
Osiris Ransomware: BYOVD EDR Killer, Poortry Driver, and the INC Connection

Osiris is a ransomware group first disclosed by Symantec in January 2026, notable for using the Poortry kernel driver to kill EDR before deploying encryption. Code similarities with INC Ransomware suggest a possible affiliate or tooling relationship. Confirmed victim: a large Southeast Asian conglomerate. Current assessment: emerging group, technically capable, healthcare and industrial sectors at elevated risk.

By Ransomware Tracker
Tags: Osiris, BYOVD, Poortry, EDR bypass, INC Ransomware, kernel driver, Southeast Asia, double extortion, encryption
Threat Level: 8/10
Sectors Targeted: manufacturing, critical-infrastructure, healthcare, finance
Ransomware Family: Osiris

Osiris is a ransomware group that came to public attention in January 2026 when Symantec’s Threat Hunter Team published analysis of a confirmed attack against a large Southeast Asian conglomerate. The group’s distinguishing technical characteristic is its use of a BYOVD (Bring Your Own Vulnerable Driver) technique to terminate endpoint detection and response software before deploying its encryptor — specifically using the Poortry kernel driver, a tool with a documented history in the eCrime ecosystem. Symantec’s analysis noted code-level similarities between the Osiris encryptor and the INC Ransomware encryptor, raising the question of an affiliate relationship or shared codebase.

What Is Known About the Group

Osiris is an early-stage group by the metrics used to track established ransomware operations. One confirmed victim is publicly documented. There is no indication of an open affiliate recruitment programme or a public-facing leak site at the time of writing. The group appears to be operating selectively — targeting high-value organisations rather than running a high-volume affiliate model.

“Osiris” is the name Symantec assigned in its attribution, based on strings and naming patterns observed in the malware. Whether the group self-identifies under this name, or operates under a different identifier on underground forums, is not publicly confirmed.

Sector targeting inferred from the confirmed victim and the INC Ransomware connection suggests interest in organisations with complex operational structures, valuable data (financial records, healthcare records, industrial IP), and a heavy dependence on backup and restore infrastructure that an encryptor can disrupt. The Southeast Asian conglomerate victim is consistent with a target profile that combines high ransom capacity with IT infrastructure that may have less mature enterprise security controls than comparable European or North American organisations.

The Poortry Driver and BYOVD Chain

The Poortry driver (tracked by Mandiant as POORTRY, deployed by its STONESTOP user-mode loader) is a signed Windows kernel driver that takes commands from a user-mode component and uses kernel privileges to terminate processes, including EDR agents that user-mode tamper protection would otherwise shield. Strictly speaking, Poortry is a purpose-built malicious driver signed with abused or stolen code-signing certificates rather than a legitimate driver with a bug, but operationally it follows the same BYOVD pattern: drop a loadable signed driver, load it, and use it to reach kernel-level termination of security software.

The driver is signed, so it passes Driver Signature Enforcement. That check only confirms that the signature chains to a trusted root and that the file has not been modified since it was signed; it says nothing about what the driver does. BYOVD attacks work because Windows, by design, will load any correctly signed driver, so a driver that exposes arbitrary kernel operations (through a vulnerability or, as with Poortry, by design) can be used as a weapon long after it is publicly known, as long as the signed binary remains loadable on the target.

Microsoft has blocklisted Poortry variants over time, through certificate revocation and through the vulnerable driver blocklist that ships with Windows and is enforced when memory integrity (HVCI) or a WDAC policy is active, but attackers keep libraries of signed driver samples that predate their blocklisting, and newly signed builds keep appearing. The LOLDrivers project (loldrivers.io) maintains a current list of known vulnerable and malicious drivers with verified hash values.

Poortry has previously appeared in attacks attributed to groups connected to the Scattered Spider/UNC3944 ecosystem and has been observed across multiple ransomware campaigns. Its appearance in Osiris attacks suggests the operator either purchased the capability from a broker who maintains the Poortry toolkit, or has direct access to tooling used by the broader eCrime ecosystem from which INC Ransomware also sources tools.

The INC Ransomware Connection

Symantec’s January 2026 disclosure specifically noted code-level similarities between the Osiris encryptor and INC Ransomware’s encryptor. The nature of these similarities — whether they indicate shared source code, binary similarities suggesting a fork, or reuse of a common builder — has not been publicly detailed beyond the initial Symantec report.

There are three possible interpretations:

Affiliate relationship. Osiris may be an affiliate operating the INC encryptor under its own brand. Some RaaS operations allow affiliates to operate independently without formally advertising their affiliation to avoid regulatory attention and law enforcement focus. Under this model, Osiris operators would obtain the INC encryptor from the core development team, conduct their own intrusions, and pay a percentage of ransoms to the INC operation.

