As detailed in Silicon Angle, a new ransomware family named Osiris has emerged, raising concerns due to its association with experienced threat actors and a significant attack on a Southeast Asian conglomerate late last year. Research indicates Osiris is a distinct strain with no known ties to existing ransomware families.

The Osiris ransomware, first detected in November, exhibits sophisticated techniques suggesting seasoned attackers. Researchers from Symantec and the Carbon Black Threat Hunter Team found indicators linking Osiris to the Inc ransomware group. Attackers employed living-off-the-land tools, a malicious driver (Poortry) to disable security software, and exfiltrated data to Wasabi cloud storage. A Mimikatz variant with a familiar file name further suggests operational overlap. Osiris features include process termination, selective file encryption with a '.Osiris' extension, deletion of shadow copies, and a hybrid encryption scheme using elliptic curve cryptography and AES-128-CTR. Data theft occurs days before encryption, with tools like Rclone, Netscan, and a disguised Rustdesk variant used for evasion.

The emergence of Osiris highlights the evolving tactics of sophisticated ransomware groups. While its overall impact on the ransomware landscape is yet to be determined, its effective encryption and the apparent skill of its operators warrant close monitoring, the researchers say.

Source: Silicon Angle
Encryption, Ransomware, Security Operations, Threat Intelligence
New Osiris ransomware linked to experienced attackers




