New Osiris Ransomware Shows Why Traditional Defenses Are Not Enough

The threat landscape continues to evolve at a rapid pace. A newly discovered ransomware strain called Osiris has emerged as one of the most sophisticated threats discovered in recent months.

According to a detailed report by Cybersecurity News, Osiris was used in a November 2025 attack against a major food service company in Southeast Asia, revealing how cybercriminals are combining advanced techniques with everyday tools to evade detection and cripple defenses.

Unlike older ransomware that relied on crude tactics, Osiris demonstrates the reality of modern ransomware attacks—built with tactics that purposefully evade traditional security tools. This strain is not related to older malware using the same name from 2016, but rather represents a completely new and highly capable threat actor.

Attack Chain Highlights

The Osiris attack combined multiple layers of offensive techniques that make it especially dangerous:

• Living off the Land and Dual-use Tools: Attackers leveraged legitimate Windows utilities alongside dual-use tools like Rclone, Netscan, Netexec, and a modified Rustdesk remote access tool to infiltrate and persist inside the network.
• Data Theft Before Encryption: Sensitive data was exfiltrated using Rclone to Wasabi cloud storage long before the ransomware itself was deployed, showing that data theft is a key component of the attack flow.
• Malicious Driver (BYOVD) to Disable Security: One of the most concerning tactics was the use of a custom malicious driver called Poortry (also known as Abyssworker). This driver enabled what experts call a Bring Your Own Vulnerable Driver (BYOVD) attack, allowing the adversary to disable endpoint defenses by exploiting kernel-level access. In contrast to traditional BYOVD attacks that abuse legitimate but vulnerable drivers, Poortry appears to be custom-built to defeat security tools directly.
• Sophisticated Encryption: Once inside, Osiris used a hybrid encryption scheme combining ECC and AES-128-CTR to encrypt files with a unique encryption key per file, and also disabled backup services and deleted volume snapshots to prevent recovery.

These techniques make Osiris a textbook example of how modern ransomware campaigns blend innovation with stealth. Its ability to use legitimate system tools and sophisticated drivers to evade detection means many traditional antivirus and detection-based solutions may miss early stages of the attack.

Why Detect and Respond is Not Enough

For years, businesses have relied on detect and respond security strategies—systems that try to find malicious activity and then react after the fact. But threats like Osiris show that attackers are already several steps ahead: they infiltrate using tools that look like normal system activity, disable defenses before deploying payloads, and steal data prior to encryption. By the time a detect-and-respond solution triggers an alert, critical damage is already done.

This reactive approach leaves organizations vulnerable for too long. Detection alone often fails against living off the land and dual-use tooling because these techniques hide within legitimate processes that security products are trained to ignore. Even advanced endpoint detection and response (EDR) systems struggle to cope with these blended tactics, particularly BYOVD attacks that disarm the very tools designed to defend systems.

The Case for Isolation and Containment

The Osiris case reinforces a simple truth: businesses must shift to prevention-first strategies that isolate and contain threats before they execute. Endpoint protection solutions that focus on containment, rather than detection alone, dramatically reduce the ability of threats to execute malicious actions in the first place.

This is where AppGuard shines. With a proven 10-year track record defending high-value targets, AppGuard’s unique approach isolates untrusted code and restricts unauthorized actions at the kernel level. It stops malware from executing harmful behavior, even when attackers use legitimate tools or drivers to try and disable defenses. Because AppGuard does not rely on detection signatures or threat intelligence to act, it can contain novel threats like Osiris that slip through traditional defenses.

What Business Leaders Should Do Now

Ransomware like Osiris proves that relying on detect-and-respond strategies leaves a dangerous gap in your security posture. To safeguard your business and prevent catastrophic breach scenarios:

1. Re-evaluate security strategies to prioritize proactive containment over reactive detection.
2. Adopt endpoint protection solutions that isolate untrusted code and restrict abnormal behavior.
3. Deploy AppGuard to ensure threats are contained before they can encrypt data, disable security tools, or exfiltrate sensitive information.

Stop waiting for breaches to occur. Talk with us at CHIPS to learn how AppGuard can protect your business against threats like Osiris by shifting from Detect and Respond to Isolation and Containment. Contact our security experts today to future-proof your defenses.

Like this article? Please share it with others!