Osiris Ransomware New Strain
BLUF
A new, sophisticated ransomware family, Osiris, has been detected targeting a major Southeast Asian conglomerate, utilizing the "Poortry" driver to disable security software.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by the Osiris ransomware strain leveraging defense-disabling drivers and double extortion tactics:
· Low-end total cost: $2.5M – $5.0M
o (limited spread, rapid containment, minimal sensitive data exposure)
· Typical expected range: $5.0M – $15M
o (multi-system encryption, moderate downtime, confirmed data exfiltration)
· Upper-bound realistic scenarios: $15M – $35M
o (enterprise-wide disruption, prolonged recovery, regulatory and legal escalation)
Key Cost Drivers
· Duration of operational downtime affecting revenue-generating systems
· Scope of encrypted endpoints and shared infrastructure requiring rebuild
· Volume and sensitivity of data exfiltrated prior to encryption
· Backup integrity and speed of restoration
· Insurance coverage limits, exclusions, and post-incident premium impacts
Targeted Sectors
· Manufacturing
· Conglomerates
Affected Countries
· Southeast Asia
Date First Reported
· January 22, 2026
Date Last Updated
· January 22, 2026
CVE & CVSS
· Not applicable at this time.
Nessus ID
· Not applicable at this time.
Is this on the KEV List
· Not applicable at this time.
Mitigation
· Update EDR signatures and confirm the agent's anti-tamper protection is enabled, since this strain loads a driver specifically to disable security software.
· Enforce a driver blocklist (for example Microsoft's vulnerable driver block rules via WDAC or HVCI) and add the Poortry driver to it.
APT Names
· This is not associated with APT groups at this time
Criminal Organization Names
· Potentially linked to Inc ransomware group
IOCs
Host-Based Indicators & Behavior
Persistence
Manipulates how targeted executables are launched by adding entries under
· HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
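The IFEO key above is worth sweeping on every host in scope rather than only on the patient zero. The script below is an added example (not from the report or the authors' tooling) that parses a .reg export of that key and flags subkeys carrying a Debugger value, the IFEO value that makes Windows launch the named "debugger" whenever the target image starts. The export format is real; SAMPLE_EXPORT is constructed, and BENIGN_DEBUGGERS is an assumed allowlist to tune per estate.

```python
r"""Hunt for Image File Execution Options (IFEO) persistence in a .reg export.

Added example, not part of the original report. Input is the text written by
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
(the export format is real; SAMPLE_EXPORT below is constructed). Every IFEO
subkey with a Debugger value is reported unless the debugger executable is
on BENIGN_DEBUGGERS (an assumed allowlist; tune it per estate).
"""
import re
import shlex
from typing import Dict, List, Tuple

IFEO_PREFIX = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    "\\Image File Execution Options\\"
)
BENIGN_DEBUGGERS = {"vsjitdebugger.exe", "procdump.exe"}  # assumption: tune per estate

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
_UNESCAPE_RE = re.compile(r'\\(["\\])')  # regedit writes \ as \\ and " as \"


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for a REGEDIT5-style export.
    REG_SZ data is unescaped; other types (dword:, hex:) are kept verbatim."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _UNESCAPE_RE.sub(r"\1", data[1:-1])
            keys[current][name] = data
    return keys


def find_ifeo_hijacks(text: str) -> List[Tuple[str, str]]:
    """Return (target_image, debugger_command) for each IFEO subkey whose
    Debugger value points at an executable outside the allowlist."""
    hits: List[Tuple[str, str]] = []
    for key, values in parse_reg_export(text).items():
        if not key.startswith(IFEO_PREFIX) or "Debugger" not in values:
            continue
        target = key[len(IFEO_PREFIX):]
        debugger = values["Debugger"]
        # First token of the command (quotes kept by non-POSIX split), then the bare file name.
        tokens = shlex.split(debugger, posix=False)
        exe = tokens[0].strip('"').rsplit("\\", 1)[-1].lower() if tokens else ""
        if exe not in BENIGN_DEBUGGERS:
            hits.append((target, debugger))
    return hits


# Constructed sample: a classic accessibility-binary hijack, a hijack aimed at a
# security agent's image, a legitimate JIT debugger, and an unrelated IFEO key.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
"Debugger"="C:\\ProgramData\\svc\\updater.exe"
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Microsoft Visual Studio\\vsjitdebugger.exe\" -p %ld -e %ld"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"UseFilter"=dword:00000001
"""

if __name__ == "__main__":
    for target, debugger in find_ifeo_hijacks(SAMPLE_EXPORT):
        print(f"IFEO hijack: {target} -> {debugger}")
```

A real `reg export` file is UTF-16LE with a BOM, so read it with `open(path, encoding="utf-16")` before passing the text in. Collecting the exports centrally and diffing them against a known-good baseline catches the entry even when the debugger path looks innocuous.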
File Encryption
· Appends the .osiris extension to targeted files.
Shadow Copy Deletion
· Like many modern variants, it attempts to delete volume shadow copies to prevent local recovery.
Tools used in campaign
· Poortry driver
o Malicious kernel driver loaded to disable security software (see Defense Evasion below).
· Living-off-the-land techniques
o Legitimate Windows components such as rundll32.exe (see Behavior Analysis).
TTPs
Initial Access
· T1566 Phishing
o Often uses phishing emails with malicious attachments or links to compromise the initial system.
· T1078 Valid Accounts
o Use of compromised or misused valid accounts, typically visible as anomalous logon patterns across endpoints.
Execution
· T1059 Command and Scripting Interpreter
o Use of PowerShell to execute commands, often with hidden or encoded command lines.
· T1204 User Execution
o Social engineering lures, such as fake IT support calls, to persuade victims to run malicious applications.
Persistence & Privilege Escalation
· T1053 Scheduled Task/Job
o Leveraging the Windows Task Scheduler to deploy ransomware payloads and establish persistence.
· T1047 Windows Management Instrumentation
o Use of WMI to execute binaries or monitor target processes.
Defense Evasion
· T1562 Impair Defenses
o Actively disabling security measures, such as removing antivirus software, upon successful infiltration.
· T1027 Obfuscated Files or Information
o Packed or encrypted (high-entropy) payloads and obfuscated strings that hide malicious content from signature-based security tools.
Credential Access
· T1003 OS Credential Dumping
o Use of tools like Mimikatz to extract login credentials from compromised systems.
Exfiltration & Impact
· T1486 Data Encrypted for Impact
o Recursive encryption of user and system directories to disrupt availability.
· T1020 Automated Exfiltration
o Supports "double extortion": data is stolen before encryption and threatened with publication on a Tor-hosted leak site if the ransom is not paid.
· T1490 Inhibit System Recovery
o Deletion of shadow copies or tampering with the registry to prevent data restoration.
Malware Name
Osiris Ransomware
Malware sample
sha256
27d90611f005db3a25a4211cf8f69fb46097c6c374905d7207b30e87d296e1b3
Malware Family
Linked by name and the .osiris extension to the Osiris variant of the Locky ransomware family (2016); the current strain is tracked as a new family rather than a confirmed Locky build (see BLUF and Known Decoding Key).
Known Decoding Key
· No public decryption key is available for modern Osiris variants as of early 2026.
o Historical Locky-Osiris variants also lacked a universal free decryptor due to strong RSA-2048 and AES-128 encryption.
Verdict
· Malicious
o It is categorized as advanced crypto-ransomware capable of data exfiltration and double extortion.
Primary Objectives
· Financial Gain
o Demanding ransom payments in cryptocurrency (e.g., Bitcoin) for data decryption.
· Data Exfiltration
o Stealing sensitive corporate data to use as leverage in double extortion (threatening to leak data if payment is not made).
· Disruption
o Impairing business operations by encrypting critical files and backups.
Behavior Analysis
Initial Access
· Delivered via targeted phishing, exploitation of exposed remote-access services (e.g., RDP, VPN appliances), or access bought from initial access brokers.
Evasion
· Uses "Living-off-the-Land" (LotL) tactics, such as running payloads through legitimate Windows components (e.g., rundll32.exe), alongside malicious kernel drivers like Poortry to disable security software.
Encryption
· Scans local and network drives, encrypting a wide range of file types and appending the .osiris extension.
Backup Sabotage
· Actively targets and deletes Volume Shadow Copies (VSS) to prevent easy recovery.
Persistence
· Establishes persistence via registry modifications or scheduled tasks.
Suggested Rules / potential hunts
As a reminder, these are indicator rules. They are likely to be noisy.
For best results consider creating a data model and reviewing the traffic as a report.
Suricata
Identify Exfiltration to Wasabi/Cloud Storage: Osiris has been observed exfiltrating data to Wasabi cloud storage. A host match only sees cleartext HTTP, and bulk upload to Wasabi is TLS, so pair it with a TLS SNI rule (Suricata 5+ syntax; SIDs are local placeholders).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Osiris Ransomware Potential Data Exfil to Wasabi (HTTP)"; flow:established,to_server; http.host; content:".wasabisys.com"; endswith; classtype:policy-violation; sid:2026001; rev:2;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"Osiris Ransomware Potential Data Exfil to Wasabi (TLS SNI)"; flow:established,to_server; tls.sni; content:".wasabisys.com"; endswith; nocase; classtype:policy-violation; sid:2026003; rev:1;)
Detect C2 Communication via OAuth/Connected Apps: Newer variants leverage malicious Salesforce apps to gain lateral access. A cleartext "://login.salesforce.com" string never appears inside TLS on port 443, so match the SNI instead. Expect this to fire on every legitimate Salesforce login; treat it as a baseline for correlation and hunt the OAuth grants themselves in Salesforce Login History and the Connected Apps OAuth usage report.
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"Osiris Ransomware Potential Salesforce OAuth Hijack Activity"; flow:established,to_server; tls.sni; content:"login.salesforce.com"; endswith; nocase; classtype:policy-violation; sid:2026002; rev:2;)
SentinelOne
The queries below use the report's field-name shorthand; map them to the fields of your SentinelOne query language (Deep Visibility or PowerQuery).
Detect Malicious Driver Loading (Poortry): Osiris uses the Poortry driver to disable security software. Malicious drivers are routinely renamed, so treat a name match as a weak indicator and pair it with hash or signer checks.
(Process.Name = "System" AND Module.Name contains "Poortry") OR File.Name = "Poortry.sys"
Shadow Copy Deletion (a command-line match, not a registry one: vssadmin runs as a process)
Command.Line contains "vssadmin" AND Command.Line contains "delete shadows"
Process Termination of Security Agents: Identify attempts to kill AV/EDR processes.
Indicator.Name = "KillSecurityProcess" AND Target.Process.Name contains "SentinelAgent"
Splunk
Hunt for Large-Scale File Extension Changes: Detect the appending of the Osiris extension. The extension is lower-case ".osiris"; a `where` comparison is case-sensitive, so filter in the base search instead, and count per time window because a burst is only meaningful against a clock.
index=logs sourcetype=filesystem_monitor file_extension=".osiris"
| bin _time span=5m
| stats count by _time, dest
| where count > 50
Detect Volume Shadow Copy Deletion (via Event Code 4688). Event 4688 only carries CommandLine when "Include command line in process creation events" is enabled in audit policy; the second clause covers the wmic form of the same technique.
index=windows_logs EventCode=4688 ((CommandLine="*vssadmin*" CommandLine="*delete*" CommandLine="*shadows*") OR (CommandLine="*wmic*" CommandLine="*shadowcopy*" CommandLine="*delete*"))
| table _time, host, CommandLine
Identify spikes in egress traffic to cloud providers like Wasabi. The threshold is 100 MB per source per hour; Wasabi is the observed destination, and the amazonaws.com term broadens the hunt to S3, so it will need a baseline.
index=network_logs (dest_host="*.wasabisys.com" OR dest_host="*.amazonaws.com")
| bin _time span=1h
| stats sum(bytes_out) as total_egress by _time, src_ip, dest_host
| where total_egress > 100000000
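The shadow-copy and mass-rename hunts above are the two worth testing before they are ported into a SIEM, because their matching logic (argument order, case, time window) is where real detections quietly fail. The script below is an added example, not the report's or any vendor's code, that implements both as plain Python over constructed events. SAMPLE_EVENTS and its field names (type, host, time, cmdline, action, path) are assumptions standing in for whatever your EDR or file monitor emits. It generalises the shadow-copy hunt beyond vssadmin to the wmic and PowerShell forms, and it replaces the fixed count with a sliding window.

```python
"""Run the report's shadow-copy and mass-rename hunts as plain Python.

Added example, not part of the original report. SAMPLE_EVENTS and the field
names are assumptions. Two detections: shadow-copy removal (case-insensitive,
argument-order independent, covering vssadmin, wmic and PowerShell forms) and
a burst of .osiris renames on one host inside a sliding time window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

RANSOM_EXT = ".osiris"

# (label, regex over the full command line); the report's hunt matches vssadmin only.
SHADOW_DELETE_PATTERNS = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell Win32_ShadowCopy removal",
     re.compile(r"win32_shadowcopy.*\b(delete|remove-wmiobject|remove-ciminstance)\b", re.I)),
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def shadow_copy_deletions(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, pattern_label, cmdline) for each process event that removes VSS snapshots."""
    hits: List[Tuple[str, str, str]] = []
    for ev in events:
        if ev.get("type") != "process":
            continue
        cmd = ev.get("cmdline", "")
        for label, pat in SHADOW_DELETE_PATTERNS:
            if pat.search(cmd):
                hits.append((ev["host"], label, cmd))
                break
    return hits


def rename_bursts(events: List[Dict[str, str]], window: timedelta = timedelta(minutes=5),
                  threshold: int = 50) -> Dict[str, int]:
    """Return {host: peak_count} for hosts where more than `threshold` files gained
    RANSOM_EXT within any span of length `window`. The window slides, so a burst
    straddling a fixed 5-minute bucket boundary is still caught."""
    per_host: Dict[str, List[datetime]] = defaultdict(list)
    for ev in events:
        if (ev.get("type") == "file" and ev.get("action") == "rename"
                and ev.get("path", "").lower().endswith(RANSOM_EXT)):
            per_host[ev["host"]].append(parse_ts(ev["time"]))
    flagged: Dict[str, int] = {}
    for host, times in per_host.items():
        recent: deque = deque()
        peak = 0
        for t in sorted(times):
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak > threshold:
            flagged[host] = peak
    return flagged


def _renames(host: str, start: str, n: int, step: timedelta) -> List[Dict[str, str]]:
    """Constructed file events: n renames to an .osiris name, `step` apart (mixed case on purpose)."""
    t0 = parse_ts(start)
    return [{"type": "file", "host": host, "action": "rename",
             "time": (t0 + i * step).strftime("%Y-%m-%dT%H:%M:%S"),
             "path": f"\\\\fs01\\finance\\q4_{i}.xlsx.OSIRIS"} for i in range(n)]


# Constructed sample: ws-017 kills recovery then encrypts a share in a minute,
# ws-042 uses the PowerShell form and touches ten files slowly, srv-01 only lists snapshots.
SAMPLE_EVENTS: List[Dict[str, str]] = (
    [
        {"type": "process", "host": "ws-017", "time": "2026-01-22T08:59:40",
         "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
        {"type": "process", "host": "ws-017", "time": "2026-01-22T08:59:41",
         "cmdline": "wmic.exe shadowcopy delete"},
        {"type": "process", "host": "srv-01", "time": "2026-01-22T09:10:00",
         "cmdline": "vssadmin list shadows"},
        {"type": "process", "host": "ws-042", "time": "2026-01-22T09:30:00",
         "cmdline": 'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"'},
    ]
    + _renames("ws-017", "2026-01-22T09:00:00", 60, timedelta(seconds=1))
    + _renames("ws-042", "2026-01-22T09:00:00", 10, timedelta(minutes=6))
)

if __name__ == "__main__":
    for host, label, cmd in shadow_copy_deletions(SAMPLE_EVENTS):
        print(f"{host}: {label}: {cmd}")
    for host, peak in rename_bursts(SAMPLE_EVENTS).items():
        print(f"{host}: {peak} {RANSOM_EXT} renames inside 5 minutes")
```

Note that srv-01's `vssadmin list shadows` is deliberately not a hit, and that ws-042's ten renames spread over an hour stay below the threshold at the default 5-minute window; the Splunk search above has the same behaviour only if you keep the `bin _time` step.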
Delivery Method
· Not known at this time.
o Based on previous variants, suspected to be spear-phishing or exploitation of an exposed VPN.
Email example
Sample Email Content
(Corporate Phishing):
From: [Spoofed Name] <[Legitimate Company Vendor Email]>
Subject: Invoice Discrepancy - INV-55402
Hello,
Please review the attached invoice regarding the recent services rendered. We noticed a discrepancy in the final amount compared to the purchase order.
Could you please review and confirm?
Best regards,
[Name]
Attachment: Invoice_55402.zip (Contains malicious script)
Common Subject Lines
· Updated Q4 Project Requirements
· Action Required: Invoicing Discrepancy INV-[Random Number]
· Confidential: Revised Compensation Structure
· HR Documentation: Employee Policy Update
URL References
VirusTotal
· hxxps://www.virustotal.com/gui/file/27d90611f005db3a25a4211cf8f69fb46097c6c374905d7207b30e87d296e1b3
SiliconAngle Technical Deep-Dive
· hxxps://siliconangle.com/2026/01/22/new-osiris-ransomware-reveals-sophisticated-tactics-experienced-attackers/
Red Piranha Threat Intelligence
· hxxps://redpiranha.net/news/threat-intelligence-report-december-16-december-22-2025
WatchGuard Ransomware Tracker
· hxxps://www.watchguard.com/wgrd-security-hub/ransomware-tracker/Osiris