Osiris ransomware uses POORTRY BYOVD to disable defenses and exfiltrate data
Malware Activity
Summary
Researchers disclosed Osiris, a new ransomware family that hit a major food service franchisee operator in Southeast Asia in November 2025, in an intrusion chain that combined data theft with encryption. The attack used the POORTRY driver in a BYOVD (bring your own vulnerable driver) chain to disable security software, increasing the chance that the ransomware could be deployed undetected. Before encryption, the operators used Rclone to exfiltrate data to Wasabi buckets and relied on dual-use tools such as Mimikatz, NetExec, and MeshAgent. The malware also kills services and processes, encrypts files with a hybrid scheme, and drops a ransom note, making it relevant to defenders tracking ransomware tradecraft.
Related Happenings
Foxconn hit by ransomware attack
Incident
First: 13.05.2026 15:49
Last: 13.05.2026 15:49
Sources 1
About this happening:
**Foxconn** confirmed that **some North American factories** suffered a **cyberattack**, disrupting manufacturing operations and forcing a recovery effort to keep production and d...
Ministry of Justice and Legal Affairs of Oman hit by network compromise
Incident
First: 06.05.2026 16:00
Last: 06.05.2026 16:00
Sources 1
About this happening:
The **Ministry of Justice and Legal Affairs of Oman** suffered an **active intrusion** that exposed **session logs** and **more than 26,000 user records**, raising risk to judicia...
Vect 2.0 ransomware wiper-flaw activity
Malware Activity
First: 29.04.2026 18:23
Last: 29.04.2026 18:23
Sources 1
About this happening:
The **Vect 2.0** ransomware variant now **permanently destroys large files** instead of encrypting them, which can leave defenders without a recoverable copy. The flaw affects ver...
Vect ransomware flawed ChaCha20 implementation destroys large files
Technical Analysis
First: 29.04.2026 13:45
Last: 29.04.2026 13:45
Sources 1
About this happening:
**Vect 2.0 ransomware** was shown to use **raw ChaCha20-IETF (RFC 8439)** without authentication, causing files above **128 KB** to be permanently destroyed across **Windows, Linu...
Fast16 Lua-based network worm
Malware Activity
First: 27.04.2026 16:09
Last: 27.04.2026 16:09
Sources 1
About this happening:
Researchers identified **fast16**, a previously undocumented **Lua-based network worm** that can silently corrupt high-precision calculations and threaten legacy scientific and en...
Timeline
- 22.01.2026 20:00 · 2 articles · 4mo ago
Osiris ransomware uses POORTRY BYOVD to disable defenses and exfiltrate data
Initial Disclosure: Initial activity on the target network began with **data exfiltration** to a **Wasabi** bucket using **Rclone**. The operators then introduced **POORTRY** to disable security tools before ransomware deployment.
- New Osiris Ransomware Emerges as New Strain Using POORTRY Driver in BYOVD Attack — thehackernews.com — 22.01.2026 20:00