
Osiris Ransomware Leverages POORTRY Driver in Novel BYOVD Attack


These articles are AI-generated summaries. Please check the original sources for full details.

Osiris Emerges as a New Ransomware Strain Using the POORTRY Driver in a BYOVD Attack

A new ransomware family, Osiris, was observed in a targeted attack against a food service franchisee in Southeast Asia in November 2025. The attack distinguished itself by deploying a custom driver, POORTRY, in a Bring Your Own Vulnerable Driver (BYOVD) attack that effectively disabled security software.

Why This Matters

Current endpoint detection and response (EDR) solutions often rely on known signatures and behavioral patterns; BYOVD attacks bypass these defenses by abusing the trust placed in signed drivers. This lets attackers disable security tools at the kernel level, rendering traditional protections ineffective and significantly increasing the potential scope of data compromise and financial loss, with ransomware incidents averaging $1.85 million in total cost in 2023 according to Sophos.

Key Insights

  • BYOVD Attacks Increasing: The use of BYOVD techniques is on the rise, with Akira ransomware also exploiting vulnerable drivers in 2025.
  • Rust-Based Malware: Osiris is written in Rust, indicating a trend towards memory-safe languages for malware development.
  • INC Ransomware Link: Evidence suggests potential ties between the Osiris attackers and the INC ransomware group, based on shared tools and infrastructure.

Practical Applications

  • Use Case: Food service companies are increasingly targeted due to valuable customer data and potential for operational disruption.
  • Pitfall: Relying solely on signature-based detection is insufficient against advanced threats like Osiris, which utilize custom drivers and living-off-the-land techniques.
