Osiris: New Ransomware, Experienced Attackers?
ID: 95d39625-d99c-568a-87fd-5e0999630769
STIX ID: report--95d39625-d99c-568a-87fd-5e0999630769
Feed Name: security.com
A newly identified Osiris ransomware family was used in November 2025 to target a major food-service franchisee in Southeast Asia; analysis by Symantec/Carbon Black describes its hybrid ECC+AES-128-CTR encryption, file- and service-targeting capabilities, VSS deletion, ransom note, and extensive use of living-off-the-land and dual-use tooling. The attackers exfiltrated data to Wasabi using Rclone, deployed a signed vulnerable driver (Poortry/Abyssworker) consistent with BYOVD techniques to disable security, used a Mimikatz binary named kaz.exe, and leveraged RMM/remote access tools. IoCs and hashes are provided, and potential links to Inc and Medusa-associated activity are noted.
