Cybersecurity researchers have recently identified a new ransomware strain named Osiris.
This ransomware is notable because it uses a vulnerable but digitally signed driver to bypass endpoint security solutions before encrypting systems.
Unlike common ransomware families that rely mainly on phishing emails or simple malware loaders, Osiris operates at a deeper system level. It abuses a known vulnerable driver, commonly referred to as POORTRY, to gain kernel-level privileges. Once loaded, this driver allows the attacker to silently disable security products such as EDR and antivirus tools.
After security protections are neutralized, the ransomware proceeds with encryption. By the time encryption begins, many security tools are already blind, making detection and response extremely difficult.
This technique is known as BYOVD (Bring Your Own Vulnerable Driver). It is not new, but Osiris shows that ransomware groups are now actively and successfully using it in real attacks rather than as a theoretical technique.
A confirmed incident linked to Osiris targeted a large enterprise in Southeast Asia, where attackers were able to disable endpoint protection and encrypt systems without triggering early alerts. This indicates that the ransomware is being used in targeted, high-impact attacks, not random mass campaigns.

What makes Osiris particularly dangerous is that it does not exploit unknown zero-day vulnerabilities. Instead, it abuses legitimate signed drivers that are already trusted by the operating system. If an organization does not actively block vulnerable drivers, the attack can succeed even on fully patched systems.
This incident highlights a growing problem in modern cybersecurity: traditional endpoint protection alone is no longer sufficient. Attackers are increasingly focusing on kernel-level access and trusted components to evade detection.
Security teams should treat driver control as a critical defense layer. Blocking known vulnerable drivers, monitoring driver load activity, and tightening administrative privileges are now essential steps to reduce ransomware risk.
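As an added illustration of the driver-load monitoring recommended above (example code written for this page, not from the article or any vendor product), the following Python routine triages Sysmon Event ID 6 (DriverLoad) records. It assumes the Sysmon fields ImageLoaded, Hashes, Signed and SignatureStatus have been flattened into key=value pairs, and it uses constructed placeholder hashes rather than real POORTRY or Osiris indicators.

```python
# Added example: triage Sysmon Event ID 6 (DriverLoad) records for BYOVD activity.
# Hashes and event lines are constructed placeholders, not real POORTRY/Osiris indicators.
PLACEHOLDER_BAD = "a" * 64   # constructed stand-in for a blocklisted driver hash
PLACEHOLDER_GOOD = "1" * 64  # constructed stand-in for a known-good driver hash
# In production, populate from Microsoft's vulnerable driver blocklist or an internal list.
BLOCKED_SHA256 = {PLACEHOLDER_BAD: "placeholder vulnerable driver"}
# Directories from which kernel drivers are normally loaded.
TRUSTED_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\")

# Constructed sample records, flattened to key=value|key=value form.
SAMPLE_EVENTS = [
    "EventID=6|ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys"
    f"|Hashes=SHA256={PLACEHOLDER_GOOD}|Signed=true"
    "|Signature=Microsoft Windows|SignatureStatus=Valid",
    # Validly signed, yet blocklisted and dropped into a user-writable path.
    "EventID=6|ImageLoaded=C:\\Users\\Public\\update.sys"
    f"|Hashes=SHA256={PLACEHOLDER_BAD}|Signed=true"
    "|Signature=Example Vendor Ltd|SignatureStatus=Valid",
]

def parse_event(line):
    """Split a flattened record into a dict and pull out the SHA256 hash."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    fields["SHA256"] = hashes.get("SHA256", "").lower()
    return fields

def assess_driver_load(event):
    """Return the reasons a driver load is suspicious; empty means no finding.
    A valid signature clears nothing on its own: BYOVD drivers are signed by design."""
    reasons = []
    if event["SHA256"] in BLOCKED_SHA256:
        reasons.append("hash is on the vulnerable driver blocklist")
    if not event.get("ImageLoaded", "").lower().startswith(TRUSTED_DIRS):
        reasons.append("loaded from outside the system driver directories")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or signature did not validate")
    return reasons

def scan(lines):
    """Map each driver path to its findings, keeping only records with findings."""
    findings = {}
    for line in lines:
        event = parse_event(line)
        if reasons := assess_driver_load(event):
            findings[event["ImageLoaded"]] = reasons
    return findings
```

Running `scan(SAMPLE_EVENTS)` reports only the second record, on two grounds (blocklisted hash, unusual load path), even though its signature validates; the same logic applies unchanged to real Sysmon exports once the blocklist holds genuine hashes.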
Osiris ransomware is a clear example of how ransomware is evolving — not by spreading faster, but by becoming more precise, stealthy, and technically advanced.
