Yurei Ransomware leverages SMB shares and removable drives to Encrypt Files


Targeting Windows systems, Yurei employs advanced file encryption and stealth techniques to maximize impact and minimize detection.

Encrypted files are appended with the extension .Yurei, and victims receive a ransom note named _README_Yurei.txt with Tor-based contact channels.

CYFIRMA has observed a new ransomware strain, “Yurei Ransomware,” written in Go and circulating in multiple malware repositories.

The malware stages its payload in temporary directories, disables backups and logs, propagates via SMB shares and removable media, and executes self-cleaning routines to frustrate forensic analysis and recovery efforts.

Yurei’s core routine, EncryptAllDrivesAndNetwork, rapidly encrypts data on all accessible local, network, and removable drives using per-file ChaCha20 keys wrapped with an attacker’s ECIES public key.

Files are processed in 2 MiB chunks to avoid high memory usage, then atomically replaced to reduce recovery chances. Encrypted items receive the .Yurei extension, and a professionally formatted ransom note is dropped in each directory.

To thwart recovery, Yurei’s disableBackups function uses PowerShell to run the native Windows backup utilities, issuing vssadmin Delete Shadows /All /Quiet and wbadmin Delete Catalog -Quiet to remove Volume Shadow Copies and the Windows Backup catalog.

Simultaneously, the malware purges Windows event and system logs with a PowerShell Get-ChildItem -Recurse | Remove-Item -Force pipeline and alters metadata to obscure file timestamps. One caveat for responders: the .evtx files under System32\winevt\Logs are held open by the Windows Event Log service, so a plain Remove-Item against active channels fails unless the service is stopped first, which means the attempt itself often survives in the logs it was meant to destroy.

For lateral movement, Yurei leverages credential-based techniques. It constructs PSCredential objects, establishes CIM sessions, and employs net use and PsExec-style remote execution to infect networked hosts.

Its stealthPropagation routine continually enumerates writable SMB shares, copying itself as System32_Backup.exe to share roots. Removable drives are targeted by copying the payload as WindowsUpdate.exe if no file with that name exists, increasing the likelihood of manual execution by unsuspecting users.
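The backup and log destruction described above, together with the credential-based lateral movement and the share-root and drive-root drops, all leave process-creation and file-creation telemetry. The following detection logic is an added example written for this article, not code from CYFIRMA or from the Yurei sample; it runs over constructed Sysmon-style events embedded in the block (not real telemetry), and the rule names, event field names and the exact command lines are assumptions based on the behaviour the article reports.

```python
import re

# Process-creation command-line patterns for the behaviour the article reports:
# shadow-copy and backup-catalog deletion, the event-log purge pipeline, and
# credential-based lateral movement (net use, PsExec-style tools, CIM sessions).
COMMAND_RULES = {
    "shadow_copy_deletion":    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "backup_catalog_deletion": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    # Get-ChildItem -Recurse | Remove-Item -Force aimed at the event-log store.
    "event_log_purge":         re.compile(r"winevt\\logs.*?remove-item|remove-item.*?winevt\\logs", re.I),
    "net_use_admin_share":     re.compile(r"\bnet1?(\.exe)?\s+use\s+\\\\", re.I),
    "psexec_style_exec":       re.compile(r"\bp[as]exec", re.I),
    "cim_session_with_cred":   re.compile(r"new-cimsession.*?-credential|pscredential", re.I),
}

# File names the article reports Yurei dropping at SMB share roots and removable-drive roots.
DROPPED_NAMES = {"system32_backup.exe", "windowsupdate.exe"}
# A file directly at a UNC share root (\\host\share\name) or a drive root (X:\name).
ROOT_DROP = re.compile(r"^(?:\\\\[^\\]+\\[^\\]+|[a-z]:)\\([^\\]+)$", re.I)


def detect(events):
    """Return (rule_name, event_index) pairs for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            cmd = ev.get("cmdline", "")
            for name, rx in COMMAND_RULES.items():
                if rx.search(cmd):
                    hits.append((name, i))
        elif ev["type"] == "file":
            m = ROOT_DROP.match(ev.get("path", ""))
            if m and m.group(1).lower() in DROPPED_NAMES:
                hits.append(("dropped_binary_at_root", i))
    return hits


# Constructed sample events (assumed Sysmon-style shape), not captured telemetry.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r'powershell.exe -NoP -W Hidden -c "vssadmin Delete Shadows /All /Quiet"'},
    {"type": "process", "cmdline": "wbadmin Delete Catalog -Quiet"},
    {"type": "process", "cmdline": r'''powershell.exe -c "Get-ChildItem 'C:\Windows\System32\winevt\Logs' -Recurse | Remove-Item -Force"'''},
    {"type": "process", "cmdline": r"net use \\FS01\C$ /user:CORP\svc_backup Hunter2!"},
    {"type": "process", "cmdline": r'''powershell.exe -c "$p = ConvertTo-SecureString 'Hunter2!' -AsPlainText -Force; $c = New-Object PSCredential('CORP\svc_backup', $p); New-CimSession -ComputerName FS01 -Credential $c"'''},
    {"type": "process", "cmdline": "vssadmin list shadows"},                  # benign admin use
    {"type": "file", "path": r"\\FS01\Public\System32_Backup.exe"},           # share-root drop
    {"type": "file", "path": r"E:\WindowsUpdate.exe"},                        # removable-drive root drop
    {"type": "file", "path": r"C:\Users\bob\Downloads\WindowsUpdate.exe"},    # not at a root: no alert
]

if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule:24s} event[{idx}]")
```

The file-drop rule keys on location, not just name, because a WindowsUpdate.exe in a download folder is noise while the same name at a drive or share root is exactly the pattern the article describes; in production the process rules would additionally be scoped by parent process and user context to suppress legitimate backup maintenance.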

Anti-forensics is further enhanced through self-cleaning: after encryption and propagation, Yurei executes secureDelete, cleanTraces, and wipeMemory routines.

These functions perform multiple overwrite passes on the ransomware binary using cryptographically secure random data, rename and delete the file, scrub file metadata, and overwrite in-memory artifacts following forced garbage collection.

The console is cleared with Clear-Host (which only clears the screen buffer; PSReadLine’s on-disk command history is left untouched), and residual heap data is overwritten to hinder memory forensics.

Analysis and Code Reuse

Static analysis of the Go binary reveals similarities with the open-source Prince-Ransomware project. Yurei retains function and module names—such as InitPrinceKeys() rebranded as InitYureiKeys()—and shares the ChaCha20 + ECIES encryption scheme, file header layout (wrapped key and nonce separated by ||), and recursive drive enumeration logic.

However, Yurei introduces parallel encryption through Go goroutines, improving speed over Prince’s single-threaded design. Notably, Yurei also inherits a Prince defect in which Volume Shadow Copy deletion fails under certain conditions, leaving some restore points intact.

Compile-time metadata exposes a Windows username (intellocker) and file paths referencing a “satanlockv2” project, suggesting ties to other ransomware development environments.

First seen on September 5, 2025, Yurei’s initial victim was a Sri Lankan food manufacturer. Malware submissions from Morocco, Germany, and Turkey leave the developer’s origin unclear despite the Japanese name “Yūrei” (幽霊).

Yurei Ransomware represents a professional-grade threat equipped with rapid, chunked encryption, SMB and USB propagation, double-extortion messaging, and robust anti-forensics. Its polished ransom notes, Tor-based communication channels, and automated self-deletion routines reflect a mature operation optimized for speed and stealth.

The code’s reuse of Prince-Ransomware components underscores the trend of threat actors adapting open-source kits while adding concurrency and self-cleaning enhancements.

Organizations should prioritize endpoint monitoring for unauthorized PowerShell executions and for vssadmin and wbadmin invocations, audit write activity on SMB shares, enforce strict USB device controls, and maintain offline backups to counter this sophisticated, double-extortion-ready malware.

INDICATORS OF COMPROMISE

Indicator | Type | Remarks
1263280c916464c2aa755a81b0f947e769c8a735a74a172157257fca340e1cf4 | SHA-256 | 3dec9093b6da575c8700a9eb.ps1
4f88d3977a24fb160fc3ba69821287a197ae9b04493d705dc2fe939442ba6461 | SHA-256 | YureiRansomware.exe
hXXp[:]//fewcriet5rhoy66k6c4cyvb2pqrblxtx4mekj3s5l4jjt4t4kn4vheyd[.]onion | URL | Blog link
hXXp[:]//fewcriet5rhoy66k6c4cyvb2pqrblxtx4mekj3s5l4jjt4t4kn4vheyd[.]onion/chat/777676f8-2313-425f-873a-65c4df8d5def/chat[.]php | URL | Chat link
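The on-disk artifacts named on this page (the .Yurei extension, the _README_Yurei.txt note, the System32_Backup.exe and WindowsUpdate.exe drops, and the two SHA-256 values in the table) are what an incident responder scopes with first. The script below is an added triage example written for this article, not a CYFIRMA tool; it walks a directory tree, summarizes encrypted files and ransom notes per directory, and hashes any dropped-name binaries against the IOC list. It builds a small constructed sample tree in a temporary directory, so it runs offline. The header check is a heuristic: the article says the file header carries the wrapped key and nonce separated by “||”, and the exact offset is an assumption.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".Yurei"
RANSOM_NOTE = "_README_Yurei.txt"
DROPPED_NAMES = {"system32_backup.exe", "windowsupdate.exe"}
# SHA-256 values from the article's IOC table.
IOC_SHA256 = {
    "4f88d3977a24fb160fc3ba69821287a197ae9b04493d705dc2fe939442ba6461",  # YureiRansomware.exe
    "1263280c916464c2aa755a81b0f947e769c8a735a74a172157257fca340e1cf4",  # 3dec9093b6da575c8700a9eb.ps1
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def has_key_header(path, probe=1024):
    """Heuristic (assumption): a genuinely encrypted file carries the wrapped
    key and nonce separated by '||' near the start; a .Yurei file without that
    separator was probably only renamed and may be recoverable as-is."""
    with open(path, "rb") as f:
        return b"||" in f.read(probe)


def triage(root):
    """Summarize encryption scope and dropped binaries under root."""
    report = {"dirs": {}, "dropped": []}
    for dirpath, _, files in os.walk(root):
        enc = [f for f in files if f.endswith(ENCRYPTED_EXT)]
        if enc or RANSOM_NOTE in files:
            report["dirs"][os.path.relpath(dirpath, root)] = {
                "encrypted": len(enc),
                "with_header": sum(has_key_header(os.path.join(dirpath, f)) for f in enc),
                "note": RANSOM_NOTE in files,
            }
        for f in files:
            if f.lower() in DROPPED_NAMES:
                p = os.path.join(dirpath, f)
                digest = sha256_file(p)
                report["dropped"].append({"path": p, "sha256": digest,
                                          "known_ioc": digest in IOC_SHA256})
    return report


def build_sample_tree(base):
    """Constructed sample victim tree for the demo; contents are placeholders."""
    finance = Path(base, "Finance")
    finance.mkdir()
    (finance / "Q3.xlsx.Yurei").write_bytes(b"wrappedkey||nonce" + os.urandom(64))
    (finance / "memo.docx.Yurei").write_bytes(b"renamed, not encrypted")
    (finance / RANSOM_NOTE).write_text("placeholder note text\n")
    public = Path(base, "Public")
    public.mkdir()
    (public / "System32_Backup.exe").write_bytes(b"MZ" + b"\0" * 62)  # placeholder, not the real sample


def demo():
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return triage(base)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The placeholder binary will never match the IOC hashes, so known_ioc is False in the demo; on a real host a True there is a direct confirmation, while a False only means the sample differs from the two listed builds and should still be collected.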


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.