New Osiris Ransomware Emerges as New Strain Using POORTRY Driver in BYOVD Attack
Cybersecurity researchers have disclosed details of a new ransomware family called Osiris that targeted a major food service franchisee operator in Southeast Asia in November 2025. The attack leveraged a malicious driver called POORTRY as part of a known technique referred to as bring your own vulnerable driver (BYOVD) to disarm security software, the Symantec and Carbon Black Threat Hunter
AI Analysis
Technical Summary
The Osiris ransomware family, first observed in November 2025 against a major food service franchisee operator in Southeast Asia, is a new strain unrelated to the earlier ransomware of the same name. Its hallmark is the POORTRY kernel driver, loaded as part of a BYOVD attack to disable endpoint security: code running in the kernel sits above the EDR agent and can terminate the protected security processes that user-mode malware cannot touch. Unlike classic BYOVD, which abuses a legitimate but vulnerable signed driver, POORTRY is a purpose-built malicious driver; in both cases the attackers must already hold administrative rights on the host, since loading a kernel driver requires them.

The ransomware uses a hybrid encryption scheme with a unique key per file and can be pointed at specific files and folders. Before encrypting, it terminates processes that would keep files locked or allow recovery, including Microsoft Office and Exchange, backup software such as Veeam, and the Volume Shadow Copy service. Prior to encryption the attackers exfiltrate data with Rclone to Wasabi cloud storage buckets, the standard double extortion setup.

The wider intrusion relied on dual-use tooling: Netscan and Netexec for reconnaissance and lateral movement, MeshAgent and a custom RustDesk client for remote access and persistence, and KillAV, a known tool for deploying a driver to disable antivirus. RDP was also enabled for remote access. Reused tools and filenames suggest a possible link to the INC ransomware group, although attribution is not confirmed.

The article does not report the initial access vector or any software vulnerability exploited by this strain; the risk lies in the combination of BYOVD and living-off-the-land tooling, which is designed to blind endpoint defenses before encryption begins. New strains such as Osiris show ransomware operators continuing to invest in evasion, modularity and data theft to maximize impact.
Potential Impact
For European organizations, Osiris presents a multifaceted threat. A kernel driver that disables security software defeats the endpoint control most organizations rely on, so the ransomware can encrypt critical business data and disrupt operations before anyone is alerted. Terminating backup and Volume Shadow Copy services raises the risk of permanent data loss or extended downtime. Exfiltration before encryption enables double extortion, adding a confidentiality breach and GDPR obligations on top of the availability impact. Because the intrusion relied on enabled RDP and dual-use remote-access tools, organizations with exposed or weakly authenticated remote access are at elevated risk, and food service, critical infrastructure and supply chain operators in Europe could face operational disruption and reputational damage. The medium severity rating reflects the potential impact on confidentiality, integrity and availability, tempered by the fact that the tradecraft requires prior initial access and administrative rights on the host to load the driver. The evolving ransomware ecosystem in Europe, with increased targeting of supply chains, makes vigilance against this class of intrusion essential.
Mitigation Recommendations
European organizations should implement a layered defense tailored to the tactics used by Osiris. First, restrict and monitor RDP rigorously: enforce multi-factor authentication, limit access to known source addresses, disable RDP where it is not required, and alert on the registry change (fDenyTSConnections set to 0) or firewall rule change that turns it on. Deploy application and driver allowlisting, for example a WDAC policy, so that only known drivers can load, and enable Microsoft's vulnerable driver blocklist and hypervisor-protected code integrity where the hardware supports it; the blocklist stops known abused drivers but will not catch a newly built one, so it complements rather than replaces hash-based allowlisting. Do not rely on signature checks alone: POORTRY samples have carried abused but valid Microsoft signatures, so hunt for any kernel driver load whose hash is not in your baseline, especially from user-writable paths such as ProgramData or user profiles. Ensure EDR tamper protection is enabled and that driver-load telemetry (Sysmon DriverLoad, Windows service installation events) reaches the SIEM, since the driver is loaded precisely to silence the endpoint agent. Audit and harden backup solutions and keep backups immutable and offline or offsite so that killing Veeam and shadow copies on the host does not destroy the last good copy. Monitor network traffic for unusual outbound transfers, especially to cloud storage such as Wasabi, and detect Rclone by its PE metadata rather than by filename, since it is routinely renamed. Hunt for dual-use tools such as Netscan, Netexec, MeshAgent and custom remote desktop clients, and treat an unexpected remote-access service install as an incident. Conduct regular privilege audits to minimize the local administrator rights needed to load a driver in the first place. Finally, maintain threat intelligence sharing within European cybersecurity communities to detect emerging variants and tactics promptly.
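The hunting steps above can be expressed as a small rule set over endpoint telemetry. The script below is an added example written for this page, not code from the article or from Symantec/Carbon Black. It assumes Sysmon-style fields (EventID 6 DriverLoad, 1 ProcessCreate, 13 RegistryValueSet, 22 DnsQuery) plus System log 7045 ServiceInstall; the driver hash baseline, host names, paths and every event record are constructed for the example.

```python
"""Hunt Windows/Sysmon telemetry for the Osiris tradecraft described on this
page: an unknown kernel driver being loaded (POORTRY via BYOVD / KillAV), RDP
enabled through the registry, Rclone execution, DNS lookups for Wasabi, and
service installs for MeshAgent or RustDesk. Every event below is constructed
for this example; adapt the field names to your SIEM's schema."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed baseline: SHA256 hashes of drivers already known on the estate, taken
# from a WDAC policy or golden-image inventory. A valid Authenticode signature
# is deliberately NOT treated as sufficient, because POORTRY samples have
# shipped with abused but valid Microsoft hardware-compatibility signatures.
KNOWN_DRIVER_SHA256 = {"1" * 64}  # constructed placeholder hash
# Kernel drivers loaded from user-writable locations are the BYOVD pattern.
SUSPICIOUS_DRIVER_DIRS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\", "c:\\perflogs\\")
WASABI_RE = re.compile(r"(^|\.)wasabisys\.com$", re.IGNORECASE)
REMOTE_ACCESS_RE = re.compile(r"meshagent|rustdesk", re.IGNORECASE)
RDP_VALUE = r"hklm\system\currentcontrolset\control\terminal server\fdenytsconnections"


@dataclass(frozen=True)
class Finding:
    rule: str
    computer: str
    detail: str
    severity: str


def sha256_of(hashes_field: str) -> str:
    """Sysmon writes 'SHA256=...,MD5=...'; return the SHA256 value, lower-cased."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def check_event(ev: Dict) -> Optional[Finding]:
    """Return a Finding for one event, or None when it matches nothing."""
    eid, host = ev.get("EventID"), ev.get("Computer", "?")
    if eid == 6:  # DriverLoad: anything outside the hash baseline is worth a look
        if sha256_of(ev.get("Hashes", "")) in KNOWN_DRIVER_SHA256:
            return None
        path = ev.get("ImageLoaded", "")
        sev = "critical" if path.lower().startswith(SUSPICIOUS_DRIVER_DIRS) else "high"
        return Finding("unknown_driver_load", host, f"{path} signer={ev.get('Signature')}", sev)
    if eid == 13:  # RegistryValueSet: fDenyTSConnections=0 turns RDP on
        if ev.get("TargetObject", "").lower() == RDP_VALUE and "0x00000000" in ev.get("Details", ""):
            return Finding("rdp_enabled_via_registry", host, f"set by {ev.get('Image')}", "high")
    if eid == 1:  # ProcessCreate: OriginalFileName comes from the PE header and survives renaming
        if ev.get("OriginalFileName", "").lower() == "rclone.exe":
            return Finding("rclone_execution", host, ev.get("CommandLine", ""), "high")
    if eid == 22:  # DnsQuery: Rclone resolving the Wasabi S3 endpoint
        if WASABI_RE.search(ev.get("QueryName", "")):
            return Finding("wasabi_dns_lookup", host, f"{ev.get('Image')} -> {ev.get('QueryName')}", "medium")
    if eid == 7045:  # ServiceInstall: remote-access tooling persisting as a service
        if REMOTE_ACCESS_RE.search(ev.get("ServiceName", "") + " " + ev.get("ImagePath", "")):
            return Finding("remote_access_service_installed", host, ev.get("ImagePath", ""), "medium")
    return None


def hunt(events: List[Dict]) -> List[Finding]:
    return [f for f in (check_event(e) for e in events) if f is not None]


def correlate(findings: List[Finding], min_rules: int = 3) -> Dict[str, List[str]]:
    """Hosts where several distinct rules fired: one hit may be an admin
    installing a driver, but driver + RDP + Rclone on one box is an intrusion."""
    rules_by_host: Dict[str, set] = {}
    for f in findings:
        rules_by_host.setdefault(f.computer, set()).add(f.rule)
    return {h: sorted(r) for h, r in rules_by_host.items() if len(r) >= min_rules}


# Constructed sample telemetry: FS01 shows the full chain, DC01 only a lone unknown driver.
SAMPLE_EVENTS = [
    {"EventID": 6, "Computer": "FS01", "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys",
     "Hashes": "SHA256=" + "1" * 64, "Signature": "Microsoft Windows"},
    {"EventID": 6, "Computer": "FS01", "ImageLoaded": r"C:\ProgramData\drv\prt.sys",
     "Hashes": "SHA256=" + "2" * 64, "Signature": "Microsoft Windows Hardware Compatibility Publisher"},
    {"EventID": 13, "Computer": "FS01", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Computer": "FS01", "Image": r"C:\Users\Public\rc.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"rc.exe copy D:\Shares\Finance wb:constructed-bucket --transfers 16"},
    {"EventID": 22, "Computer": "FS01", "Image": r"C:\Users\Public\rc.exe", "QueryName": "s3.wasabisys.com"},
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "Mesh Agent",
     "ImagePath": r"C:\Program Files\Mesh Agent\MeshAgent.exe"},
    {"EventID": 22, "Computer": "DC01", "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "login.microsoftonline.com"},
    {"EventID": 6, "Computer": "DC01", "ImageLoaded": r"C:\Windows\System32\drivers\vendornic.sys",
     "Hashes": "SHA256=" + "3" * 64, "Signature": "Contoso Ltd"},
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.severity}] {f.computer} {f.rule}: {f.detail}")
    print("escalate:", correlate(found))
```

The design point is the correlation step: a single unknown driver load (DC01 in the sample) is a triage item, but the same host loading an unbaselined driver from ProgramData, enabling RDP, running a renamed Rclone and resolving Wasabi is the Osiris chain and should page the on-call responder.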
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Poland
Technical Details
Article Source: https://thehackernews.com/2026/01/new-osiris-ransomware-emerges-as-new.html (fetched 2026-01-22, 1783 words)
Threat ID: 69729a4b4623b1157c918192
Added to database: 1/22/2026, 9:44:43 PM
Last enriched: 1/22/2026, 9:45:03 PM
Last updated: 2/7/2026, 4:56:31 PM