Modern ransomware threats continue to evolve faster than many organizations can defend against them.
A recent analysis by Security.com details the emergence of a new ransomware family known as Osiris, seen in a major attack on a food service franchisee in Southeast Asia in November 2025. This incident underscores a larger shift in cyberattack sophistication and highlights a critical weakness in the traditional security strategy of “detect and respond.”
Osiris is not just another piece of malware. Although it shares its name with the ".osiris" variant of Locky from late 2016, analysts confirmed that this is a completely new family with no direct technical connection to the older Locky‑related strains. What makes Osiris notable is how it combines advanced defense‑evasion techniques with modern encryption and data exfiltration tactics.
One of the most dangerous aspects of the Osiris attack was its use of a malicious kernel driver known as POORTRY in a "bring your own vulnerable driver" (BYOVD) attack. Windows will not load unsigned kernel code, so in a BYOVD attack the adversary ships a driver that passes that check anyway: either a legitimately signed driver with an exploitable flaw, or, as with POORTRY, a purpose‑built malicious driver carrying a signature obtained by abusing a code‑signing program. Once loaded, the driver runs in the kernel, where it can terminate or blind user‑mode security agents such as next‑generation antivirus and endpoint detection and response (EDR) sensors, whose self‑protection assumes the kernel is trustworthy. With those defenses neutralized, attackers execute their payloads with far less risk of detection.
In the Osiris campaign, attackers combined POORTRY with living‑off‑the‑land techniques and dual‑use utilities to elevate privileges, disable security software, and move laterally across the target network. Tools commonly used for legitimate IT tasks, such as Rclone and modified remote access software, were subverted to exfiltrate sensitive data and maintain persistence before encryption began. Because each of these tools is signed, sanctioned, or both, none of them is malicious on its own; the signal lies in where they run from, what they are pointed at, and the order in which they appear.
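The following is an added example of detection logic for the two behaviors just described, the loading of an abused kernel driver and the use of a dual‑use tool to push data off‑host. It is not code from the article or from Symantec, and it does not reflect Osiris specifics. It runs over a handful of constructed Sysmon‑style events (Event ID 6 driver loads, Event ID 1 process creations) and a Windows System log Event ID 7045 service install; the driver hash in the blocklist and every path and command line are placeholders built for this example. In practice the blocklist would be populated from Microsoft's vulnerable driver blocklist or a similar curated source.

```python
"""Detection rules for BYOVD driver loads and dual-use exfiltration tooling.

Added example, not code from the article.  All events, hashes and paths are
constructed for illustration; the blocklist holds one placeholder entry.
"""
import re
from dataclasses import dataclass

# Constructed placeholder.  Populate from Microsoft's vulnerable driver
# blocklist (or similar) keyed by the SHA256 of the driver file.
KNOWN_BAD_DRIVER_SHA256 = {
    "0" * 64: "constructed placeholder: abused signed driver",
}

# Directories an attacker can write to without touching the driver store.
USER_WRITABLE = re.compile(r"\\(users|temp|programdata|perflogs)\\", re.IGNORECASE)

# Dual-use tools: legitimate on their own, interesting when copying to a remote.
DUAL_USE_EXFIL_TOOLS = {"rclone.exe", "megasync.exe", "winscp.exe"}
TRANSFER_VERB = re.compile(r"\b(copy|sync|move)\b", re.IGNORECASE)
REMOTE_TARGET = re.compile(r"(?:^|\s)[\w-]{2,}:")  # e.g. "remote:bucket", not "C:"


@dataclass
class Alert:
    rule: str
    event_id: int
    detail: str


def sha256_of(hashes_field: str):
    """Extract SHA256 from a Sysmon Hashes field like 'SHA1=..,SHA256=..'."""
    for part in hashes_field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def check_driver_load(ev):  # Sysmon Event ID 6 (DriverLoad)
    alerts = []
    image = ev["ImageLoaded"]
    digest = sha256_of(ev.get("Hashes", ""))
    if digest in KNOWN_BAD_DRIVER_SHA256:
        alerts.append(Alert("byovd_known_driver", 6,
                            f"{image}: {KNOWN_BAD_DRIVER_SHA256[digest]}"))
    if USER_WRITABLE.search(image):
        alerts.append(Alert("driver_from_user_writable_path", 6, image))
    # A valid signature is not a clean bill of health (the BYOVD point), but an
    # invalid or revoked one on a kernel driver is always worth a look.
    if ev.get("SignatureStatus", "").lower() != "valid":
        alerts.append(Alert("driver_signature_not_valid", 6,
                            f"{image}: {ev.get('SignatureStatus')}"))
    return alerts


def check_service_install(ev):  # System log Event ID 7045
    if "kernel" not in ev.get("ServiceType", "").lower():
        return []
    path = ev["ImagePath"].lower()
    if "system32\\drivers\\" not in path or USER_WRITABLE.search(path):
        return [Alert("kernel_driver_service_nonstandard_path", 7045, ev["ImagePath"])]
    return []


def check_process_create(ev):  # Sysmon Event ID 1 (ProcessCreate)
    exe = ev["Image"].rsplit("\\", 1)[-1].lower()
    cmd = ev.get("CommandLine", "")
    if exe in DUAL_USE_EXFIL_TOOLS and TRANSFER_VERB.search(cmd) and REMOTE_TARGET.search(cmd):
        return [Alert("dual_use_exfil_tool", 1, cmd)]
    return []


RULES = {6: check_driver_load, 7045: check_service_install, 1: check_process_create}


def analyze(events):
    """Run every rule over a list of event dicts and return the alerts raised."""
    alerts = []
    for ev in events:
        alerts.extend(RULES.get(ev["EventID"], lambda _: [])(ev))
    return alerts


# Constructed sample events; the first three model the tradecraft in the text.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\drv.sys", "Hashes": "SHA256=" + "0" * 64,
     "Signed": "true", "Signature": "Constructed Publisher", "SignatureStatus": "Valid"},
    {"EventID": 7045, "ServiceName": "drvsvc", "ServiceType": "kernel mode driver",
     "ImagePath": r"\??\C:\Users\Public\drv.sys"},
    {"EventID": 1, "Image": r"C:\ProgramData\rclone.exe",
     "CommandLine": r"rclone.exe copy C:\Shares\Finance remote:dump --transfers 8"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Hashes": "SHA256=" + "1" * 64, "Signed": "true", "Signature": "Microsoft Windows",
     "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.rule}] event {a.event_id}: {a.detail}")
```

Note what the first sample event does not trigger: its signature status is "Valid", so a rule keyed only on signature checks would stay silent. That is exactly the gap BYOVD exploits, and it is why these rules are after-the-fact evidence at best. The preventive counterparts are Microsoft's vulnerable driver blocklist, HVCI, and a WDAC policy that refuses the load outright, which is the containment argument the rest of this post makes.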
What this means is simple: by the time traditional security measures raise alerts, attackers may already have bypassed protections, stolen data, and begun encrypting systems. This behavior fundamentally challenges the assumption that detection followed by response is sufficient to stop a determined adversary.
Once inside a victim environment, Osiris has a variety of disruptive capabilities:
Combined with pre‑encryption data theft, this is a double‑extortion playbook—encrypt your data and threaten to leak it publicly if demands are not met.
Traditional security tools—EDR, antivirus, SIEM, and SOC‑based detection systems—are built around detecting suspicious activity, generating alerts, and then enabling a response by security teams. This model assumes defenders will see malicious actions in time and intervene before significant damage occurs. But modern ransomware campaigns like Osiris undermine that assumption:
The result is that many threats are already past critical defenses before detection ever happens. This reality calls for a new approach, one that does not simply wait to detect malicious activity but actively isolates and contains potential threats so that they cannot execute at all.
That’s where solutions like AppGuard come into play. Instead of relying solely on detection and manual response, AppGuard uses proven isolation and containment technology to block unauthorized code paths, prevent privilege escalation, and stop ransomware actions at the source. With a ten‑year track record of preventing zero‑day and advanced threats in highly targeted environments, AppGuard shifts the mentality from reactive to proactive defense.
Rather than hoping your EDR tool will alert you before an attacker disables it, AppGuard ensures critical assets and processes stay protected even when threats attempt to bypass security controls. This capability is especially important when facing modern threats that use kernel exploits, living‑off‑the‑land binaries, and defense‑impairment tactics like those seen in the Osiris campaign.
Ransomware is evolving. Attacks are becoming more sophisticated, damaging, and harder to detect in time to prevent impact. Relying on detection and response alone leaves your business vulnerable to threats designed specifically to evade those defenses.
If you want to protect your organization from incidents like the Osiris ransomware attack, it is time to adopt a security posture that emphasizes isolation and containment, not just detection.
Talk with us at CHIPS about how AppGuard can stop threats before they execute and help your business move beyond outdated detect and respond models. Schedule a consultation today and safeguard your business against the next generation of ransomware.