Osiris Ransomware

    Date: 02/16/2026

    Severity: High

    Summary

    Osiris ransomware is a modern, enterprise-focused threat that conducts targeted intrusions involving deep network compromise, data exfiltration, and double-extortion tactics before encrypting victim systems. After gaining unauthorized access, attackers use legitimate tools such as Rclone for cloud-based data theft and abuse a malicious kernel driver (POORTRY) via a Bring Your Own Vulnerable Driver (BYOVD) technique to disable security controls and gain kernel-level privileges. Additional tooling supports credential harvesting, lateral movement, and remote access. Once objectives are met, Osiris encrypts files with a hybrid ECC and AES-128 scheme, appends the “.Osiris” extension, deletes backups and shadow copies, and drops a ransom note (“Osiris-MESSAGE.txt”), demonstrating a highly structured and evasive attack lifecycle.

    Indicators of Compromise (IOC) List

    URLs/Domains

    ausare.net

    wesir.net

    Hash (SHA-256)

    Filenames

    33.exe

    Payload.exe

    Payload.dll

    Kaz.exe

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "ausare.net" or siteurl like "ausare.net" or url like "ausare.net" or domainname like "wesir.net" or siteurl like "wesir.net" or url like "wesir.net"

    Detection Query 2:

    sha256hash IN ("44748c22baec61a0a3bd68b5739736fa15c479a3b28c1a0f9324823fc4e3fe34","79bd876918bac1af641be10cfa3bb96b42c30d18ffba842e0eff8301e7659724","44e007741f7650d1bd04cca3cd6dfd4f32328c401f95fb2d6d1fafce624cc99e","fc39cca5d71b1a9ed3c71cca6f1b86cfe03466624ad78cdb57580dba90847851","d78f7d9b0e4e1f9c6b061fb0993c2f84e22c3e6f32d9db75013bcfbba7b64bc3","8c378f6200eec750ed66bde1e54c29b7bd172e503a5874ca2eead4705dd7b515","5bd82a1b2db1bdc8ff74cacb53823edd8529dd9311a4248a86537a5b792939f8","fff586c95b510e6c8c0e032524026ef22297869a86d14075cd601ca8e20d4a16","c74509fcae41fc9f63667dce960d40907f81fae09957bb558d4c3e6a786dde7d","824e16f0664aaf427286283d0e56fdc0e6fa8698330fa13998df8999f2a6bb61","231e6bee1ee77d70854c1e3600342d8a69c18442f601cd201e033fa13cb8d5a5","Ce719c223484157c7f6e52c71aadaf496d0dad77e40b5fc739ca3c51e9d26277","C189595c36996bdb7dce6ec28cf6906a00cbb5c5fe182e038bf476d74bed349e","5c2f663c8369af70f727cccf6e19248c50d7c157fe9e4db220fbe2b73f75c713","D524ca33a4f20f70cb55985289b047defc46660b6f07f1f286fa579aa70cf57a","534bd6b99ed0e40ccbefad1656f03cc56dd9cc3f6d990cd7cb87af4cceebe144","39a0565f0c0adc4dc5b45c67134b3b488ddb9d67b417d32e9588235868316fac")

    Detection Query 3:

    (resourcename = "Windows Security" AND eventtype = "4688" AND objectname IN ("33.exe","Payload.exe","Payload.dll","Kaz.exe"))

    Detection Query 4:

    (technologygroup = "EDR" AND objectname IN ("33.exe","Payload.exe","Payload.dll","Kaz.exe"))
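    To check the four queries above offline, here is an added Python detector (not part of the advisory and not Gurucul code) that applies the same IOC logic to constructed sample events: it lowercases hashes before comparison, since several hashes on this page begin with an uppercase character and would otherwise never match, and it compares only the basename of Windows paths. Only three of the advisory's hashes are embedded, the event field names mirror the queries, and the filename "Kaz.exe" is read from the page's split "Kaz.exePay"/"load.dll" entries (an assumption).

```python
import ntpath
from urllib.parse import urlsplit
# IOCs from the advisory (3 of its 17 hashes embedded; some start uppercase, hence .lower()).
OSIRIS_DOMAINS = {"ausare.net", "wesir.net"}
OSIRIS_HASHES = {h.lower() for h in (
    "fff586c95b510e6c8c0e032524026ef22297869a86d14075cd601ca8e20d4a16",
    "Ce719c223484157c7f6e52c71aadaf496d0dad77e40b5fc739ca3c51e9d26277",
    "D524ca33a4f20f70cb55985289b047defc46660b6f07f1f286fa579aa70cf57a",
)}
# "kaz.exe" is read from the page's split "Kaz.exePay"/"load.dll" entries (assumption).
OSIRIS_FILENAMES = {"33.exe", "payload.exe", "payload.dll", "kaz.exe"}

def _host(value: str) -> str:
    """Reduce a bare domain or a full URL to its lowercase hostname."""
    if "://" not in value:
        value = "//" + value  # make urlsplit treat the string as a netloc
    return (urlsplit(value).hostname or "").lower()

def _domain_hit(value: str) -> bool:
    """Exact IOC domain or a subdomain of it; 'notausare.net' must not hit."""
    host = _host(value)
    return any(host == d or host.endswith("." + d) for d in OSIRIS_DOMAINS)

def _filename_hit(path: str) -> bool:
    """Compare only the basename, case-insensitively, as Windows does."""
    return ntpath.basename(path).lower() in OSIRIS_FILENAMES

def match_osiris_iocs(event: dict) -> list:
    """Labels of the advisory's four queries that fire on one log event."""
    hits = []
    if any(_domain_hit(event[k]) for k in ("domainname", "siteurl", "url") if event.get(k)):
        hits.append("Q1:domain")
    if (event.get("sha256hash") or "").lower() in OSIRIS_HASHES:
        hits.append("Q2:hash")
    name = event.get("objectname") or ""
    if (event.get("resourcename") == "Windows Security"
            and str(event.get("eventtype")) == "4688" and _filename_hit(name)):
        hits.append("Q3:4688-process")
    if event.get("technologygroup") == "EDR" and _filename_hit(name):
        hits.append("Q4:edr-object")
    return hits
# Constructed sample events (not real telemetry), keyed by the queries' field names.
SAMPLE_EVENTS = [
    {"url": "https://cdn.wesir.net/sync"},
    {"sha256hash": "CE719C223484157C7F6E52C71AADAF496D0DAD77E40B5FC739CA3C51E9D26277"},
    {"resourcename": "Windows Security", "eventtype": 4688, "objectname": r"C:\Users\Public\33.exe"},
    {"technologygroup": "EDR", "objectname": r"D:\tmp\Payload.DLL"},
    {"url": "https://notausare.net/", "sha256hash": "00" * 32},  # benign lookalike
]
```

    Running match_osiris_iocs over SAMPLE_EVENTS fires exactly one query label on each of the first four events and nothing on the lookalike, which is the behaviour the four Gurucul queries are meant to have once hash case and path prefixes are normalised.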

    Reference: 

    https://www.csk.gov.in/alerts/Osiris-Ransomware.html


    Tags: Malware, Threat Actor, Cert-in, CSK - India, Ransomware, Exfiltration, Rclone, BYOVD, Credential Harvesting
