
Osiris Ransomware: The God of the Cyber Afterlife Strikes Again

In ancient Egyptian mythology, Osiris was the god of the afterlife, resurrection, and renewal—a figure symbolizing death and rebirth. Fittingly, the name “Osiris” has been resurrected in the world of cybersecurity, not once but twice, to describe potent ransomware strains that bring digital doom to their victims. While the first incarnation emerged nearly a decade ago as a variant of the infamous Locky ransomware, a brand-new Osiris has surfaced in late 2025, showcasing evolved tactics and raising alarms among security experts. 


This blog dives into both versions, exploring their origins, mechanics, and the lessons they teach in an era where cyber threats evolve as quickly as the technology they exploit.

The Original Osiris: A Locky Legacy from 2016

Back in December 2016, cybersecurity researchers spotted a new ransomware dubbed Osiris, which was essentially the seventh generation of the Locky family—one of the most prolific ransomware campaigns of its time.  Spread primarily through massive spam email campaigns, Osiris infected systems by tricking users into opening malicious attachments or clicking rigged links. Once inside, it encrypted files with a strong algorithm, appending the “.osiris” extension to filenames (e.g., turning “document.docx” into something like “11111111-1111-1111-FC8BB0BA-5FE9D9C2B69A.osiris”). 

The ransomware dropped ransom notes in files like “OSIRIS-[random].htm” and even altered desktop backgrounds to “DesktopOSIRIS.bmp” to demand payment in Bitcoin for decryption keys.  It targeted a wide range of file types, avoiding system-critical ones to keep the machine operational enough for victims to pay up. Notable incidents included the infection of a Texas police department in 2016, where eight years of evidence—videos, photos, and documents—were encrypted, highlighting the real-world devastation ransomware can cause.  The attack exploited email spoofing, mimicking legitimate police communications, and served as a stark reminder for public institutions to bolster email security.

Osiris 1.0 was part of Locky’s evolution, incorporating anti-detection features like targeting backups to prevent easy recovery.  While decryptors eventually emerged for some Locky variants, Osiris’s reign contributed to the ransomware boom of the mid-2010s, costing victims millions and inspiring future threats.

Resurrection in 2025: The New Osiris Emerges

Fast-forward to November 2025, and Osiris is back—but this isn’t a sequel; it’s an entirely new beast.  Discovered in an attack on a major food service franchisee operator in Southeast Asia, this fresh strain bears no code similarities to its 2016 namesake.  Researchers from Symantec and VMware Carbon Black’s Threat Hunter Team identified it as a unique ransomware family, potentially linked to experienced actors behind the Inc ransomware group. 

Unlike the spam-heavy approach of old, the 2025 Osiris employs sophisticated initial access and persistence tactics. The attack began with data exfiltration days before encryption, using tools like Rclone to siphon files to a Wasabi cloud storage bucket—a method echoing Inc’s operations in October 2025.  Attackers enabled Remote Desktop Protocol (RDP) for entry, deployed network scanning tools like Netscan and Netexec, and used MeshAgent for execution. 

A standout feature is the use of a modified Rustdesk remote management tool, disguised as “WinZip Remote Desktop” with a fake icon, to maintain control stealthily.  To evade defenses, the attackers leveraged a “Bring Your Own Vulnerable Driver” (BYOVD) technique with a malicious driver called POORTRY (also known as Abyssworker), masquerading as a Malwarebytes anti-exploit driver.  This driver, loaded via a tool like Stonestop, disables security software and has ties to previous Medusa ransomware campaigns.  Additional evasion came from KillAV, which terminates protective processes, and a Mimikatz variant (kaz.exe) for credential dumping—another overlap with Inc tactics. 

Under the Hood: How Osiris 2025 Encrypts and Extorts

The new Osiris is a full-featured locker with command-line options for customization, such as “log” for tracking, “file” or “path” for targeting specifics, and modes like “head” (partial encryption) or “full” (complete).  It uses a hybrid encryption scheme: elliptic curve cryptography (ECC) combined with AES-128-CTR, generating a unique AES key per file for efficiency.  Asynchronous I/O handles the process, appending “.Osiris” to encrypted files (e.g., “report.pdf.Osiris”). 

Before locking files, it stops critical services (like SQL and Veeam backups) and terminates processes (e.g., Office apps, databases).  It skips certain extensions (.exe, .dll, etc.) and folders (Windows system directories) to avoid crashing the system, but targets user data relentlessly.  Post-encryption, it deletes Volume Shadow Copies (VSS) to hinder recovery and drops a ransom note “Osiris-MESSAGE.txt,” detailing stolen data and providing a TOR link for negotiations—indicating a double-extortion strategy. 
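The pre-encryption behaviour described above (stopping database and backup services, deleting shadow copies, mass-renaming files to ".Osiris", dropping "Osiris-MESSAGE.txt") is what a detection engineer would key on, because it shows up in endpoint telemetry before or while the damage is being done. The following is an added example, not code from the post or from Symantec/Carbon Black. It runs a few simple rules over a handful of constructed log lines in an assumed "timestamp source message" format; the service names MSSQLSERVER and VeeamBackupSvc are assumed stand-ins for the SQL and Veeam services the post mentions, and the thresholds are illustrative.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the original post). Format assumed for
# this demo: "<ISO timestamp> <event type> <details>".
SAMPLE_LOG = [
    "2025-11-14T02:10:01Z service host MSSQLSERVER entered the stopped state",
    "2025-11-14T02:10:03Z service host VeeamBackupSvc entered the stopped state",
    "2025-11-14T02:10:05Z process create vssadmin.exe delete shadows /all /quiet",
    "2025-11-14T02:11:00Z file rename C:\\Data\\report.pdf -> C:\\Data\\report.pdf.Osiris",
    "2025-11-14T02:11:01Z file rename C:\\Data\\q3.xlsx -> C:\\Data\\q3.xlsx.Osiris",
    "2025-11-14T02:11:01Z file rename C:\\Data\\notes.txt -> C:\\Data\\notes.txt.Osiris",
    "2025-11-14T02:11:02Z file rename C:\\Data\\deck.pptx -> C:\\Data\\deck.pptx.Osiris",
    "2025-11-14T02:11:02Z file create C:\\Data\\Osiris-MESSAGE.txt",
    "2025-11-14T02:30:00Z file rename C:\\Data\\old.bak -> C:\\Data\\archive.bak",
]

SERVICE_STOP_RE = re.compile(r"^(?P<ts>\S+) service host (?P<name>\S+) entered the stopped state$")
PROC_RE = re.compile(r"^(?P<ts>\S+) process create (?P<cmd>.+)$")
CREATE_RE = re.compile(r"^(?P<ts>\S+) file create (?P<path>.+)$")
RENAME_RE = re.compile(r"^(?P<ts>\S+) file rename (?P<src>.+?) -> (?P<dst>.+)$")

# Shadow-copy deletion via vssadmin, a classic recovery-inhibition step.
SHADOW_DELETE_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
# Assumed service names standing in for the SQL and Veeam services named in the post.
PROTECTED_SERVICES = {"MSSQLSERVER", "VeeamBackupSvc"}
RANSOM_NOTE = "osiris-message.txt"   # note filename from the post, compared case-insensitively
ENCRYPTED_EXT = ".osiris"            # extension appended by the 2025 Osiris locker


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def basename(path):
    # Handle Windows paths even when this runs on a non-Windows analysis box.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(lines, burst_threshold=3, window=timedelta(seconds=60)):
    """Return a list of (rule, evidence) findings for the given log lines."""
    findings = []
    rename_times = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = SERVICE_STOP_RE.match(line)
        if m and m.group("name") in PROTECTED_SERVICES:
            findings.append(("backup_or_db_service_stopped", line))
            continue
        m = PROC_RE.match(line)
        if m and SHADOW_DELETE_RE.search(m.group("cmd")):
            findings.append(("shadow_copy_deletion", line))
            continue
        m = CREATE_RE.match(line)
        if m and basename(m.group("path")) == RANSOM_NOTE:
            findings.append(("ransom_note_dropped", line))
            continue
        m = RENAME_RE.match(line)
        if m and m.group("dst").lower().endswith(ENCRYPTED_EXT):
            rename_times.append(parse_ts(m.group("ts")))

    # Sliding window over rename events: a burst of ".Osiris" renames is the
    # encryption phase itself, so report the largest burst seen.
    rename_times.sort()
    best, start = 0, 0
    for end, t in enumerate(rename_times):
        while t - rename_times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    if best >= burst_threshold:
        findings.append(("osiris_rename_burst",
                         f"{best} files renamed to {ENCRYPTED_EXT} within {int(window.total_seconds())}s"))
    return findings


if __name__ == "__main__":
    for rule, evidence in analyze(SAMPLE_LOG):
        print(f"[{rule}] {evidence}")
```

Any one of these rules fires on plenty of benign administration (a DBA stopping SQL, a backup job rotating snapshots), so the useful signal is the combination within a short time span on one host; an alerting pipeline would correlate the four findings rather than page on each.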

The impact? In the known attack, a Philippine conglomerate was hit, with data leaked on a dark web site by December 2025.  This blend of theft and encryption amplifies pressure on victims, a hallmark of modern ransomware.

Potential Links and the Bigger Picture

While Osiris’s developers remain unknown, overlaps with Inc (e.g., Wasabi exfiltration, Mimikatz usage) suggest either shared actors or tactic emulation.  POORTRY’s history with Medusa adds another layer, hinting at a web of experienced cybercriminals.  This isn’t just a one-off; it reflects the ransomware ecosystem’s shift toward stealthier, driver-abusing attacks that bypass traditional defenses. 

Defending Against the Digital Pharaoh

Preventing Osiris-like threats requires a multi-layered approach:

•  Patch and Secure Access: Disable unnecessary RDP and enforce multi-factor authentication.

•  Behavioral Detection: Use endpoint detection and response (EDR) tools that spot anomalous drivers and processes.

•  Backups and Segmentation: Maintain offline backups and segment networks to limit lateral movement.

•  User Training: Educate on phishing, as even advanced attacks often start with social engineering.

•  Driver Whitelisting: Implement kernel-mode protections against BYOVD exploits.

Tools like those from Symantec or Carbon Black can help detect indicators like the POORTRY driver (SHA-256: 44748c22baec61a0a3bd68b5739736fa15c479a3b28c1a0f9324823fc4e3fe34). 
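A hash indicator like the one above is only useful if something actually compares it against what is on disk. The following is an added example, not code from the post or from any vendor: a small sweep that streams every driver file under a directory through SHA-256 and reports matches against an indicator set seeded with the POORTRY hash quoted above. Because no real sample is (or should be) present on a demo machine, the `demo()` function plants a constructed stand-in file and adds its own hash to a copy of the indicator set so the match path can be exercised; the file names and contents there are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicator quoted in the post above: SHA-256 of the POORTRY (Abyssworker) driver.
POORTRY_SHA256 = "44748c22baec61a0a3bd68b5739736fa15c479a3b28c1a0f9324823fc4e3fe34"
KNOWN_BAD = {POORTRY_SHA256: "POORTRY/Abyssworker driver (BYOVD)"}


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, known_bad=None, suffixes=(".sys",)):
    """Walk `root`, hash every file whose suffix matches, and return IoC hits."""
    known_bad = KNOWN_BAD if known_bad is None else known_bad
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            digest = sha256_file(p)
            if digest in known_bad:
                hits.append({"path": str(p), "sha256": digest, "label": known_bad[digest]})
    return hits


def demo():
    """Constructed demonstration of the match path.

    One benign driver and one planted stand-in are written to a temp directory;
    the stand-in's hash is added to a copy of the indicator set so the sweep has
    something to find without a real malicious sample being present.
    """
    with tempfile.TemporaryDirectory() as tmp:
        drivers = Path(tmp) / "drivers"
        drivers.mkdir()
        (drivers / "benign.sys").write_bytes(b"constructed benign driver bytes")
        planted = drivers / "planted.sys"
        planted.write_bytes(b"constructed stand-in for a known-bad driver")
        indicators = dict(KNOWN_BAD)
        indicators[sha256_file(planted)] = "planted test indicator"
        hits = sweep(tmp, indicators)
        return [(Path(h["path"]).name, h["label"]) for h in hits]


if __name__ == "__main__":
    for name, label in demo():
        print(f"HIT {name}: {label}")
```

On a real host you would point `sweep()` at the driver store (for example the Windows drivers directory) and feed it a larger indicator set from your threat-intelligence source; hash matching catches this exact file but not a recompiled variant, which is why the behavioural detection of unexpected kernel driver loads still matters alongside it.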

Conclusion: Eternal Vigilance in the Cyber Realm

Osiris ransomware, in both its forms, embodies the persistent threat of cyber extortion—rising from the ashes to claim new victims. The 2016 version taught us about email vigilance, while the 2025 iteration warns of evolving evasion techniques like BYOVD and dual-use tool abuse. As we enter 2026, staying ahead means embracing proactive security, threat intelligence sharing, and perhaps a touch of mythological resilience. After all, if Osiris can resurrect, so can our defenses. Stay safe out there!
