Threats Tagged 'abyssworker'

This analysis explores the ecosystem of EDR (Endpoint Detection and Response) killers, tools used by ransomware attackers to disrupt security solutions before deploying encryptors. The research, based on almost 90 EDR killers tracked in the wild, reveals that these tools are fundamental in modern ransomware operations. Affiliates, not operators, typically choose EDR killers, leading to greater tooling diversity in larger affiliate pools. The same vulnerable driver can appear in unrelated tools, and tools can switch between drivers, making driver-based attribution unreliable. The landscape includes forked proofs of concept, professional implementations, and commercial offerings. While Bring Your Own Vulnerable Driver (BYOVD) technique dominates, custom scripts, anti-rootkits, and driverless approaches are also utilized. The analysis emphasizes the importance of looking beyond drivers to understand the full scope of EDR killer ecosystem and its implications for cybersecurity.

MediumMalwareUnited StatesUnited KingdomGermany+10#ghostdriver#byovd#vulnerable drivers

A new ransomware called Osiris was used in an attack on a major food service franchisee operator in Southeast Asia in November 2025. The ransomware shares similarities with previous Inc ransomware attacks, including the use of Wasabi buckets for data exfiltration and a specific version of Mimikatz. Osiris has typical ransomware functions, uses a hybrid encryption scheme, and drops a ransom note. The attack chain involved data exfiltration using Rclone, deployment of dual-use tools, and the use of a malicious driver called Abyssworker or Poortry. The attackers employed bring-your-own-vulnerable-driver (BYOVD) techniques to disable security software. While the impact of Osiris on the ransomware landscape remains uncertain, it appears to be wielded by experienced attackers with potential links to Inc ransomware or its affiliates.

MediumMalwareUnited KingdomGermanyFrance+4#abyssworker#osiris#inc ransomware