A newly identified ransomware group, Yurei, has emerged as a significant threat to organizations worldwide, with confirmed attacks targeting entities in Sri Lanka and Nigeria across multiple critical industries.
First publicly identified in early September 2025, Yurei operates a traditional ransomware-as-extortion model, infiltrating corporate networks, encrypting sensitive data, destroying backup systems, and leveraging a dedicated dark web site to extort payments from victims.
Yurei follows a conventional but effective ransomware operation model designed to maximize financial extraction from compromised organizations.
The group’s modus operandi involves initial network infiltration, followed by systematic encryption of critical files and deliberate destruction of backup infrastructure to eliminate recovery options.
This two-pronged approach leaves victims with a stark choice: pay the ransom or accept permanent data loss.
The group maintains a dedicated dark web site for victim communication and negotiation, a hallmark of professional cybercriminal operations. Notably, there is no evidence that Yurei operates as a Ransomware-as-a-Service platform or collaborates with other threat actors, and nothing indicates it is a rebrand or modification of an existing ransomware family; the group appears to keep exclusive control over its tooling and operations.
Ransom demands are set case by case, with the operators assessing each victim’s financial capacity before naming a figure.
The range of amounts demanded has not been disclosed; given that per-victim assessment, significant variation by organisation size and perceived ability to pay is to be expected.
Industry and Geographic Targeting
Yurei’s attack campaign demonstrates a clear focus on economically valuable sectors. Primary targets include transportation and logistics, IT software, marketing and advertising, and food and beverage industries.
These sectors appear to have been chosen deliberately, most likely because they depend on continuous data availability and have the financial resources to pay.
Geographic targeting has so far been concentrated on Sri Lanka and Nigeria, but the malware’s capabilities are not region-specific, so expansion to other regions remains probable.
The Yurei binary is written entirely in Go.
Its encryption preparation routine is deliberately lean: it skips system-level operations common in other ransomware families, such as permission changes, mutex creation, and string-decryption routines. Fewer such operations mean fewer behavioural indicators for endpoint tooling to act on and a shorter gap between execution and encryption.
File contents are encrypted with ChaCha20-Poly1305, using a freshly generated random 32-byte key and 24-byte nonce for each file. (A 24-byte nonce means the extended-nonce XChaCha20-Poly1305 variant, which is what Go’s golang.org/x/crypto/chacha20poly1305 package exposes through NewX.)
The per-file key and nonce are then wrapped with secp256k1-based ECIES under a public key embedded in the binary: an ephemeral ECDH exchange against that key derives a symmetric key, and AES-GCM under the derived key seals the file key and nonce. The file key therefore never appears in the clear on disk, and only the holder of the matching private key can unwrap it.

Encryption proceeds in 64 KB blocks, and the wrapped key and nonce are written as a header ahead of the encrypted data.
Because the header is useless without the operator’s private key, there is no way to recover the file key from the encrypted file itself; the scheme’s strength rests on the elliptic-curve layer, and the binary carries only a public key.
Yurei also applies exclusion rules so that the host is not rendered unbootable and stays reachable over the network.
Operational Safeguards
The malware excludes 19 directories including Windows system folders, program files, and recovery partitions.
Additionally, 14 file extensions are protected, including critical system files (.exe, .dll, .sys) and Yurei-specific markers (.Yurei extension).

Seven specific filenames are also skipped, including boot configuration files and the ransom note itself (_README_Yurei.txt), so that the system stays functional enough for the victim to read the note and negotiate.
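The key-wrapping layout described in the technical analysis above, as an added example that is neither Yurei’s code nor taken from the original article: a Go model of a per-file header that wraps a random key and nonce under the operator’s public key (ECIES), followed by the content sealed in 64 KB blocks. Two substitutions are labelled in the code because Go’s standard library lacks the originals: P-256 stands in for secp256k1, and AES-GCM with a 24-byte nonce stands in for XChaCha20-Poly1305. The exact header layout, the function and constant names (encryptFile, decryptFile, kekGCM, headerLen, and so on), and the block-index-in-nonce scheme are my assumptions; the article gives none of them. What the model demonstrates is the article’s point: the header opens with the operator’s private key and with nothing else.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Layout is my assumption, not the sample's: fixed header with the wrapped
// per-file key and nonce, then the content sealed as independent 64 KB blocks.
const (
	chunkSize    = 64 * 1024 // 64 KB block units, as described on the page
	fileKeyLen   = 32        // random 32-byte per-file key
	fileNonceLen = 24        // random 24-byte per-file nonce
	ephPubLen    = 65        // uncompressed point: 65 bytes on P-256 and secp256k1 alike
	wrapNonceLen = 12        // AES-GCM nonce for the key-wrap layer
	headerLen    = ephPubLen + wrapNonceLen + fileKeyLen + fileNonceLen + 16 // 149 incl. GCM tag
)

var errBadCiphertext = errors.New("malformed, tampered, or wrong-key ciphertext")

// newGCM: AES-GCM for both layers; a 24-byte nonce stands in for the sample's
// XChaCha20-Poly1305 (absent from the standard library). Keys are always 32 bytes.
func newGCM(key []byte, nonceSize int) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCMWithNonceSize(block, nonceSize)
	return gcm
}

// kekGCM: the ECIES key agreement, ECDH then SHA-256 of the shared secret as the
// key-encryption key. P-256 stands in for secp256k1, which crypto/ecdh does not offer.
func kekGCM(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) cipher.AEAD {
	shared, err := priv.ECDH(pub)
	if err != nil { // only possible across mismatched curves
		panic(err)
	}
	kek := sha256.Sum256(shared)
	return newGCM(kek[:], wrapNonceLen)
}

// encryptFile returns header || sealed 64 KB blocks, the header being the ECIES wrap
// of key||nonce: ephemeral public key || GCM nonce || AES-GCM(key||nonce). The block
// index goes in the nonce's last 8 bytes (my choice; the page does not say how the
// sample keeps block nonces distinct).
func encryptFile(opPub *ecdh.PublicKey, plaintext []byte) []byte {
	secrets := make([]byte, fileKeyLen+fileNonceLen+wrapNonceLen)
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if _, rerr := rand.Read(secrets); err != nil || rerr != nil {
		panic("no entropy; an encryptor must not carry on")
	}
	fileKey, fileNonce, wrapNonce := secrets[:fileKeyLen], secrets[fileKeyLen:fileKeyLen+fileNonceLen], secrets[fileKeyLen+fileNonceLen:]
	out, aead := append(eph.PublicKey().Bytes(), wrapNonce...), newGCM(fileKey, fileNonceLen)
	out = kekGCM(eph, opPub).Seal(out, wrapNonce, secrets[:fileKeyLen+fileNonceLen], nil)
	for idx := uint64(0); len(plaintext) > 0; idx++ {
		n := len(plaintext)
		if n > chunkSize {
			n = chunkSize
		}
		binary.BigEndian.PutUint64(fileNonce[fileNonceLen-8:], idx)
		out = aead.Seal(out, fileNonce, plaintext[:n], nil)
		plaintext = plaintext[n:]
	}
	return out
}

// decryptFile is the step only the private-key holder can do: any other key derives
// a different KEK, the header's tag check fails, and the file key stays unknown.
func decryptFile(opPriv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < headerLen {
		return nil, errBadCiphertext
	}
	ephPub, err := ecdh.P256().NewPublicKey(blob[:ephPubLen])
	if err != nil {
		return nil, errBadCiphertext
	}
	keys, err := kekGCM(opPriv, ephPub).Open(nil, blob[ephPubLen:ephPubLen+wrapNonceLen], blob[ephPubLen+wrapNonceLen:headerLen], nil)
	if err != nil {
		return nil, errBadCiphertext
	}
	aead, fileNonce, out := newGCM(keys[:fileKeyLen], fileNonceLen), keys[fileKeyLen:], []byte{}
	for body, idx := blob[headerLen:], uint64(0); len(body) > 0; idx++ {
		n := len(body)
		if n > chunkSize+aead.Overhead() {
			n = chunkSize + aead.Overhead()
		}
		binary.BigEndian.PutUint64(fileNonce[fileNonceLen-8:], idx)
		plain, err := aead.Open(nil, fileNonce, body[:n], nil)
		if err != nil {
			return nil, errBadCiphertext
		}
		out, body = append(out, plain...), body[n:]
	}
	return out, nil
}
```

To exercise it, generate an operator key pair with ecdh.P256().GenerateKey, call encryptFile with its public key on a buffer larger than 64 KB, then call decryptFile once with that private key and once with an unrelated one: the first returns the plaintext, the second returns errBadCiphertext because the ECDH shared secret, and therefore the key-encryption key, differs. The same error comes back for a tampered block or a truncated header, which is the property an AEAD-based format gives an analyst: the file either decrypts exactly or not at all, and without the private key "not at all" is the only outcome.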
Yurei’s ransom note escalates pressure through multiple threat vectors. The group claims to have deleted all accessible backups, stolen critical data including databases and financial records, and threatens rapid data exposure or sale on dark web marketplaces.
The note warns that recovery attempts by the victim or by third-party recovery services may cause permanent data corruption. It adds threats to inform regulatory bodies and competitors within five days unless negotiations begin, manufacturing urgency to push a quicker payment decision.
This comprehensive technical and psychological approach positions Yurei as a formidable emerging threat requiring immediate organizational attention for network hardening, backup redundancy, and incident response preparation.
