Osiris: New Ransomware, Experienced Attackers?
Essential information
- Published
- 23/01/2026 10:08
- Modified
- 23/01/2026 10:33
- Tags
- 2026-01-23 abyssworker byovd food service inc ransomware killav mimikatz osiris poortry ransomware rustdesk southeast asia wasabi
- Related entities
- 17 observables, 1 intrusion sets (apt), 10 techniques (mitre), 6 malware, 3 others
Description
A new ransomware called Osiris was used in an attack on a major food service franchisee operator in Southeast Asia in November 2025. The ransomware shares similarities with previous Inc ransomware attacks, including the use of Wasabi buckets for data exfiltration and a specific version of Mimikatz. Osiris has typical ransomware functions, uses a hybrid encryption scheme, and drops a ransom note. The attack chain involved data exfiltration using Rclone, deployment of dual-use tools, and the use of a malicious driver called Abyssworker or Poortry. The attackers employed bring-your-own-vulnerable-driver (BYOVD) techniques to disable security software. While the impact of Osiris on the ransomware landscape remains uncertain, it appears to be wielded by experienced attackers with potential links to Inc ransomware or its affiliates.