PROBABLYPWNED
Malware | January 24, 2026 | 4 min read

Osiris Ransomware Uses Custom Driver to Kill Security Tools

New ransomware family employs BYOVD technique with POORTRY driver to disable endpoint protection. Evidence links operators to Inc ransomware campaigns.

James Rivera

A previously undocumented ransomware family called Osiris surfaced in a November 2025 attack against a Southeast Asian food service company. The operators deployed a custom malicious driver to terminate security software before encrypting systems—a technique that's becoming the default approach for professional ransomware crews.

Security researchers analyzing the intrusion found evidence suggesting the attackers may have ties to the Inc ransomware operation. If that connection holds, Osiris represents a rebranding or spinoff rather than a genuinely new threat group.

The BYOVD Attack

Bring-your-own-vulnerable-driver (BYOVD) attacks exploit the trust Windows places in signed kernel drivers. Normally, ransomware operators load a legitimate driver with known vulnerabilities, then exploit those flaws to gain kernel access. The Osiris operators took a different approach.

Instead of abusing a vulnerable legitimate driver, they deployed POORTRY—a custom-built driver designed specifically for privilege escalation and terminating security processes. POORTRY operates at kernel level, giving it the access needed to kill endpoint detection and response (EDR) tools before they can flag the ransomware activity.

The attackers also used KillAV, a tool purpose-built for deploying vulnerable drivers and terminating security software. Between POORTRY and KillAV, the operators could neutralize most endpoint protection products before beginning encryption.

Microsoft has added detection for this threat as Ransom:Win64/Osiris.YBG!MTB.

Attack Chain

The Osiris intrusion followed a pattern familiar to anyone who tracks ransomware operations:

Data Exfiltration: Before encryption, attackers used Rclone to steal data to Wasabi cloud storage buckets. Exfiltration occurred several days before ransomware deployment—typical for modern double-extortion operations.

Reconnaissance and Movement: The operators deployed Netscan and Netexec for network discovery. MeshAgent provided remote access capabilities.

Persistence: A modified version of RustDesk, disguised as "WinZip Remote Desktop," gave attackers ongoing access. The custom branding represents basic but effective detection evasion.

Encryption: Osiris uses a hybrid encryption scheme combining ECC and AES-128-CTR, with unique keys generated per file. The malware terminates specific processes before encrypting—Microsoft Office, Exchange, Firefox, Notepad, Volume Shadow Copy, and Veeam backup services.

Links to Inc Ransomware

Researchers found operational overlaps suggesting a connection to Inc ransomware (also tracked as Warble). The evidence includes the use of Wasabi for exfiltration, consistent with Inc operations, and a Mimikatz variant with the identical filename (kaz.exe) previously observed in Inc attacks.

These indicators don't prove shared operators, but they suggest at minimum that whoever runs Osiris learned from Inc's playbook—or worked directly on Inc campaigns before launching their own operation.

For context on how ransomware groups evolve and rebrand, we've previously covered the broader landscape of ransomware operations and the tactics these groups employ. Osiris fits the pattern of professionalization that's made ransomware the dominant cybercriminal business model.

BYOVD as the New Normal

BYOVD has become the default technique for defense evasion among professional ransomware operators. Signed drivers bypass Windows security controls, and kernel access lets attackers terminate security tools that would otherwise detect and block encryption.

The PDFSider campaign we covered recently demonstrated similar sophisticated techniques in service of Qilin ransomware deployment. Ransomware crews are investing heavily in their ability to defeat endpoint protection.

Organizations relying solely on EDR face a strategic disadvantage. Defense-in-depth matters: driver allowlisting, behavioral monitoring for kernel callbacks, application control policies, and network segmentation all contribute to detection and containment.

Mitigations

  1. Implement driver allowlisting. Restricting which drivers can load makes BYOVD attacks significantly harder.

  2. Monitor for anomalous RustDesk usage. The custom variant used in this attack can be detected through behavioral analysis even when disguised.

  3. Audit loaded drivers. Tools like DriverQuery can identify suspicious drivers. Block known POORTRY signatures in EDR policies.

  4. Enable Microsoft's driver blocklist. Microsoft maintains a list of known-vulnerable drivers that Windows can refuse to load.

  5. Maintain offline backups. Osiris specifically terminates Veeam services—attackers know which backup solutions to target.

  6. Segment backup infrastructure. Backups accessible from production networks aren't backups; they're future ransomware victims.
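The following is an added example, not code from the article or from any vendor: it turns mitigations 1, 3 and 4 into triage logic over Sysmon Event ID 6 (DriverLoad) records, checking each loaded driver against a local allowlist and a known-bad hash blocklist and flagging unsigned or unknown drivers. The hashes, paths and records are constructed placeholders, and the flattened "Key: Value|Key: Value" record layout is an assumption for the example.

```python
# Added example, not from the article: triage Sysmon Event ID 6 (DriverLoad)
# records against a driver allowlist and a known-bad hash blocklist, which is
# the logic behind mitigations 1, 3 and 4. Hashes, paths and records are
# constructed placeholders; the "Key: Value|Key: Value" layout is assumed.
from dataclasses import dataclass

ALLOWLIST = {"a" * 64}   # placeholder SHA256 of an approved driver
BLOCKLIST = {"b" * 64}   # placeholder SHA256 of a known-bad driver (blocklist)


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    sig_status: str


def parse_event(record: str) -> DriverLoad:
    """Parse one flattened DriverLoad record into a DriverLoad."""
    fields = {}
    for part in record.split("|"):
        key, _, value = part.partition(":")  # first ':' only, so paths keep theirs
        fields[key.strip()] = value.strip()
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    return DriverLoad(
        image=fields["ImageLoaded"],
        sha256=hashes.get("SHA256", "").lower(),
        signed=fields.get("Signed", "false").lower() == "true",
        sig_status=fields.get("SignatureStatus", "Unavailable"),
    )


def classify(ev: DriverLoad) -> str:
    """Order matters: a blocklisted hash wins even if someone allowlisted it."""
    if ev.sha256 in BLOCKLIST:
        return "BLOCK:blocklisted"
    if ev.sha256 in ALLOWLIST:
        return "ALLOW"
    if not ev.signed or ev.sig_status != "Valid":
        return "ALERT:unsigned-or-invalid"
    return "ALERT:signed-not-allowlisted"  # validly signed yet unknown: BYOVD candidate


def audit(records):
    return [(ev.image, classify(ev)) for ev in map(parse_event, records)]


SAMPLE_RECORDS = [  # constructed records, not real telemetry
    "ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys|Hashes: SHA256=" + "a" * 64 + "|Signed: true|SignatureStatus: Valid",
    "ImageLoaded: C:\\Users\\Public\\tmp\\svc.sys|Hashes: SHA256=" + "c" * 64 + "|Signed: false|SignatureStatus: Unavailable",
    "ImageLoaded: C:\\ProgramData\\upd\\kav.sys|Hashes: SHA256=" + "d" * 64 + "|Signed: true|SignatureStatus: Valid",
    "ImageLoaded: C:\\Windows\\Temp\\drv.sys|Hashes: SHA256=" + "b" * 64 + "|Signed: true|SignatureStatus: Valid",
]

if __name__ == "__main__":
    for image, verdict in audit(SAMPLE_RECORDS):
        print(f"{verdict:30} {image}")
```

A validly signed driver that is not on the allowlist is the case that matters for BYOVD, since a signature alone proves nothing about whether the driver should be loading on that host.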

Organizations should review our ransomware defense guide for foundational protection strategies that address the full ransomware kill chain.