Codebase fork. Osiris may have obtained the INC source code — through purchase, theft, or access from a former INC affiliate — and deployed it with modifications. The pattern of encryptor code reuse across ransomware families is well-documented; leaked builders (as with Babuk and Conti) and purchased source code are common sources.

Shared tooling supplier. Osiris and INC may both be sourcing their encryptors from the same third-party builder, producing superficial similarities that don’t indicate a direct operational relationship.

The presence of Poortry in the Osiris attack does not discriminate between these interpretations: Poortry is available from multiple eCrime tooling suppliers, so its use is compatible with an affiliate relationship, a fork, or a shared supplier, and it does not by itself indicate a direct INC relationship. But the combination of Poortry with INC-similar encryptor code is specific enough that Osiris intelligence should inform INC defence priorities, and vice versa.

Confirmed Attack Details: Southeast Asian Conglomerate

The confirmed Osiris attack targeted a large diversified conglomerate in Southeast Asia. The victim’s profile is not publicly identified beyond Symantec’s description of it as operating across multiple business sectors. Symantec’s analysis confirmed:

  • Initial access method: Not publicly confirmed in available reporting.
  • BYOVD deployment: Poortry driver deployed to terminate endpoint security software prior to encryption.
  • Encryptor: Deployed after EDR termination; code similarities noted with INC Ransomware.
  • Outcome: Encryption deployed successfully; the attack was identified through post-incident forensic analysis.

The dwell time (the period between initial access and encryption deployment) is not publicly reported for this incident. Based on INC’s established pattern (two to four weeks) and the use of a BYOVD chain that requires prior foothold establishment, a multi-week pre-encryption phase is consistent.

Defensive Considerations

Driver blocklisting and allowlisting. Enable Microsoft's vulnerable driver blocklist (enforced through HVCI/memory integrity or a WDAC policy) and, where the fleet is manageable, a WDAC policy that only permits kernel drivers in an approved baseline. The LOLDrivers database publishes hash-based deny rules for known vulnerable and malicious drivers, including Poortry samples. A WDAC deny rule stops the driver from loading regardless of its signature, so it closes the BYOVD path for every driver it covers. The caveat is that hash rules only cover samples already catalogued; an operator who rebuilds or re-signs the driver gets a new hash, which is why an allowlist of known-good drivers is the stronger control.

EDR tamper protection. Ensure tamper protection is enabled on every endpoint. It stops user-mode actors, including local administrators, from stopping, uninstalling or reconfiguring the agent, which covers the common case of an attacker with admin access trying to kill the EDR before it reports. It does not protect against code already running in the kernel: a BYOVD driver terminates the agent's processes from ring 0, beneath the tamper-protection boundary. Driver blocklisting and kernel driver load monitoring are the layers that address that case.

Monitor kernel driver loads. Alert on any kernel driver load whose hash is not in an approved baseline. Sysmon Event ID 6 (DriverLoad) records the driver path (ImageLoaded), its hashes (Hashes, in whichever algorithms the Sysmon configuration enables, so make sure SHA256 is among them), and the signer and signature status (Signature, SignatureStatus). Cross-reference the SHA256 against both the LOLDrivers list and your organisation's baseline, and give extra weight to drivers loaded from user-writable directories or carrying a non-valid signature status.

Track INC and Osiris intelligence jointly. Given the code similarity, intelligence about INC Ransomware campaigns, TTPs, and indicators should be treated as potentially applicable to Osiris operations and vice versa. Threat intelligence platforms tracking INC should flag the Osiris connection so that Osiris-derived indicators are included in INC detection workflows.

Current Assessment

Status: Emerging group — limited confirmed activity, no established leak site, no confirmed affiliate recruitment programme.

Technical capability: Above average for an emerging group. Proficient use of BYOVD with Poortry (requires kernel-level access and driver management knowledge), possible access to INC-quality encryptors, targeting of large complex organisations.

Geographic focus: Insufficient data to establish geographic preference beyond the Southeast Asian confirmed victim.

Ransom approach: Assumed double extortion, based on encryptor deployment and the pattern of comparable groups, but no leak site has been observed and no data-leak threat is publicly documented, so exfiltration-based extortion is unconfirmed. No ransom demand figures are publicly available.

Recommended watch level: Medium-high for organisations in healthcare, diversified industrial/manufacturing, and financial services in Southeast Asia and Asia-Pacific. Monitor Symantec and Broadcom threat intelligence feeds for updates.
