
Osiris: New Ransomware, Experienced Attackers?

Medium
Published: Fri Jan 23 2026 (01/23/2026, 10:08:47 UTC)
Source: AlienVault OTX General

Description

A new ransomware called Osiris was used in an attack on a major food service franchisee operator in Southeast Asia in November 2025. The ransomware shares similarities with previous Inc ransomware attacks, including the use of Wasabi buckets for data exfiltration and a specific version of Mimikatz. Osiris has typical ransomware functions, uses a hybrid encryption scheme, and drops a ransom note. The attack chain involved data exfiltration using Rclone, deployment of dual-use tools, and the use of a malicious driver called Abyssworker or Poortry. The attackers employed bring-your-own-vulnerable-driver (BYOVD) techniques to disable security software. While the impact of Osiris on the ransomware landscape remains uncertain, it appears to be wielded by experienced attackers with potential links to Inc ransomware or its affiliates.

AI-Powered Analysis

Last updated: 01/23/2026, 10:35:15 UTC

Technical Analysis

Osiris is a recently observed ransomware variant, first seen in a targeted attack against a major food service franchisee operator in Southeast Asia in November 2025. It overlaps with earlier Inc ransomware operations in two specific ways: stolen data is exfiltrated to Wasabi cloud storage buckets, and a particular build of Mimikatz is used for credential harvesting. The payload encrypts victim files with a hybrid scheme, i.e. symmetric encryption of file contents with the symmetric keys wrapped by an attacker-held public key, so files cannot be recovered without the attacker's private key, and it drops a ransom note demanding payment. The attack chain involved exfiltration with Rclone, deployment of dual-use tools, and a malicious kernel-mode driver tracked as Abyssworker or Poortry, alongside bring-your-own-vulnerable-driver (BYOVD) techniques in which a legitimately signed but exploitable driver is loaded to obtain kernel privileges and terminate or blind security software. The referenced MITRE ATT&CK techniques also point to process injection (T1055), persistence through Windows service creation (T1543.003), obfuscation, and LSASS credential dumping (T1003.001). Taken together, the tooling suggests experienced operators, possibly Inc affiliates or actors reusing Inc's playbook. The broader impact of Osiris is still unclear, but cloud-bucket exfiltration and kernel-driver abuse are now standard practice among capable ransomware crews, and both make detection and recovery harder.

Potential Impact

For European organizations, Osiris is a significant threat, particularly in sectors with extended supply chains and customer-facing operations such as food service, hospitality, and logistics. Because data is exfiltrated to cloud storage before encryption, an incident is a personal data breach as well as an availability event, with the notification duties and potential penalties GDPR attaches to it. BYOVD abuse of a signed driver lets the attacker terminate or blind endpoint protection from the kernel, so EDR alone cannot be relied on to stop the later stages, which raises both the chance of success and the dwell time. Credential theft with Mimikatz supports lateral movement and privilege escalation, so a single foothold can become a domain-wide compromise and a loss of business continuity. Hybrid encryption means files cannot be recovered without the attacker's private key, so downtime, financial loss and reputational damage follow unless isolated backups exist. Organizations that allow arbitrary signed drivers to load, or that do not monitor egress to cloud storage, are particularly exposed, and given the sophistication of the chain, response and recovery will demand substantial resources and expertise.

Mitigation Recommendations

European organizations should apply targeted measures against the tradecraft seen in this attack. Inventory the drivers in use and enforce driver control: enable hypervisor-protected code integrity (HVCI) and the Microsoft vulnerable driver blocklist, or an equivalent WDAC policy, because patching your own drivers does not stop BYOVD (the attacker brings the vulnerable driver). Deploy EDR that alerts on driver loads from unusual paths, on tampering with security services, and on process injection. Monitor outbound traffic for connections to cloud storage such as Wasabi (*.wasabisys.com) from hosts or accounts that have no business using it, alert on Rclone and other dual-use transfer tools including renamed copies, and log access to your own cloud storage. Harden credentials: enforce multi-factor authentication, limit and tier administrative privileges, protect LSASS (Credential Guard or LSA protection), and monitor for credential dumping. Keep software patched to close initial access and escalation paths. Run phishing awareness training to reduce user-executed initial infection (T1204.002). Maintain backups that are isolated and immutable so they survive encryption, and test restores. Finally, ingest threat intelligence feeds so that indicators tied to Osiris and Inc ransomware activity, including those listed below, are matched automatically.
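The detection logic that the attack chain above and these mitigations call for, written out as an added example that is not code from the source report, from AlienVault, or from this site: it matches constructed Sysmon-style telemetry against a subset of the hashes and domains listed under Indicators of Compromise below, flags Rclone launched against a Wasabi endpoint, flags any process talking to Wasabi (for the case where the endpoint lives in rclone.conf rather than on the command line), and flags kernel drivers loading from outside a reviewed allowlist. The event field names, the driver allowlist and every sample event are assumptions constructed for the example; the indicator values come from the page and wasabisys.com is Wasabi's real S3 endpoint domain.

```python
"""Triage constructed host telemetry against the indicators and tradecraft on this page.

Added example, not code from the source report or from AlienVault. The records in
SAMPLE_EVENTS are constructed (Sysmon-style fields: process creation, driver load,
DNS query, network connection); only the values in PAGE_IOCS come from the page's
indicator list. Field names and DRIVER_ALLOWLIST are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Subset of the indicators listed on this page (one of each hash type plus both domains).
PAGE_IOCS = {
    "hashes": {
        "316a534a8f17de17c38ee3f7c37eedf4",                                  # MD5
        "10770be56c62b66af3ff2d48a0ae36c61218e7ac",                          # SHA-1
        "231e6bee1ee77d70854c1e3600342d8a69c18442f601cd201e033fa13cb8d5a5",  # SHA-256
    },
    "domains": {"ausare.net", "wesir.net"},
}

# Assumed: drivers the organisation has reviewed and allows to load (illustrative, not complete).
DRIVER_ALLOWLIST = {r"c:\windows\system32\drivers\ntfs.sys"}

# Wasabi's S3 API is served under wasabisys.com (s3.wasabisys.com and regional hosts).
WASABI_RE = re.compile(r"(?<![a-z0-9-])wasabisys\.com\b", re.IGNORECASE)
# rclone at the start of the command line or after a path separator / quote.
RCLONE_RE = re.compile(r"(?:^|[\\/\s\"'])rclone(?:\.exe)?\b", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def hostname(value: str) -> str:
    """Reduce a URL, host:port or bare name to a lower-case hostname for comparison."""
    value = re.sub(r"^[a-z][a-z0-9+.-]*://", "", value, flags=re.IGNORECASE)
    return value.split("/")[0].split(":")[0].lower()


def triage(events: list[dict]) -> list[Alert]:
    """Apply five rules, each mapped to a step of the attack chain described above.

    ioc-hash       image hash matches the page's indicator list (MD5, SHA-1 or SHA-256)
    ioc-domain     DNS query or connection to a listed domain, including subdomains
    wasabi-egress  any process connecting to a Wasabi endpoint (catches endpoints set in rclone.conf)
    rclone-wasabi  rclone launched with a Wasabi endpoint on its command line
    driver-load    kernel driver loaded from outside DRIVER_ALLOWLIST (BYOVD / Poortry candidate)
    """
    alerts: list[Alert] = []
    for ev in events:
        host = ev.get("host", "?")
        image = ev.get("image", "")
        for h in ev.get("hashes", []):
            if h.lower() in PAGE_IOCS["hashes"]:
                alerts.append(Alert("ioc-hash", host, f"{image} {h.lower()}"))
        dest = ev.get("dest")
        if dest:
            name = hostname(dest)
            if any(name == d or name.endswith("." + d) for d in PAGE_IOCS["domains"]):
                alerts.append(Alert("ioc-domain", host, name))
            if WASABI_RE.search(name):
                alerts.append(Alert("wasabi-egress", host, f"{image} -> {name}"))
        cmd = ev.get("cmdline", "")
        if RCLONE_RE.search(cmd) and WASABI_RE.search(cmd):
            alerts.append(Alert("rclone-wasabi", host, cmd))
        if ev.get("type") == "driver_load" and image.lower() not in DRIVER_ALLOWLIST:
            alerts.append(Alert("driver-load", host, image))
    return alerts


SAMPLE_EVENTS = [  # constructed telemetry for the example, not data from the incident
    {"type": "process_create", "host": "fs-01", "image": r"C:\ProgramData\rclone.exe",
     "cmdline": r"rclone.exe copy \\fs-01\finance wasabi:staging --s3-endpoint s3.wasabisys.com",
     "hashes": ["9d3c8f4e5a6b7c8d9e0f1a2b3c4d5e6f"]},
    {"type": "network_connect", "host": "fs-01", "image": r"C:\ProgramData\rclone.exe",
     "dest": "https://s3.eu-central-1.wasabisys.com:443"},
    {"type": "dns_query", "host": "ws-07", "image": r"C:\Windows\System32\svchost.exe",
     "dest": "wesir.net"},
    {"type": "process_create", "host": "ws-07", "image": r"C:\Users\Public\update.exe",
     "cmdline": r"C:\Users\Public\update.exe -s",
     "hashes": ["231E6BEE1EE77D70854C1E3600342D8A69C18442F601CD201E033FA13CB8D5A5"]},
    {"type": "driver_load", "host": "ws-07", "image": r"C:\Windows\Temp\drv.sys",
     "hashes": ["0f1e2d3c4b5a69788796a5b4c3d2e1f0"]},
    {"type": "driver_load", "host": "ws-07", "image": r"C:\Windows\System32\drivers\ntfs.sys"},
    {"type": "dns_query", "host": "ws-07", "image": r"C:\Windows\System32\svchost.exe",
     "dest": "www.microsoft.com"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Run as a script it prints one alert per constructed event that matches a rule and nothing for the benign ones. In practice feed it Sysmon events 1, 3, 6 and 22 (process creation, network connection, driver load, DNS query) and suppress wasabi-egress for the backup jobs that legitimately use Wasabi. A renamed Rclone binary escapes the command-line rule, which is why the egress rule exists alongside it; the driver rule is only as good as the allowlist, so pair it with HVCI and the Microsoft vulnerable driver blocklist rather than relying on it alone.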


Technical Details

Author
AlienVault
TLP
white
References
https://www.security.com/threat-intelligence/new-ransomware-osiris
Adversary
Osiris
Pulse Id
697348b0134b41c432693dc5
Threat Score
null

Indicators of Compromise

Hashes

MD5

316a534a8f17de17c38ee3f7c37eedf4
8e024a4c90f17f1aedc7fc53d5ca23c6
94d53edb65a089cd1491b4b2e46714aa
c29dbcc9742f3464c890882a5aec889e
d634c9a618a48ce2b892b9992f7ccbd7
f33ed8098974bba785a0c86e629e1622
fda664fc5e941ce6ff9c7ff30094af96

SHA-1

10770be56c62b66af3ff2d48a0ae36c61218e7ac
3511c07428fef55e2ff2f3b38442a91b6422e10b
40367efb18e13a4a62f1a9a47dedec2f55a8b8f9
44f3067c0ae0f5bb46b1c5455f881eb646fba782
c026aa8c56c11ca7b385739a4d722c28e1b4bbb9
c4da0ec252fdfefee9ccccf72aeab726a0f903a9
fc0be142a0d7da29257e8bd112f9ac1ce705f425

SHA-256

231e6bee1ee77d70854c1e3600342d8a69c18442f601cd201e033fa13cb8d5a5
39a0565f0c0adc4dc5b45c67134b3b488ddb9d67b417d32e9588235868316fac
44748c22baec61a0a3bd68b5739736fa15c479a3b28c1a0f9324823fc4e3fe34
44e007741f7650d1bd04cca3cd6dfd4f32328c401f95fb2d6d1fafce624cc99e
534bd6b99ed0e40ccbefad1656f03cc56dd9cc3f6d990cd7cb87af4cceebe144
5bd82a1b2db1bdc8ff74cacb53823edd8529dd9311a4248a86537a5b792939f8
5c2f663c8369af70f727cccf6e19248c50d7c157fe9e4db220fbe2b73f75c713
79bd876918bac1af641be10cfa3bb96b42c30d18ffba842e0eff8301e7659724
824e16f0664aaf427286283d0e56fdc0e6fa8698330fa13998df8999f2a6bb61
8c378f6200eec750ed66bde1e54c29b7bd172e503a5874ca2eead4705dd7b515
c189595c36996bdb7dce6ec28cf6906a00cbb5c5fe182e038bf476d74bed349e
c74509fcae41fc9f63667dce960d40907f81fae09957bb558d4c3e6a786dde7d
ce719c223484157c7f6e52c71aadaf496d0dad77e40b5fc739ca3c51e9d26277
d524ca33a4f20f70cb55985289b047defc46660b6f07f1f286fa579aa70cf57a
d78f7d9b0e4e1f9c6b061fb0993c2f84e22c3e6f32d9db75013bcfbba7b64bc3
fc39cca5d71b1a9ed3c71cca6f1b86cfe03466624ad78cdb57580dba90847851
fff586c95b510e6c8c0e032524026ef22297869a86d14075cd601ca8e20d4a16

Domains

ausare.net
wesir.net

Threat ID: 69734b8c4623b1157c2daa7f

Added to database: 1/23/2026, 10:21:00 AM

Last enriched: 1/23/2026, 10:35:15 AM

Last updated: 1/24/2026, 5:21:46 AM

