top of page

Yurei Ransomware Uses Double-Extortion Tactics to Target Windows Networks

October 21st, 2025

High

Our Cyber Threat Intelligence Unit is monitoring Yurei, a Go-based ransomware first observed on September 5, 2025, derived with minor modifications from the open-source Prince-Ransomware project. Yurei employs a double-extortion model, encrypting data with ChaCha20 per-file keys wrapped using ECIES and appending the “[.]Yurei” extension. It drops a ransom note titled READMEYurei[.]txt and directs victims to a Tor-based negotiation portal. While Check Point Research (CPR) found that Yurei does not delete Windows Shadow Copies, allowing partial restoration where Volume Shadow Copy Service (VSS) is enabled, CYFIRMA and CyberSecurityNews report variants that disable VSS and purge backups, indicating potential divergence across samples. The Yurei ransomware was first seen in Sri Lanka, India, and Nigeria. Yurei has already impacted multiple corporate Windows networks, demonstrating continued development toward higher automation and propagation capability. 

Technical Details

  • Attack Type: Ransomware (Encryption + Extortion using open-source code lineage).

  • Severity: High.

  • Platforms Affected: Windows environments.

  • Encryption Method: ChaCha20 symmetric encryption with ECIES asymmetric key wrapping.

  • Kill Chain Summary:

    • Initial Access: Attackers obtain entry through stolen credentials and spear-phishing campaigns.

    • Execution & Lateral Movement: Uses Windows Management Instrumentation (WMI), CIM sessions, and PsExec-style remote execution for privileged command dispatch across corporate networks.

    • Payload Deployment: Once access is established, the binary stages itself in temporary directories and executes PowerShell scripts to perform encryption and disable defensive controls.

    • Encryption Process: Each file is encrypted with an individual ChaCha20 key, wrapped with ECIES, and appended with the [.]Yurei extension. Ransom note _README_Yurei[.]txt is dropped into each encrypted directory.

    • Backup & Recovery Manipulation: Check Point Research observed that Yurei does not delete Volume Shadow Copies, allowing partial recovery.
      CYFIRMA/CSN report variants that disable VSS and remove backups (variant-dependent).

    • Propagation Mechanisms: Copies itself to SMB shares and removable USB media using native Windows utilities (PowerShell and robocopy), repeating the spread loop to reachable hosts.

    • Persistence & Anti-Forensics: Clears event logs (Event ID 1102), overwrites its binary in memory, and erases temporary artifacts to hinder investigation.

    • Data Theft & Extortion: Conducts data exfiltration prior to encryption; ransom instructions emphasize leak-site exposure if payment is refused.

Image by ThisisEngineering

Impact

  • Data Encryption & Inaccessibility: Files encrypted with ChaCha20/ECIES become unrecoverable without the private key.

  • Data Theft & Extortion: Yurei operators exfiltrate data prior to encryption to pressure victims into payment.

  • Operational Disruption: Rapid encryption of SMB-hosted and local files halts productivity and system availability.

  • Backup Integrity Risk: Variant-dependent VSS and backup removal may neutralize local recovery points.

  • Reputational and Financial Loss: Ransom payments, downtime, and incident recovery costs can be significant.

  • Regulatory Exposure: Breach of confidential data may trigger GDPR, HIPAA, or sector-specific reporting obligations.

Detection Method

  • Network-based:

    • Detect abnormal SMB write activity and file-rename bursts.

    • Flag outbound connections to Tor entry nodes.

    • Monitor for unusual network drive enumeration and mount requests.

  • Host-based:

    • Look for creation of _README_Yurei[.]txt and mass appending of [.]Yurei extensions.

    • Detect PsExec or CIM sessions initiated without user input.

    • Monitor USB mount events triggered by PowerShell or CMD scripts.

  • Behavioral:

    • Identify PowerShell scripts attempting to stop system services or modify backup configurations.

    • Detect rapid file encryption loops across network shares and removable drives.

  • Log Analysis:

    • Review event logs for clear operations (Event ID 1102) or WMI activity spikes.

    • Inspect PowerShell operational logs for encoded command execution.

Indicators of Compromise

Type 

Indicator / Value 

Onion Page 

fewcriet5rhoy66k6c4cyvb2pqrblxtx4mekj3s5l4jjt4t4kn4vheyd[.]onion 

File Extension 

[.]Yurei 

Ransom Note 

READMEYurei[.]txt 

SHA-256 Samples 

49c720758b8a87e42829ffb38a0d7fe2a8c36dc3007abfabbea76155185d2902 

4f88d3977a24fb160fc3ba69821287a197ae9b04493d705dc2fe939442ba6461 

1ea37e077e6b2463b8440065d5110377e2b4b4283ce9849ac5efad6d664a8e9e 

10700ee5caad40e74809921e11b7e3f2330521266c822ca4d21e14b22ef08e1d 

89a54d3a38d2364784368a40ab228403f1f1c1926892fe8355aa29d00eb36819 

f5e122b60390bdcc1a17a24cce0cbca68475ad5abee6b211b5be2dea966c2634 

0303f89829763e734b1f9d4f46671e59bfaa1be5d8ec84d35a203efbfcb9bb15 

 

mix of red, purple, orange, blue bubble shape waves horizontal for cybersecurity and netwo

Recommendations

  • Immediate Containment:

    • Isolate affected systems from the network to prevent lateral movement.

    • Initiate incident response procedures and forensic triage.

    • Notify stakeholders and law enforcement as required by policy.

  • Patching & Hardening:

    • Apply the latest Windows security updates.

    • Restrict Windows Management Instrumentation (WMI) access to administrators only.

    • Enforce PowerShell Constrained Language Mode with script block logging.

  • Backup & Recovery:

    • Maintain offline backups isolated from the production network.

    • Ensure VSS snapshots are enabled.

    • Regularly validate the integrity of backups and restoration processes.

  • Monitoring & Detection:

    • Enable detailed logging for PowerShell, SMB, and WMI activities.

    • Hunt for Tor connection attempts and rapid file extension changes.

    • Deploy EDR and SIEM correlation rules for ransomware behavior.

  • User Awareness:

    • Conduct anti-phishing training and credential-hygiene refreshers.

    • Reinforce policies against using untrusted USB devices.

  • Long-Term Security:

    • Perform routine penetration testing and table-top incident response exercises.

    • Implement network segmentation to contain propagation.

    • Foster a security-aware culture through regular awareness programs.

Conclusion

Yurei demonstrates how adversaries utilize open-source codebases to drive rapid innovation in ransomware. Despite its reliance on public tooling, its hybrid ChaCha20 + ECIES encryption and variant-dependent propagation make Yurei a credible enterprise threat. We urge organizations to tighten credential management, enforce segmentation, and preserve offline backups. Maintaining visibility through EDR, SIEM, and behavioral analytics, while ensuring VSS snapshots remain intact, is essential to mitigate the risks associated with this ongoing threat.

bottom of page