Osiris Ransomware Campaign Using BYOVD for Defense Evasion and Double Extortion
February 6th, 2026
High
Our Cyber Threat Intelligence Unit is monitoring Osiris, a ransomware family first documented in January 2026 and linked to a confirmed attack on a major food-service franchise in Southeast Asia in November 2025. The campaign targets Windows environments and follows a hands-on intrusion model characterized by reconnaissance, credential access, pre-encryption data exfiltration, defense impairment, and selective deployment of ransomware. Activities observed include the use of dual-purpose administrative tools, pre-encryption data exfiltration to cloud storage, and kernel-level defense evasion via a malicious driver associated with the Poortry (Abyssworker) family. The operators also deployed a modified remote management tool disguised as legitimate software to maintain access. Tactics such as Wasabi-based data exfiltration and specific tooling conventions overlap with patterns previously associated with INC ransomware operations, indicating possible operational emulation or affiliate crossover. This threat is significant for its stealth, abuse of trusted components, and double-extortion model, highlighting the continued evolution of ransomware campaigns toward low-noise, high-impact intrusions.
Technical Details
Severity: High
Threat Type: Ransomware & Double extortion (data exfiltration + encryption)
Observed Techniques:
Bring Your Own Vulnerable Driver (BYOVD)–style defense impairment
Kernel-level security control termination
Credential theft
Lateral movement using dual-use tools
Pre-encryption data exfiltration
Remote access persistence
Affected Platforms: Windows environments
Components Impacted:
Endpoint security software (via kernel-level termination)
Enterprise hosts and services affected by ransomware encryption
Sensitive data repositories subject to exfiltration
Attack Chain Summary:
Initial Access / Remote Access:
Reporting confirms RDP was enabled within the impacted environment, likely providing remote access for attacker operations.
No definitive initial access vector (e.g., phishing, vulnerability exploitation) has been publicly confirmed.
Reconnaissance:
Post-access discovery was conducted using legitimate and dual-use tools, including:
Netscan
Netexec
MeshAgent
These tools were leveraged to enumerate hosts, users, and network paths.
Credential Access:
Mimikatz, often renamed (e.g., kaz.exe), was deployed to extract credentials from memory.
Harvested credentials were used to expand access within the environment.
Data Exfiltration (Pre-Encryption):
Sensitive data was exfiltrated prior to encryption using Rclone.
Exfiltrated data was transferred to Wasabi cloud storage, consistent with a double-extortion strategy.
Defense Impairment (BYOVD-Style Technique):
A malicious kernel-mode driver associated with Poortry (also tracked as Abyssworker) was introduced to impair endpoint security controls.
The driver masqueraded as a legitimate Malwarebytes anti-exploit driver.
A loader component referred to as Stonestop was used to install the driver and issue execution instructions.
Kernel-level access was leveraged to terminate security processes.
Security Control Neutralization:
Endpoint security services were forcibly terminated.
Utilities such as KillAV were used to assist with disabling EDR, antivirus, and monitoring components.
Persistence and Remote Control:
A modified Rustdesk remote management tool was deployed to maintain persistent access.
The tool was disguised with WinZip branding to appear legitimate and evade detection.
Ransomware Deployment:
Osiris ransomware was executed across selected systems.
Files were encrypted using ECC combined with AES-128-CTR, with unique encryption keys per file.
Encrypted files were renamed with the “.Osiris” extension.
Critical services and applications were stopped to maximize operational disruption.
Ransom Note and Extortion:
A ransom note named Osiris-MESSAGE.txt was dropped on impacted systems.
Victims were notified of both file encryption and prior data exfiltration, with payment demands issued to prevent data disclosure.

Impact
Loss of access to critical systems and data due to widespread file encryption
Unauthorized exfiltration of sensitive or regulated information, increasing compliance and legal exposure
Disruption of business operations caused by service termination and system downtime
Elevated risk of lateral movement and broader enterprise compromise due to credential theft
Financial impact from incident response, recovery efforts, potential extortion payments, and regulatory penalties
Reputational damage and erosion of customer and partner trust
Detection Method
Organizations should monitor for the following indicators and behaviors:
Abnormal outbound data transfers, particularly to cloud storage providers such as Wasabi
Anomalous or unauthorized RDP authentication activity
Execution of credential theft, reconnaissance, or lateral movement tools, including:
kaz.exe (Mimikatz)
nxc.exe (Netexec)
netscan.exe
meshagent.exe, meshagent64-philip.exe, mesh.exe
rclone.exe
Driver load events involving unusual or abused signed drivers, including:
multia.sys
Activity consistent with the Poortry / Abyssworker driver family
Execution of security-disabling utilities such as KillAV
Mass file renaming events involving the “.Osiris” extension
Creation of ransom notes named Osiris-MESSAGE.txt
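The detection items above can be turned into a single triage pass over endpoint telemetry. The following Python is an added example, not tooling from the advisory or its authors: it loads the SHA256 hashes, file names and domains from the IoC table below, then runs constructed process, driver-load, DNS and file events through four checks (hash/name match, IoC or Wasabi domain lookup, ransom-note creation, and a sliding-window count of ".Osiris" renames per host). The event schema, the wasabisys.com suffix, and the rename threshold and window are assumptions chosen for the example and would need mapping onto your own EDR or Sysmon fields.

```python
"""Added example (not from the advisory): a detection pass over constructed
endpoint telemetry, keyed to the indicators listed in the advisory."""
from collections import defaultdict

# Indicators copied from the advisory's IoC table (SHA256, lowercase hex).
IOC_HASHES = {
    "fff586c95b510e6c8c0e032524026ef22297869a86d14075cd601ca8e20d4a16",  # 33.exe
    "fc39cca5d71b1a9ed3c71cca6f1b86cfe03466624ad78cdb57580dba90847851",  # kaz.exe (Mimikatz)
    "44748c22baec61a0a3bd68b5739736fa15c479a3b28c1a0f9324823fc4e3fe34",  # multia.sys
    "8c378f6200eec750ed66bde1e54c29b7bd172e503a5874ca2eead4705dd7b515",  # nxc.exe
    "79bd876918bac1af641be10cfa3bb96b42c30d18ffba842e0eff8301e7659724",  # rclone.exe
    "44e007741f7650d1bd04cca3cd6dfd4f32328c401f95fb2d6d1fafce624cc99e",  # winzip.exe (Rustdesk)
}
# Tool and driver file names from the Detection Method section.
IOC_NAMES = {"kaz.exe", "nxc.exe", "netscan.exe", "meshagent.exe",
             "meshagent64-philip.exe", "mesh.exe", "rclone.exe", "multia.sys"}
IOC_DOMAINS = {"ausare.net", "wesir.net"}
# Assumption: Wasabi S3-compatible endpoints sit under wasabisys.com.
EXFIL_DOMAIN_SUFFIXES = (".wasabisys.com",)
RANSOM_EXT = ".osiris"
RANSOM_NOTE = "osiris-message.txt"
RENAME_THRESHOLD = 50   # .Osiris renames per host within RENAME_WINDOW seconds
RENAME_WINDOW = 60      # both are tuning knobs chosen here, not values from the advisory


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return findings as {host, rule, detail} dicts for a list of event dicts.

    Event shape (constructed for this example, not a real product schema):
      process/driver: {"t", "host", "type", "image", "sha256" (optional)}
      file_rename   : {"t", "host", "type", "target"}
      file_create   : {"t", "host", "type", "target"}
      dns           : {"t", "host", "type", "query"}
    """
    findings = []
    rename_times = defaultdict(list)
    for e in events:
        host, kind = e["host"], e["type"]
        if kind in ("process", "driver"):
            name = _basename(e["image"])
            sha = e.get("sha256", "").lower()
            if sha in IOC_HASHES:
                findings.append({"host": host, "rule": "ioc_hash",
                                 "detail": f"{kind} {name} matches IoC SHA256"})
            elif name in IOC_NAMES:
                # Name-only hit is lower confidence, but a hash miss must not
                # suppress it: rebuilt or repacked tooling keeps the same name.
                findings.append({"host": host, "rule": "ioc_name",
                                 "detail": f"{kind} {name} matches IoC file name"})
        elif kind == "file_rename":
            if e["target"].lower().endswith(RANSOM_EXT):
                rename_times[host].append(e["t"])
        elif kind == "file_create":
            if _basename(e["target"]) == RANSOM_NOTE:
                findings.append({"host": host, "rule": "ransom_note",
                                 "detail": e["target"]})
        elif kind == "dns":
            q = e["query"].lower().rstrip(".")
            if q in IOC_DOMAINS:
                findings.append({"host": host, "rule": "ioc_domain", "detail": q})
            elif q.endswith(EXFIL_DOMAIN_SUFFIXES):
                findings.append({"host": host, "rule": "exfil_domain", "detail": q})
    # Mass-rename rule: sliding window over the sorted rename timestamps per host.
    for host, ts in rename_times.items():
        ts.sort()
        j = 0
        for i, t in enumerate(ts):
            while ts[j] < t - RENAME_WINDOW:
                j += 1
            if i - j + 1 >= RENAME_THRESHOLD:
                findings.append({"host": host, "rule": "mass_rename",
                                 "detail": f"{i - j + 1} .Osiris renames in {RENAME_WINDOW}s"})
                break
    return findings


def sample_events():
    """Constructed telemetry mimicking the advisory's attack chain on two hosts."""
    ev = [
        {"t": 0, "host": "WS-07", "type": "process", "image": r"C:\Users\Public\kaz.exe",
         "sha256": "fc39cca5d71b1a9ed3c71cca6f1b86cfe03466624ad78cdb57580dba90847851"},
        {"t": 5, "host": "WS-07", "type": "process", "image": r"C:\Temp\rclone.exe"},
        {"t": 6, "host": "WS-07", "type": "dns", "query": "s3.wasabisys.com"},
        {"t": 9, "host": "DC-01", "type": "driver", "image": r"C:\Windows\System32\drivers\multia.sys",
         "sha256": "44748C22BAEC61A0A3BD68B5739736FA15C479A3B28C1A0F9324823FC4E3FE34"},
        {"t": 12, "host": "DC-01", "type": "dns", "query": "ausare.net."},
        {"t": 13, "host": "WS-07", "type": "process", "image": r"C:\Windows\notepad.exe"},
        {"t": 14, "host": "WS-07", "type": "dns", "query": "login.microsoftonline.com"},
    ]
    ev += [{"t": 20 + i * 0.5, "host": "WS-07", "type": "file_rename",
            "target": rf"C:\Shares\finance\doc{i}.xlsx.Osiris"} for i in range(60)]
    ev.append({"t": 52, "host": "WS-07", "type": "file_create",
               "target": r"C:\Shares\finance\Osiris-MESSAGE.txt"})
    return ev


if __name__ == "__main__":
    for f in detect(sample_events()):
        print(f"[{f['rule']:12}] {f['host']}: {f['detail']}")
```

Hash lookups are case-folded so a telemetry source that reports uppercase hex still matches, and the rename rule fires once per host rather than once per file so a single encryption run produces one alert instead of thousands. The benign notepad.exe and Microsoft login events in the sample produce no finding.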
Indicators of Compromise
SHA256 Hash | Associated File Name(s) | Notes
--- | --- | ---
fff586c95b510e6c8c0e032524026ef22297869a86d14075cd601ca8e20d4a16 | 33.exe | Initial payload
c74509fcae41fc9f63667dce960d40907f81fae09957bb558d4c3e6a786dde7d | payload.dll | Loader component
fc39cca5d71b1a9ed3c71cca6f1b86cfe03466624ad78cdb57580dba90847851 | kaz.exe | Mimikatz (credential theft)
d78f7d9b0e4e1f9c6b061fb0993c2f84e22c3e6f32d9db75013bcfbba7b64bc3 | meshagent64-philip.exe | MeshAgent RAT
824e16f0664aaf427286283d0e56fdc0e6fa8698330fa13998df8999f2a6bb61 | payload.dll | Secondary payload
231e6bee1ee77d70854c1e3600342d8a69c18442f601cd201e033fa13cb8d5a5 | windows.exe | Masqueraded executable
44748c22baec61a0a3bd68b5739736fa15c479a3b28c1a0f9324823fc4e3fe34 | multia.sys | Malicious driver (Poortry/Abyssworker)
ce719c223484157c7f6e52c71aadaf496d0dad77e40b5fc739ca3c51e9d26277 | chromesetup.exe | Dropper
8c378f6200eec750ed66bde1e54c29b7bd172e503a5874ca2eead4705dd7b515 | nxc.exe | Netexec
79bd876918bac1af641be10cfa3bb96b42c30d18ffba842e0eff8301e7659724 | rclone.exe | Data exfiltration
44e007741f7650d1bd04cca3cd6dfd4f32328c401f95fb2d6d1fafce624cc99e | winzip.exe | Rustdesk disguised as WinZip
5bd82a1b2db1bdc8ff74cacb53823edd8529dd9311a4248a86537a5b792939f8 | netscan.exe | Network discovery
534bd6b99ed0e40ccbefad1656f03cc56dd9cc3f6d990cd7cb87af4cceebe144 | buildx86.exe | Supporting tool
39a0565f0c0adc4dc5b45c67134b3b488ddb9d67b417d32e9588235868316fac | chromesetup.exe | Alternate dropper
c189595c36996bdb7dce6ec28cf6906a00cbb5c5fe182e038bf476d74bed349e | rclone.exe | Exfiltration utility

Type | Indicator
--- | ---
Domain | ausare[.]net
Domain | wesir[.]net

Recommendations
Immediately isolate affected systems to prevent lateral movement and preserve forensic evidence
Restrict or disable unnecessary RDP exposure and enforce multi-factor authentication (MFA) on all remote access services
Apply the latest operating system, driver, and security updates across the environment
Enforce driver block rules, application control policies, and least-privilege access
Monitor authentication, endpoint, and network logs for signs of credential misuse or unauthorized driver loading
Secure, test, and validate offline and immutable backups to ensure reliable restoration capability
Conclusion
Osiris ransomware poses a high-severity threat, characterized by kernel-level defense evasion, pre-encryption data theft, and targeted ransomware deployment. Its use of BYOVD-style techniques and overlap with established ransomware tradecraft highlights a broader shift toward stealthier, more destructive intrusion-led extortion campaigns. We urge organizations to treat this activity as an immediate operational risk and prioritize proactive detection, access-control hardening, and incident-response readiness to minimize potential impact.