New 'Osiris' Ransomware Borrows TTPs from Medusa and Inc Gangs, Uses Signed Driver to Kill AV

Osiris Ransomware Emerges with Advanced TTPs, Including Custom-Signed Driver for Defense Evasion

Severity: HIGH
January 23, 2026
Categories: Ransomware, Malware, Threat Actor

Related Entities

Threat Actors: Inc
Organizations: (none listed)
Products & Tech: Rclone, Rustdesk
Other: Osiris, Medusa, Abyssworker, Poortry, Stonestop, Mimikatz, Wasabi

Full Report

Executive Summary

A new ransomware operation, dubbed Osiris, has been observed using a blend of tactics, techniques, and procedures (TTPs) borrowed from other prominent ransomware groups, which suggests experienced operators and possibly an offshoot or evolution of an existing gang. Security researchers have identified tactical overlaps with the Medusa and Inc ransomware families. Key indicators include the use of Rclone to exfiltrate data to Wasabi cloud storage (a hallmark of Inc) and the deployment of a custom-signed malicious driver known as Abyssworker/Poortry to disable endpoint security products (a known Medusa TTP). Because the driver carries a valid signature, Windows loads it like any legitimate driver; the technique is commonly grouped with Bring-Your-Own-Vulnerable-Driver (BYOVD) attacks even though the driver is attacker-built rather than a vulnerable legitimate one. With endpoint defenses blinded, the ransomware executes unimpeded, illustrating the growing sophistication and shared tooling within the ransomware ecosystem.


Threat Overview

The Osiris attack chain demonstrates a methodical and multi-faceted approach to compromise, combining data theft, defense evasion, and encryption.

  1. Initial Access: The report does not identify the initial access vector; operations of this kind typically gain entry through phishing, exploitation of public-facing applications, or compromised credentials.
  2. Reconnaissance & Credential Access: Once inside, the attackers use tools such as Netscan and NetExec for network discovery. They deploy a renamed Mimikatz build saved as kaz.exe to dump credentials; that file name was previously associated with Inc ransomware intrusions.
  3. Data Exfiltration: Before encryption, the attackers steal sensitive data using the legitimate Rclone tool to upload it to an attacker-controlled Wasabi cloud storage bucket. This is a double-extortion tactic.
  4. Defense Evasion: This is the most notable stage. The attackers use a loader called Stonestop to install a malicious, custom-signed driver named Abyssworker (or Poortry). This driver operates with kernel-level privileges to forcefully terminate security processes (e.g., EDR, antivirus), blinding the organization's defenses.
  5. Remote Access & Encryption: A customized version of the Rustdesk remote management tool is deployed for persistent access. Finally, the Osiris ransomware payload is executed to encrypt files across the network.

Technical Analysis

The Osiris operation is a prime example of threat actor convergence, where successful TTPs are shared and reused.

  • Signed Malicious Driver: The use of the Abyssworker/Poortry driver is the most significant element of the chain. Unlike a classic BYOVD attack, which abuses a legitimate but vulnerable signed driver, this driver appears to be attacker-developed and carries a valid code signature, most likely obtained through a stolen or fraudulently issued certificate (Poortry has been signed with abused certificates since at least 2022, including attestation signatures that Microsoft later revoked). A validly signed driver does not need to bypass Driver Signature Enforcement: Windows loads it exactly as it would a legitimate driver, after which it runs with kernel-level access. Signature state alone is therefore not a usable trust signal against it. This technique is a direct link to the Medusa ransomware gang's operations from 2024-2025.
  • Tool Overlap: The use of Rclone for exfiltration and the specific kaz.exe filename for Mimikatz create a strong link to the Inc ransomware group's playbook from October 2025.
  • Dual-Use Tooling: The attackers mix custom malware with legitimate third-party tools (Rclone, Rustdesk, Netscan) to blend in with normal administrative activity and complicate detection. These are not built-in "living off the land" binaries, but they are signed, widely deployed by administrators, and rarely blocked or alerted on by default, which gives the same evasion benefit.


Impact Assessment

An attack by the Osiris group can be devastating, resulting in:

  • Operational Disruption: Encryption of critical files and systems can halt business operations until affected systems are restored or rebuilt.
  • Data Breach: Exfiltration of sensitive data exposes the organization to regulatory fines, legal action, and reputational damage.
  • Double Extortion: Victims are pressured to pay a ransom to both decrypt their files and prevent the public release of their stolen data.
  • High Recovery Costs: The use of a kernel-mode driver to disable security tools can make detection and eradication more complex, increasing incident response costs.

IOCs

Type        Value                  Description
file_name   kaz.exe                Filename used for the Mimikatz credential dumping tool.
malware     Abyssworker / Poortry  Name of the malicious kernel driver used to disable security tools.
tool        Rclone                 Legitimate tool used for data exfiltration to cloud storage.

The report provides no hashes, domains, IP addresses or certificate details, so these are names to hunt on rather than atomic indicators; the Rclone and Abyssworker entries in particular will also match legitimate or unrelated activity and need the behavioral context below.

Detection & Response

  1. Driver Load Monitoring: Log every kernel driver load (Sysmon Event ID 6 DriverLoad; System log Event ID 7045 for newly installed kernel-mode services) and treat a first-seen driver, or one loaded from outside %SystemRoot%\System32\drivers, as suspicious regardless of signature state: Abyssworker/Poortry carries a valid signature, so a rule keyed on "unsigned" will miss it. Enable the Defender Attack Surface Reduction rule "Block abuse of exploited vulnerable signed drivers" (GUID 56a863a9-875e-4185-98a7-b882c64b5ce5) and the Microsoft vulnerable driver blocklist, and alert on the Code Integrity events they emit when a driver is refused. This aligns with D3FEND's Driver Load Integrity Checking (D3-DLIC).
  2. Behavioral Monitoring: EDR tamper-protection and self-defense alerts on attempts to terminate security processes should be treated as high-fidelity, since killing those processes is the Poortry driver's primary function. Because the termination happens in kernel mode, the sensor may be stopped before it can report, so also alert from the management console on sensor heartbeat loss and on the user-mode loader (Stonestop) that installs the driver.
  3. Egress Traffic Analysis (D3-NTA): Monitor for large uploads to cloud storage providers the business does not use, such as Wasabi (S3 endpoints s3.wasabisys.com and s3.<region>.wasabisys.com), especially from servers that do not normally upload data. Rclone's default User-Agent is "rclone/v<version>"; it is a useful signal but the attacker can override it with --user-agent, so pair it with per-host upload-volume baselines.
  4. Credential Dumping Protection: Enable Credential Guard so that derived credentials (NTLM hashes, Kerberos tickets) are isolated from LSASS memory, and enable LSA Protection (RunAsPPL) so that non-protected processes cannot open LSASS at all. Alert on Sysmon Event ID 10 (ProcessAccess) handles to lsass.exe from non-system images; this catches Mimikatz under any filename, not just kaz.exe.
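To make the four detection points above concrete, here is an added example (not code from the original report) that runs the corresponding rules over constructed telemetry. The records are modelled on Sysmon Event ID 6 (DriverLoad) and Event ID 1 (ProcessCreate) plus a generic web-proxy log; the field layout, the placeholder hashes, the driver baseline and the 500 MiB byte threshold are assumptions for the demo. The driver rule deliberately does not treat a valid signature as exculpatory, which is the point the Abyssworker/Poortry case makes.

```python
"""Triage rules for the Osiris chain: kernel driver loads, renamed Mimikatz,
and Rclone egress to Wasabi. Added example, not code from the original report.
Records are constructed inline and modelled on Sysmon Event ID 6 (DriverLoad),
Event ID 1 (ProcessCreate) and a generic web-proxy log; field layout, hashes,
baseline and byte threshold are assumptions for the demo."""
import re
from typing import Dict, List

DRIVER_DIR = "c:\\windows\\system32\\drivers\\"  # where legitimate drivers live
GOOD_HASH = "a" * 64  # constructed placeholder: a baselined driver
BAD_HASH = "b" * 64   # constructed placeholder: a blocklisted driver
# Populate from the Microsoft vulnerable driver blocklist and EDR intel.
DRIVER_HASH_BLOCKLIST = {BAD_HASH}
# (path, sha256) pairs previously observed on healthy hosts (constructed).
DRIVER_BASELINE = {(DRIVER_DIR + "tcpip.sys", GOOD_HASH)}

# Rclone's default User-Agent is "rclone/v<version>" (overridable via --user-agent).
RCLONE_UA = re.compile(r"^rclone/v\d", re.I)
WASABI_SUFFIX = "wasabisys.com"          # s3.wasabisys.com, s3.<region>.wasabisys.com
EGRESS_BYTES_THRESHOLD = 500 * 1024**2   # assumption: 500 MiB in one record is "large"
# Constructed proxy layout: <ts> <src> <host> <bytes_out> "<user-agent>"
PROXY_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<bytes>\d+) "(?P<ua>[^"]*)"$')

def parse_hashes(field: str) -> Dict[str, str]:
    """Split Sysmon's 'ALG=hex,ALG=hex' Hashes field into {ALG: hex}."""
    out = {}
    for part in field.split(","):
        alg, _, val = part.partition("=")
        if val:
            out[alg.strip().upper()] = val.strip().lower()
    return out

def driver_load_reasons(ev: Dict[str, str]) -> List[str]:
    """Sysmon Event ID 6. A valid signature is NOT exculpatory (Poortry loads
    with Signed=true), so key on path, hash and first-seen status as well."""
    path = ev["ImageLoaded"].lower()
    sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256", "")
    reasons = []
    if ev.get("Signed", "false").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    if not path.startswith(DRIVER_DIR):
        reasons.append("loaded from outside System32\\drivers")
    if sha256 in DRIVER_HASH_BLOCKLIST:
        reasons.append("hash on driver blocklist")
    if (path, sha256) not in DRIVER_BASELINE:
        reasons.append("first-seen driver on this estate")
    return reasons

def credential_tool_reasons(ev: Dict[str, str]) -> List[str]:
    """Sysmon Event ID 1. Catches the kaz.exe name from the report and, more
    robustly, a renamed Mimikatz via the PE's OriginalFileName resource."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    original = ev.get("OriginalFileName", "").lower()
    reasons = []
    if image == "kaz.exe":
        reasons.append("kaz.exe filename (Inc/Osiris Mimikatz naming)")
    if original == "mimikatz.exe" and image != original:
        reasons.append(f"renamed binary: OriginalFileName={original} running as {image}")
    return reasons

def egress_reasons(line: str) -> List[str]:
    """Web-proxy record. Flags Rclone's UA, Wasabi endpoints and bulk uploads."""
    m = PROXY_RE.match(line)
    if not m:
        return []
    reasons = []
    if RCLONE_UA.search(m["ua"]):
        reasons.append("Rclone user agent")
    if m["host"].lower().endswith(WASABI_SUFFIX):
        reasons.append("Wasabi S3 endpoint")
    if int(m["bytes"]) > EGRESS_BYTES_THRESHOLD:
        reasons.append(f"{int(m['bytes']) // 1024**2} MiB uploaded in one record")
    return reasons

# Constructed sample telemetry: one benign and one suspicious record per source.
SAMPLE_DRIVER_LOADS = [
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Hashes": f"SHA256={GOOD_HASH}",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Users\\Public\\drv.sys", "Hashes": f"SHA256={BAD_HASH}",  # validly signed
     "Signed": "true", "Signature": "Example Signer Ltd", "SignatureStatus": "Valid"},
]
SAMPLE_PROCESS_CREATES = [
    {"Image": "C:\\Windows\\System32\\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"Image": "C:\\ProgramData\\kaz.exe", "OriginalFileName": "mimikatz.exe"},
]
SAMPLE_PROXY_LINES = [
    '2026-01-20T02:14:07Z 10.0.5.21 s3.us-east-1.wasabisys.com 734003200 "rclone/v1.65.0"',
    '2026-01-20T02:15:00Z 10.0.5.40 www.microsoft.com 4096 "Mozilla/5.0"',
]

def triage(driver_loads, process_creates, proxy_lines) -> List[str]:
    """Run every rule and return one alert string per offending record."""
    checks = [("DRIVER", driver_loads, driver_load_reasons, lambda e: e["ImageLoaded"]),
              ("PROCESS", process_creates, credential_tool_reasons, lambda e: e["Image"]),
              ("EGRESS", proxy_lines, egress_reasons, lambda l: l.split()[1])]
    return [f"{kind} {label(rec)}: " + "; ".join(r)
            for kind, records, rule, label in checks
            for rec in records if (r := rule(rec))]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_DRIVER_LOADS, SAMPLE_PROCESS_CREATES, SAMPLE_PROXY_LINES)))
```

Run as-is, the script emits three alerts: the driver dropped under C:\Users\Public (outside the drivers directory, hash on the blocklist, never seen before, yet with a valid signature), the kaz.exe process whose PE still declares itself mimikatz.exe, and the 700 MiB Rclone upload to a Wasabi endpoint. Each rule returns its reasons separately so severity and suppression can be decided downstream rather than hard-coded here.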

Mitigation

  1. Application Control (M1038 - Execution Prevention): Implement application allow-listing to prevent the execution of unauthorized tools like Rclone, Netscan, and custom versions of Rustdesk.
  2. Driver Block Rules (M1042 - Disable or Remove Feature or Program): Proactively block known vulnerable or malicious drivers with the Microsoft vulnerable driver blocklist (enforced through memory integrity/HVCI or a WDAC policy), the Defender ASR rule for exploited vulnerable signed drivers, and EDR blocklists. Because Abyssworker is a custom-signed driver rather than a known vulnerable one, the blocklist must cover file hashes and the abused code-signing certificates, not just the published list of vulnerable legitimate drivers, and it must be kept current.
  3. Privileged Account Management (M1026 - Privileged Account Management): Restrict administrative privileges and segment accounts to limit an attacker's ability to deploy drivers or run credential dumping tools.
  4. Backup and Recovery: Maintain offline and immutable backups of critical data to ensure recovery is possible without paying a ransom. Test recovery procedures regularly.

Timeline of Events

January 23, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Implement strict driver signature enforcement and maintain a blocklist of known malicious or vulnerable code-signing certificates. Because the Abyssworker driver is validly signed, enforcement alone will not stop it; the certificate and hash blocklist is the control that does the work.
  • Use application allow-listing to prevent unauthorized dual-use tools like Rclone and Netscan from running.
  • Deploy EDR solutions capable of detecting and blocking attempts to terminate security processes, a key behavior of the Poortry driver.
  • Block egress traffic to unusual cloud storage providers like Wasabi from endpoints and servers that have no business reason to connect to them.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis; Security Orchestration (SOAR/XSOAR); Incident Response & Digital Forensics; Security Operations Center (SOC); SIEM & Security Analytics; Cyber Fusion & Threat Sharing; Security Automation & Integration; Managed Detection & Response (MDR)

Tags: Ransomware, BYOVD, Kernel Driver, Defense Evasion, Double Extortion, Medusa, Inc
