Osiris Ransomware: Mining Gold with a Vulnerable Driver
- Javier Conejo del Cerro
- 2 days ago
- 3 min. read

Like seasoned miners striking a rich gold vein, the operators behind the new Osiris ransomware quietly tunneled into a corporate environment, dismantled defenses, extracted valuable data, and only then detonated the explosive charge. The attack, observed in Southeast Asia in late 2025, showcases how modern ransomware operations increasingly resemble organized extraction campaigns rather than smash-and-grab intrusions.
Osiris is a newly identified ransomware strain, unrelated to earlier variants sharing the same name, and appears to be wielded by experienced operators with possible historical links to the INC ransomware ecosystem. Its use of a bespoke malicious driver, combined with living-off-the-land tooling and cloud-based exfiltration, reflects a mature and methodical approach to monetizing compromised networks.
Phase 1 – Prospecting the Gold Vein
The operation began quietly, without noisy exploits or zero-days. Once the attackers held an initial foothold, they prepared the terrain using a familiar modern tactic: Bring Your Own Vulnerable Driver (BYOVD), loading a driver of their own into the kernel so that security software could be attacked from below. The driver, known as POORTRY, was not a repurposed legitimate driver but a purpose-built malicious one, designed to elevate privileges and terminate security processes.
This early step allowed the attackers to neutralize endpoint protections before deeper activity began. In parallel, RDP was enabled, establishing a reliable remote access channel that would later support hands-on-keyboard operations. From the outset, the goal was clear: silence the alarms before bringing in the heavy equipment.
Phase 2 – Clearing the Shaft
With security controls suppressed, the attackers moved laterally and mapped the environment using a mix of dual-use and administrative tools, including network scanners and remote management utilities such as Netscan, Netexec, MeshAgent, and a customized RustDesk client.
Credential access was achieved using a customized Mimikatz variant, previously observed in INC ransomware intrusions under the filename kaz.exe. This allowed the attackers to harvest privileged credentials and deepen their control over the environment.
At this stage, the miners weren’t extracting gold yet — they were clearing the tunnels, identifying valuable seams, and ensuring uninterrupted access.
Phase 3 – Extracting
Before any encryption took place, sensitive corporate data was exfiltrated using Rclone, a legitimate file synchronization tool frequently abused in ransomware operations. The stolen data was transferred to Wasabi cloud storage buckets, providing the attackers with off-site control and redundancy.
The exfiltrated information likely included internal documents, operational data, and potentially sensitive business records — assets valuable both for extortion and secondary monetization. This data theft phase ensured that, even if recovery was possible, the victims would still face leverage in the form of double extortion.
Only after the gold was safely hauled out did the attackers prepare the final detonation.
Phase 4 – Detonation in the Mine
The final phase saw the deployment of Osiris ransomware, described as an effective and flexible encryption payload. Osiris uses a hybrid encryption scheme with a unique symmetric key per file; in such schemes each file key is in turn protected with the operators' asymmetric key, so recovering one file key does not unlock the others and recovery without the operators' private key is impractical.
The ransomware was configured to:
- Terminate services and processes related to backups, productivity tools, and databases
- Selectively encrypt files based on extensions and directories
- Kill processes tied to Microsoft Office, Exchange, Firefox, Veeam, Volume Shadow Copy, and more
- Drop a ransom note and enforce operational disruption
By the time encryption began, defenses were disabled, backups were likely impaired, and sensitive data had already been stolen — a textbook modern ransomware execution.
Measures to Defend the Mine
Organizations can reduce exposure to similar attacks by focusing on the early stages of the intrusion lifecycle:
- Monitor and block BYOVD techniques: enforce driver blocklists (Microsoft's vulnerable driver blocklist or WDAC driver policies) and alert on drivers loaded from user-writable paths or by unfamiliar signers. A valid signature alone is not a clean bill of health, since drivers abused this way are usually signed.
- Restrict dual-use tools (Rclone, Netscan, remote admin software) through application allowlisting keyed on hashes or signers rather than file names, because renamed binaries are routine.
- Enforce strict RDP controls, including MFA, source IP allowlists, continuous monitoring, and alerts when RDP is switched on for a host where it was previously disabled.
- Detect and alert on credential dumping behaviors, in particular unexpected processes opening LSASS with read access, alongside signatures for known Mimikatz variants such as the kaz.exe build seen here.
- Monitor outbound traffic for unexpected cloud storage destinations, especially Wasabi and similar providers the business does not use, and prefer egress filtering toward an allowlist of sanctioned destinations.
- Maintain offline, immutable backups and routinely test restoration procedures.
- Segment networks to limit lateral movement and privilege escalation paths.
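The following Python is an added example, not code from the article or from any of the reporting it summarizes. It triages constructed Sysmon-style events for the behaviours described in Phases 1 through 3 and in the list above: a kernel driver loaded from an unexpected path (BYOVD), RDP switched on through fDenyTSConnections, dual-use tools run under renamed file names, a non-allowlisted process reading LSASS, and egress to Wasabi storage endpoints. Field names follow Sysmon event IDs 1, 3, 6, 10 and 13; the sample events, the allowlists, the watchlisted binary names (nxc.exe for Netexec, kaz.exe from the article), the Wasabi host pattern and the all-zero driver hash are constructed assumptions to be tuned for a real estate.

```python
"""Triage Sysmon-style events for the pre-encryption stages of an Osiris-type intrusion.
Added example, not code from the article. Sample events, allowlists, watchlisted binary
names and the driver hash are constructed assumptions; fields follow Sysmon IDs 1, 3, 6, 10, 13."""
import fnmatch
from pathlib import PureWindowsPath

TRUSTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")  # tune
KNOWN_BAD_DRIVER_SHA256 = {"0" * 64}  # denylist placeholder, not a real POORTRY hash
LSASS_READERS_ALLOWED = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}  # baseline first
PROCESS_VM_READ = 0x0010  # access right every LSASS credential dumper needs
DUAL_USE_NAMES = {"rclone.exe", "netscan.exe", "nxc.exe", "meshagent.exe", "rustdesk.exe", "kaz.exe"}
EXFIL_HOST_PATTERNS = ("*.wasabisys.com",)  # storage the business does not use; pattern assumed

def basename(path):
    return PureWindowsPath(path).name.lower()

def check_driver_load(ev):
    """EventID 6: odd load path, bad signature, or denylisted hash. A valid signature is not
    exculpatory: drivers abused for BYOVD are usually signed, so path and hash carry the rule."""
    if ev["EventID"] != 6:
        return None
    image = ev["ImageLoaded"].lower()
    hashes = dict(part.split("=", 1) for part in ev["Hashes"].split(","))
    reasons = []
    if not image.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from non-standard path")
    if ev.get("Signed", "false").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    if hashes.get("SHA256", "").lower() in KNOWN_BAD_DRIVER_SHA256:
        reasons.append("hash on driver denylist")
    return ("byovd_driver_load", ev["ImageLoaded"], reasons) if reasons else None

def check_rdp_enabled(ev):
    """EventID 13: fDenyTSConnections written to 0 switches RDP on."""
    if ev["EventID"] != 13 or not ev["TargetObject"].lower().endswith(r"\terminal server\fdenytsconnections"):
        return None
    return ("rdp_enabled", ev["Image"], ["fDenyTSConnections=0"]) if ev["Details"] == "DWORD (0x00000000)" else None

def check_dual_use_tool(ev):
    """EventID 1: match OriginalFileName (PE version info) and on-disk name, so a renamed rclone.exe hits."""
    if ev["EventID"] != 1:
        return None
    original, on_disk = ev.get("OriginalFileName", "").lower(), basename(ev["Image"])
    if original in DUAL_USE_NAMES or on_disk in DUAL_USE_NAMES:
        note = "renamed binary" if original and original != on_disk else "watchlisted tool"
        return ("dual_use_tool", ev["Image"], [note])
    return None

def check_lsass_access(ev):
    """EventID 10: a non-allowlisted process opening lsass.exe with PROCESS_VM_READ."""
    if ev["EventID"] != 10 or basename(ev["TargetImage"]) != "lsass.exe":
        return None
    if int(ev["GrantedAccess"], 16) & PROCESS_VM_READ and basename(ev["SourceImage"]) not in LSASS_READERS_ALLOWED:
        return ("lsass_read_access", ev["SourceImage"], [f"GrantedAccess={ev['GrantedAccess']}"])
    return None

def check_cloud_exfil(ev):
    """EventID 3: outbound connection to a cloud storage endpoint the business does not use."""
    if ev["EventID"] != 3:
        return None
    host = ev.get("DestinationHostname", "").lower()
    if any(fnmatch.fnmatch(host, pattern) for pattern in EXFIL_HOST_PATTERNS):
        return ("cloud_storage_egress", ev["Image"], [f"dest={host}"])
    return None

CHECKS = (check_driver_load, check_rdp_enabled, check_dual_use_tool, check_lsass_access, check_cloud_exfil)

def triage(events):
    """Run every check over every event; return (rule, subject, reasons) hits in event order."""
    return [hit for ev in events for hit in (check(ev) for check in CHECKS) if hit]

# Constructed events in intrusion order, two of them benign; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\drv.sys", "Hashes": "SHA256=" + "1" * 64,
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"},
    {"EventID": 1, "Image": r"C:\ProgramData\svc.exe", "OriginalFileName": "rclone.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\kaz.exe", "OriginalFileName": ""},
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\kaz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 3, "Image": r"C:\ProgramData\svc.exe", "DestinationHostname": "s3.ap-southeast-1.wasabisys.com"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Hashes": "SHA256=" + "2" * 64,
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for rule, subject, reasons in triage(SAMPLE_EVENTS):
        print(f"{rule:22} {subject}  ({'; '.join(reasons)})")
```

Two design points are worth noting. In the constructed driver event the Signed and SignatureStatus fields read as valid, so a rule keyed only on the signature would stay silent; the load path and the hash denylist are what fire, which is the right shape for BYOVD detection. Likewise the renamed Rclone copy is caught through OriginalFileName from the PE version resource rather than its on-disk name, and the same process is then tied to the Wasabi connection, giving an analyst the exfiltration story before any encryption starts.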
The Osiris intrusion reinforces a critical reality: modern ransomware is no longer about speed, but about control, extraction, and leverage. The attackers behaved less like vandals and more like miners — disabling safeguards, surveying the terrain, extracting valuable assets, and only then collapsing the mine.
The use of a bespoke BYOVD driver, cloud-based data theft, and selective encryption reflects a level of operational discipline typically associated with experienced ransomware crews. Whether Osiris ultimately evolves into a full ransomware-as-a-service offering or remains a targeted operation, its debut illustrates how the ransomware landscape continues to professionalize.
For defenders, the lesson is clear: if you wait until encryption starts, the gold is already gone.
The Hacker News