Yurei ransomware first emerged in early September 2025, targeting Windows environments with a sophisticated Go-based payload designed for rapid, large-scale encryption.
Once executed, the malware enumerates all accessible local and network drives, appends a .Yurei extension to each file, and writes unique ransom notes in every affected directory.
Its operators then demand payment over Tor, warning that shadow copies, backups, and log files have been irreversibly destroyed to frustrate recovery efforts.
Distributed primarily through stolen credentials and spear-phishing campaigns, Yurei exploits Windows Management Instrumentation (WMI) and credential-based remote execution to gain a foothold in corporate networks.
After initial compromise, the binary stages itself in temporary folders and deploys PowerShell scripts that disable Volume Shadow Copy Service (VSS) and delete all existing backups.
Cyfirma analysts noted that the ransomware’s combination of per-file ChaCha20 encryption keys wrapped with ECIES and its self-cleaning routines makes forensic investigation exceedingly difficult.
Upon deployment, Yurei enters an infinite propagation loop, copying itself onto USB devices as WindowsUpdate.exe and into writable SMB shares as System32Backup.exe.
This dual propagation strategy allows the malware to leapfrog network segmentation controls and spread laterally with minimal detection.
Victims report that encrypted files become entirely inaccessible, since each ChaCha20 key and nonce pair is asymmetrically wrapped with the attackers’ embedded public key and stored in a custom header separated by the ASCII marker 0x7c7c.
Infection Mechanism and Lateral Propagation
The core of Yurei’s infection mechanism relies on PowerShell and native Windows utilities to propagate across removable and network drives.
First, it queries all volumes of type “removable” via WMI and checks for an existing WindowsUpdate.exe at each root.
If absent, it copies the ransomware executable from its temp staging directory. Next, it enumerates SMB shares via PowerShell’s Get-SmbShare cmdlet and iterates over each writable share path, using Copy-Item to drop System32Backup.exe.
A snippet illustrating the removable-media propagation routine is shown below.
# Figure 1: Removable drive propagation using PowerShell
$drives = Get-WmiObject -Class Win32_Volume | Where-Object {$_.DriveType -eq 2}
foreach ($drive in $drives) {
    $path = "$($drive.DriveLetter)WindowsUpdate.exe"
    if (-not (Test-Path $path)) {
        Copy-Item -Path $MyInvocation.MyCommand.Definition -Destination $path -Force
    }
}
Once copied, Yurei spawns each dropped instance remotely via a PSCredential-based CIM session or PsExec-style invocation, ensuring the payload executes under elevated privileges without user interaction.
The script constructs a System.Management.Automation.PSCredential object and invokes Invoke-CimMethod to create a process on remote hosts, copying its own binary bytes to disk before execution.
By combining these stealthy propagation loops with aggressive anti-forensics—deleting VSS snapshots (vssadmin Delete Shadows /Quiet), clearing event logs, and overwriting its binary in memory—Yurei represents a highly automated, self-propagating threat designed for maximum network penetration and irreversible data compromise.
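As an added defender-side example (not code from the article or from Cyfirma), the following Python triage helper matches the behaviours described above in process command lines (vssadmin shadow deletion, WMI removable-drive enumeration, and Copy-Item drops of WindowsUpdate.exe and System32Backup.exe) and checks a file for the .Yurei extension together with the 0x7c7c header marker. The sample events and header bytes are constructed, and the 512-byte header scan length is an assumption since the article gives no header size.

```python
import re

# Indicators quoted in the article: the encrypted-file extension and the ASCII
# marker 0x7c7c ("||") that separates fields in the custom file header.
YUREI_EXT = ".Yurei"
HEADER_MARKER = b"\x7c\x7c"
HEADER_SCAN_BYTES = 512  # assumption: no header length is given, so scan the first 512 bytes

# Command-line patterns for the behaviours described: VSS deletion, WMI removable-drive
# enumeration, and Copy-Item drops onto removable roots and SMB shares.
RULES = [
    ("vss_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmi_removable", re.compile(r"Win32_Volume.*DriveType\s*-eq\s*2", re.I)),
    ("usb_drop", re.compile(r"Copy-Item.*\b[A-Z]:\\?WindowsUpdate\.exe", re.I)),
    ("smb_drop", re.compile(r"Copy-Item.*\\\\[^\\\s]+\\[^\\\s]+\\System32Backup\.exe", re.I)),
]

def classify_cmdline(cmdline: str) -> list:
    """Return the names of every rule above that matches a process command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def looks_like_yurei_file(name: str, head: bytes) -> bool:
    """True if the file carries the .Yurei extension and the 0x7c7c marker in its header."""
    return name.lower().endswith(YUREI_EXT.lower()) and HEADER_MARKER in head[:HEADER_SCAN_BYTES]

def triage(events: list) -> dict:
    """Map each event id to its matched rule names; events with no hit are dropped."""
    hits = {}
    for ev in events:
        tags = classify_cmdline(ev["cmdline"])
        if tags:
            hits[ev["id"]] = tags
    return hits

# Constructed sample process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "cmdline": "vssadmin.exe Delete Shadows /Quiet /All"},
    {"id": 2, "cmdline": "powershell -c \"Get-WmiObject -Class Win32_Volume | Where-Object {$_.DriveType -eq 2}\""},
    {"id": 3, "cmdline": r"powershell -c Copy-Item C:\Users\Public\stage.exe -Destination E:WindowsUpdate.exe -Force"},
    {"id": 4, "cmdline": r"powershell -c Copy-Item C:\Users\Public\stage.exe -Destination \\FS01\Public\System32Backup.exe"},
    {"id": 5, "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for event_id, tags in triage(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(tags)}")
    # Constructed header: two opaque fields separated by "||", followed by ciphertext.
    print(looks_like_yurei_file("q3-report.xlsx.Yurei", b"\x01\x02\x03||\x04\x05||ciphertext"))
```

Feed real command lines from Sysmon event 1 or Windows event 4688 records into classify_cmdline and the first bytes of suspect files into looks_like_yurei_file; any hit on vss_delete or either drop rule is worth an immediate host isolation decision.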