactics," states the Symantec and Carbon Black Threat Hunter Team report.

Evolving Ransomware Landscape

The discovery coincides with a 0.8% year-over-year increase in ransomware attacks (4,737 incidents in 2025). Notable trends include:

  • Akira ransomware exploiting SonicWall VPN vulnerabilities during mergers/acquisitions
  • LockBit 5.0 adopting a two-stage deployment model separating loader from payload
  • Makop attacks using GuLoader for first-stage delivery alongside BYOVD drivers
  • Obscura ransomware rendering files >1GB permanently unrecoverable due to encryption flaws

Critical Defensive Measures

Organizations should implement these countermeasures based on observed TTPs:

  1. Restrict RDP access: Enforce network-level controls and MFA for remote access
  2. Monitor dual-use tools: Flag unexpected usage of Netscan, Netexec, Rclone, or Rustdesk
  3. Driver control policies: Block unauthorized driver installations via application allowlisting
  4. Backup resilience: Maintain offline, geographically separated backups with immutable storage
  5. Endpoint hardening: Deploy solutions that detect driver-based privilege escalation attempts
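The attack chain above (POORTRY driver load, dual-use tooling, Rclone exfiltration to Wasabi, the kaz.exe Mimikatz filename) and countermeasures 2, 3 and 5 both come down to the same telemetry: driver-load and process-creation events from endpoints. The following triage script is an added example, not code from the article or from the Symantec and Carbon Black team. It runs over a few constructed Sysmon-style records (Event ID 6 DriverLoad and Event ID 1 ProcessCreate, using Sysmon's field names) and flags drivers that are unsigned, signed by a publisher outside a hypothetical allowlist, or loaded from outside the system driver directory, plus executions of the dual-use tools named in the article. The signer allowlist, host names, paths and command lines are all assumptions constructed for the demo; `nxc` is included because it is NetExec's command-line binary name, and `wasabisys.com` is Wasabi's S3 endpoint domain.

```python
"""Triage constructed Sysmon-style events for two TTPs described in the article:
BYOVD-style driver loads and execution of dual-use tooling (example code)."""
import json
import re

# Hypothetical allowlist of driver publishers the organization expects to see.
TRUSTED_DRIVER_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}
# Drivers loaded from anywhere else deserve a look even when the signature is valid.
SYSTEM_DRIVER_DIR = r"C:\Windows\System32\drivers\\"[:-1]

# Tool names taken from the article; each regex matches the image file name only.
DUAL_USE_TOOLS = {
    "rclone": re.compile(r"(^|\\)rclone(\.exe)?$", re.I),
    "netscan": re.compile(r"(^|\\)netscan(\.exe)?$", re.I),
    "netexec": re.compile(r"(^|\\)(netexec|nxc)(\.exe)?$", re.I),
    "meshagent": re.compile(r"(^|\\)meshagent(\.exe)?$", re.I),
    "rustdesk": re.compile(r"(^|\\)rustdesk(\.exe)?$", re.I),
    "kaz.exe": re.compile(r"(^|\\)kaz\.exe$", re.I),
}
WASABI_ENDPOINT = re.compile(r"wasabisys\.com", re.I)

# Constructed sample log: one JSON record per line, Sysmon field names, fake host/users.
SAMPLE_LOG = r"""
{"EventID": 6, "Computer": "WS01", "ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 6, "Computer": "WS01", "ImageLoaded": "C:\\Users\\Public\\hw.sys", "Signed": "true", "Signature": "Example Hardware Ltd", "SignatureStatus": "Valid"}
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Tools\\rclone.exe", "CommandLine": "rclone.exe copy D:\\Share remote:bucket --s3-endpoint s3.wasabisys.com", "User": "CORP\\svc_backup"}
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\Temp\\kaz.exe", "CommandLine": "kaz.exe", "User": "CORP\\admin"}
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "CommandLine": "firefox.exe", "User": "CORP\\jdoe"}
"""


def load_events(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage_driver_load(event):
    """Return a finding for a DriverLoad (Event ID 6) record, or None if it looks benign."""
    image = event.get("ImageLoaded", "")
    signer = event.get("Signature", "")
    reasons = []
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    elif signer not in TRUSTED_DRIVER_SIGNERS:
        reasons.append(f"signer not allowlisted: {signer}")
    if not image.lower().startswith(SYSTEM_DRIVER_DIR.lower()):
        reasons.append("loaded from outside the system driver directory")
    if not reasons:
        return None
    return {"rule": "suspicious_driver_load", "host": event.get("Computer"),
            "detail": image, "reasons": reasons}


def triage_process_create(event):
    """Return a finding for a ProcessCreate (Event ID 1) record naming a dual-use tool."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    for tool, pattern in DUAL_USE_TOOLS.items():
        if pattern.search(image):
            finding = {"rule": "dual_use_tool", "host": event.get("Computer"),
                       "detail": f"{tool} run by {event.get('User')}",
                       "reasons": [f"{tool} executed"]}
            # Rclone is legitimate backup tooling; a Wasabi endpoint on the command
            # line matches the exfiltration path described in the article.
            if tool == "rclone" and WASABI_ENDPOINT.search(cmdline):
                finding["reasons"].append("rclone targets a Wasabi endpoint (cloud exfiltration path)")
            return finding
    return None


def triage(events):
    """Dispatch each record to the matching rule and collect findings in log order."""
    findings = []
    for event in events:
        event_id = event.get("EventID")
        finding = None
        if event_id == 6:
            finding = triage_driver_load(event)
        elif event_id == 1:
            finding = triage_process_create(event)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(load_events(SAMPLE_LOG)):
        print(f"[{f['rule']}] {f['host']}: {f['detail']} ({'; '.join(f['reasons'])})")
```

The path check is deliberate: because POORTRY was built for the operation rather than lifted from a vendor, a signer allowlist alone is only as good as the publisher list, so a driver loading from a user-writable directory is flagged even when its signature verifies. In production the same logic would consume a SIEM query rather than an inline string, and the Rclone rule would be tuned against the hosts and accounts legitimately running backups.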

"While encryption remains prevalent, attackers increasingly blend data theft, loader techniques, and encryptionless extortion," warns the research team. Proactive monitoring of driver-level activity and cloud exfiltration paths is now essential against evolving ransomware ecosystems.