A new ransomware family called Osiris has emerged in a high‑profile attack against a Southeast Asian food service franchisee, first spotted in November 2025. According to Threat Hunter Team (Symantec and Carbon Black), Osiris deploys a sophisticated arsenal of “living off the land” tools and malicious drivers to disrupt its victim’s operations, including a BYOVD‑style driver masquerading as legitimate antivirus software.
Investigators note that while the name Osiris echoes a 2016 ransomware family, this threat appears to be a distinct and entirely new ransomware family with its own toolset. The attack chain shows potential links—or at least shared tradecraft—with the Inc ransomware group, including data exfiltration via Rclone to a Wasabi cloud storage bucket and the use of a Mimikatz variant named kaz[.]exe that was previously used by Inc operators.
Osiris also employs Poortry, a driver previously favoured by Medusa ransomware, and uses a hybrid encryption scheme of ECC + AES‑128‑CTR to encrypt files, preceded by the termination of critical processes such as SQL and Oracle databases and common productivity apps. The ransom note is titled Osiris-MESSAGE[.]txt and directs victims to a negotiation chat.
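The behaviours described above (the kaz[.]exe Mimikatz variant, Rclone exfiltration to Wasabi, database process termination, and the Osiris-MESSAGE[.]txt note) can be turned into simple correlation rules over endpoint telemetry. The following is an added illustration, not code from the report; the log format, hostnames, rule names and sample events are all constructed.

```python
import re
from collections import defaultdict

# Constructed endpoint telemetry for illustration (format: kind|host|detail);
# these lines are not from the Symantec report.
SAMPLE_EVENTS = [
    "proc|ws-07|C:\\Users\\Public\\kaz.exe sekurlsa::logonpasswords",
    "proc|srv-02|rclone.exe copy D:\\Finance wasabi:exfil-bucket --transfers 8",
    "net|srv-02|s3.wasabisys.com:443",
    "proc|srv-02|taskkill /F /IM sqlservr.exe",
    "proc|srv-02|taskkill /F /IM oracle.exe",
    "file|srv-02|D:\\Finance\\Osiris-MESSAGE.txt created",
    "proc|ws-07|C:\\Windows\\System32\\notepad.exe",
]

# Behaviours named in the report, expressed as (rule name, event kind, regex).
RULES = [
    ("mimikatz_variant_kaz", "proc", re.compile(r"(^|\\)kaz\.exe\b", re.I)),
    ("rclone_exfil", "proc", re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
    ("wasabi_upload", "net", re.compile(r"\.wasabisys\.com", re.I)),
    ("db_process_kill", "proc", re.compile(r"taskkill\b.*\b(sqlservr|oracle)\.exe", re.I)),
    ("osiris_ransom_note", "file", re.compile(r"Osiris-MESSAGE\.txt", re.I)),
]

def detect(events):
    """Return (host, rule_name) pairs for every event that matches a rule."""
    hits = []
    for line in events:
        kind, host, detail = line.split("|", 2)
        for name, rule_kind, pattern in RULES:
            if kind == rule_kind and pattern.search(detail):
                hits.append((host, name))
    return hits

def hosts_by_risk(events):
    """Group distinct rule hits per host; several distinct behaviours on one
    host is a much stronger signal than any single match."""
    per_host = defaultdict(set)
    for host, name in detect(events):
        per_host[host].add(name)
    return {h: sorted(r) for h, r in per_host.items()}

if __name__ == "__main__":
    for host, rules in hosts_by_risk(SAMPLE_EVENTS).items():
        print(f"{host}: {len(rules)} behaviours -> {', '.join(rules)}")
```

Real deployments would feed this from an EDR or SIEM export and alert on hosts that cross a threshold of distinct behaviours, since a single match (e.g. a legitimate Rclone backup) is common.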
According to the report, the impact of Osiris on the ransomware landscape remains to be seen, but its sophisticated toolset suggests experienced attackers are wielding it.