Osiris Ransomware: How a Trusted Driver Was Turned Into a Weapon to Kill Security and Encrypt Enterprises

Aegiron 10 mins0

Osiris Ransomware – BYOVD-Based Attack Using POORTRY Driver

Initial Discovery: January 22
Attack Type: Ransomware with Security Bypass (BYOVD)
Primary Objective: Disable endpoint protection and encrypt systems undetected

Executive Summary

Osiris is a newly observed ransomware strain that surfaced in late January and is notable for its use of the Bring Your Own Vulnerable Driver (BYOVD) technique. Instead of directly exploiting a system vulnerability, Osiris loads a legitimate but vulnerable kernel driver (POORTRY) to gain high-privilege access, disable security products, and then deploy ransomware payloads without interference.

What makes Osiris particularly dangerous is that it does not rely on zero-day exploits. Instead, it abuses trusted components, allowing it to evade detection by traditional endpoint security tools. Once the driver is loaded, Osiris attackers can terminate EDR, antivirus, and monitoring services at the kernel level, making post-compromise activity extremely difficult to detect in real time.

What Is Osiris Ransomware?

Osiris is a Windows-focused ransomware family designed to operate in multiple stages, with a strong emphasis on defense evasion before encryption.

Unlike basic ransomware that encrypts files immediately, Osiris prioritizes:

  • Gaining kernel-level access
  • Disabling all security controls
  • Establishing persistence
  • Ensuring encryption runs uninterrupted

This indicates a moderately to highly skilled threat actor, likely targeting enterprise environments, not individual users.

How the Attack Works (Full Kill Chain)

1. Initial Access Vector

Osiris does not rely on a single fixed entry method. Observed and likely initial access paths include:

  • Phishing emails with malicious attachments (ZIP, ISO, IMG, or password-protected archives)
  • Trojanized installers posing as legitimate software
  • Compromised admin credentials (RDP, VPN, or domain accounts)
  • Malware loaders dropped by existing infections (e.g., loaders already present in the environment)

At this stage, the attacker gains standard user or admin-level access, but not kernel access yet.

2. Privilege Preparation

Once initial execution occurs, Osiris performs several preparatory actions:

  • Enumerates running processes
  • Checks for installed security software (EDR, AV, XDR)
  • Verifies administrative privileges
  • Checks Secure Boot and driver enforcement status

If admin rights are missing, Osiris may attempt:

  • UAC bypass techniques
  • Credential dumping from memory
  • Token impersonation

3. BYOVD Technique – POORTRY Driver Abuse

This is the core innovation of Osiris.

What Is POORTRY?

POORTRY is a legitimate but vulnerable kernel driver originally designed for hardware or system interaction. Due to improper access control and exposed IOCTL handlers, it allows arbitrary kernel operations when abused.

Osiris brings its own copy of the driver, meaning:

  • The driver is not already present on the system
  • No exploit is needed
  • The OS trusts it because it is signed

What Osiris Does With POORTRY

Once loaded, the driver allows Osiris to:

  • Terminate protected processes (EDR/AV) that normally cannot be stopped
  • Disable kernel callbacks used by security tools
  • Bypass tamper protection
  • Remove file system minifilters
  • Disable monitoring and logging services

This effectively blinds the system.

4. Security Software Disabled

Observed targets include (but are not limited to):

  • Windows Defender
  • Third-party EDR agents
  • Behavioral monitoring services
  • Threat hunting sensors
  • SIEM forwarders (local agents)

Once disabled:

  • Alerts stop
  • Telemetry is lost
  • Encryption proceeds silently

5. Payload Deployment

After defenses are neutralized, Osiris deploys its main ransomware payload.

Payload Characteristics

  • Executed from user-writable directories (Temp, ProgramData, AppData)
  • Runs as a separate process to avoid correlation
  • Uses AES encryption for file content
  • Uses RSA or ECC to protect encryption keys
  • Excludes system-critical files to keep OS running
  • Targets:
    • Documents
    • Databases
    • Backups
    • Virtual disk files
    • Shared network drives

File extensions are renamed with a custom Osiris-specific extension.

6. Persistence (Optional but Observed)

In some cases, Osiris establishes persistence before encryption:

  • Scheduled tasks
  • Registry Run keys
  • Service creation
  • Driver persistence via reboot-safe configuration

This ensures:

  • Re-encryption if recovery is attempted
  • Continued access for data exfiltration

7. Ransom Note & Extortion

After encryption:

  • Ransom note is dropped in each directory
  • Desktop wallpaper may be changed
  • Instructions direct victims to:
    • TOR-based payment portals
    • Encrypted email contact
  • Double extortion is possible (data theft before encryption), though not confirmed in all cases

Impacted Systems

Affected Platforms

  • Windows 10
  • Windows 11
  • Windows Server (2016, 2019, 2022)

High-Risk Environments

  • Enterprises using third-party EDR
  • Organizations without driver blocklists
  • Systems allowing unsigned or vulnerable drivers
  • Environments with poor credential hygiene

Business Impact

  • Full data encryption
  • Loss of visibility during attack
  • Backup encryption (if online)
  • Potential data exfiltration
  • Extended recovery time due to disabled security stack

Indicators of Compromise (IOCs)

File Artifacts

  • POORTRY driver file dropped to disk (randomized name)
  • Ransomware executable in:
    • %TEMP%
    • %PROGRAMDATA%
    • %APPDATA%
  • Ransom note files (custom naming)

Process Activity

  • Unexpected driver loading
  • Security agent services stopping unexpectedly
  • High-privilege process execution from user directories

Registry Changes

  • New service keys related to driver loading
  • Modified startup keys
  • Disabled security-related registry entries

Network Indicators

  • Outbound connections to TOR gateways
  • Encrypted traffic to unknown IPs post-infection
  • C2 communication before encryption

Detection Guidance

Behavioral Red Flags

  • Legitimate signed drivers loaded from non-standard paths
  • Kernel driver load shortly before AV/EDR termination
  • Multiple security processes stopping simultaneously
  • Ransomware encryption following driver installation

Example Detection Rule

Driver Abuse Detection (Pseudo-Logic)

IF
  driver_loaded AND
  driver_path IN user_writable_directories AND
  driver NOT in approved_driver_list
THEN
  ALERT: Potential BYOVD attack

Ransomware Execution Detection

IF
  process_encrypts_multiple_files AND
  security_services_disabled_recently
THEN
  ALERT: Active ransomware behavior

Mitigation & Prevention

Immediate Actions

  • Block vulnerable drivers via driver block rules
  • Enable Microsoft vulnerable driver blocklist
  • Enforce Secure Boot
  • Monitor driver load events
  • Restrict admin privileges

Long-Term Hardening

  • EDR with kernel-level tamper protection
  • Application allowlisting
  • Credential hygiene and MFA
  • Offline, immutable backups
  • Continuous threat hunting for BYOVD activity

Why Osiris Matters

Osiris represents a shift toward stealth-first ransomware, where defense neutralization is prioritized over exploitation. The use of BYOVD means attackers no longer need zero-days to achieve kernel access — they only need one trusted, vulnerable driver.

This makes Osiris:

  • Harder to detect
  • Faster to execute
  • More damaging once inside

Final Takeaway

Osiris is not a spray-and-pray ransomware. It is clearly designed for:

  • High-value targets
  • Environments relying heavily on endpoint security
  • Networks where driver control is weak

Organizations that do not monitor driver behavior are especially vulnerable.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.