Osiris: New Ransomware Family Hits Southeast Asia

  • Writer: Security Team
  • 6 days ago
  • 2 min read


ICS Labs’ CTI identified activity from a new ransomware family named Osiris, observed in a targeted attack against a major food industry franchise operator in Southeast Asia in November 2025. Analyses indicate that this ransomware is possibly operated by experienced threat actors.


Threat Overview

The Osiris ransomware exhibits advanced capabilities typical of modern ransomware operations, including:

  • Interruption of critical services and processes

  • Deletion of snapshots

  • Selective file and directory encryption

  • Use of hybrid encryption (ECC + AES-128-CTR)


The malicious driver Poortry (Abyssworker), known for BYOVD attacks and previously associated with Medusa ransomware operations, was also observed. In addition to the technical capabilities of the payload, the campaign stands out for a clear overlap of tactics, techniques, and procedures (TTPs) with attacks previously attributed to the Inc ransomware group. Key points of convergence include data exfiltration to Wasabi cloud storage buckets and the use of a Mimikatz variant with the same filename (kaz.exe) already observed in that group's campaigns.

Furthermore, the attackers used legitimate tools such as Netscan, Rclone, Rustdesk, and RDP for lateral movement and data exfiltration. The use of KillAV for terminating security processes was also identified.


Recommended Actions

  • Monitor and block unauthorized use of tools such as Rclone

  • Restrict and audit the use of kernel drivers

  • Apply Application Control policies

  • Review RDP permissions and exposure

  • Enable alerts for the use of credential dumping tools (e.g., Mimikatz)


Hardening and Protection Measures

  • Implement protection against BYOVD (blocking vulnerable drivers)

  • Maintain EDR/XDR with kernel-level protection

  • Apply the principle of least privilege

  • Segment the network to reduce lateral movement impact

  • Perform regular and verified offline backups

  • Monitor the use of tools that may be repurposed for malicious activities


IOCs

INDICATOR                                                           TYPE
5c2f663c8369af70f727cccf6e19248c50d7c157fe9e4db220fbe2b73f75c713    Hash – Osiris (exe)
“.osiris”                                                           File extension
ausare[.]net                                                        Domain
wesir[.]net                                                         Domain
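As an added example (not part of the advisory), a small Python checker that turns the IOC table above and the tool names from the Recommended Actions into alerts over EDR-style telemetry. The event format, the sample events, and the default executable names for Rclone, Netscan and RustDesk are assumptions; only kaz.exe, the hash, the extension and the two domains come from the advisory.

```python
# Indicators from the advisory's IOC table, kept defanged as published
IOC_SHA256 = {"5c2f663c8369af70f727cccf6e19248c50d7c157fe9e4db220fbe2b73f75c713": "Osiris (exe)"}
IOC_DOMAINS_DEFANGED = ["ausare[.]net", "wesir[.]net"]
RANSOM_EXTENSION = ".osiris"
# Executable names to watch; kaz.exe is from the advisory, the others are assumed
# default binary names for the tools it lists (Rclone, Netscan, RustDesk)
WATCHED_TOOLS = {
    "kaz.exe": "credential dumping (Mimikatz variant)",
    "rclone.exe": "Rclone (possible cloud exfiltration)",
    "netscan.exe": "Netscan (network discovery)",
    "rustdesk.exe": "RustDesk (remote access tool)",
}

def refang(indicator):
    """Turn a defanged domain such as ausare[.]net into a matchable form."""
    return indicator.replace("[.]", ".").strip().lower()

IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

def check_event(event):
    """Return alert strings for one telemetry event (assumed EDR-style dict)."""
    alerts = []
    kind = event.get("type")
    if kind == "process":
        image = event.get("image", "")
        name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in WATCHED_TOOLS:
            alerts.append(f"{WATCHED_TOOLS[name]}: {image}")
        label = IOC_SHA256.get(event.get("sha256", "").lower())
        if label:
            alerts.append(f"known hash {label}: {image}")
    elif kind == "file" and event.get("path", "").lower().endswith(RANSOM_EXTENSION):
        alerts.append(f"ransomware extension written: {event['path']}")
    elif kind == "dns" and refang(event.get("query", "")) in IOC_DOMAINS:
        alerts.append(f"DNS query to Osiris domain: {event['query']}")
    return alerts

def scan(events):
    """Run every event through the checks; returns (host, alert) pairs."""
    return [(e.get("host", "?"), a) for e in events for a in check_event(e)]

# Constructed sample telemetry; hosts and the non-IOC hashes are invented
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "image": r"C:\Users\Public\kaz.exe", "sha256": "00" * 32},
    {"host": "ws01", "type": "process", "image": r"C:\Windows\notepad.exe", "sha256": "11" * 32},
    {"host": "fs02", "type": "process", "image": r"C:\Temp\update.exe",
     "sha256": "5c2f663c8369af70f727cccf6e19248c50d7c157fe9e4db220fbe2b73f75c713"},
    {"host": "fs02", "type": "file", "path": r"D:\Shares\finance\Q3.xlsx.osiris"},
    {"host": "fs02", "type": "dns", "query": "WESIR.net"},
    {"host": "ws03", "type": "dns", "query": "example.com"},
]

if __name__ == "__main__":
    for host, alert in scan(SAMPLE_EVENTS):
        print(f"[{host}] {alert}")
```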

Latest Updates

  • November 2025: The new Osiris ransomware was used in an attack against a major food company in Southeast Asia.

  • January 22, 2026: Websites such as The Hacker News and Security.com report on the ransomware and release technical details about the exploitation.

CONTACT

JOÃO PESSOA

 

Rua Jose Soares de Medeiros, 1620

Bloco E Módulos 2, 3 e 4, Térreo.

Cabedelo - PB - CEP: 58105-015

ICS Labs

Your best defense strategy

© 2025 ICS - Inorpel CyberSecurity