Emergence of Yurei Ransomware: A New Threat Utilizing Go and ChaCha20 Encryption

In early September 2025, a new ransomware variant named Yurei surfaced, quickly capturing the attention of cybersecurity experts due to its unique combination of Go-based execution and ChaCha20 encryption. The first known attack occurred on September 5, targeting a Sri Lankan food manufacturer. The perpetrators employed a double-extortion strategy, encrypting critical files while simultaneously exfiltrating sensitive data to increase their leverage over the victim. Shortly thereafter, two additional victims in India and Nigeria were publicly identified, indicating a rapid expansion of Yurei’s operations.

Technical Analysis

Yurei’s codebase is primarily derived from the open-source Prince-Ransomware project, suggesting that the attackers may lack advanced development skills and resources. The ransomware utilizes Go’s concurrency features to enumerate all drives in parallel, encrypting files using the ChaCha20 algorithm. For each file, a new random ChaCha20 key and nonce are generated and then encrypted using Elliptic Curve Integrated Encryption Scheme (ECIES) with the attacker’s public key. The encrypted data, key, and nonce are concatenated with delimiters, forming the final encrypted file structure.

Notably, Yurei retains symbols in its binary—a remnant from the Prince-Ransomware builder, which did not strip debugging information. This oversight provides analysts with clear function names, such as `Yurei_encryption_generateKey` and `Yurei_filewalker_EncryptAllDrivesAndNetwork`, facilitating the reverse-engineering process.

Shadow Copy Recovery and Defensive Implications

Despite its rapid encryption capabilities, Yurei exhibits a significant flaw: it fails to delete existing Volume Shadow Copies (VSS). VSS are backup snapshots of files or entire volumes that, if enabled, allow victims to restore their files without paying the ransom. This oversight underscores the attackers’ lack of sophistication and highlights the importance of maintaining regular VSS snapshots as a defensive measure.

Following successful encryption, Yurei attempts to set a custom wallpaper via PowerShell. However, due to the absence of a valid URL, the command fails, resulting in a blank background. The embedded PowerShell snippet mirrors that of its Prince-Ransomware predecessor:

```powershell
# Empty URL: DownloadFile throws here, so no image is written and the desktop ends up blank
(New-Object System.Net.WebClient).DownloadFile('', "$env:TEMP\Wallpaper.png")
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public class Wallpaper {
    [DllImport("user32.dll", CharSet=CharSet.Auto)]
    public static extern bool SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni);
}
"@
# 20 = SPI_SETDESKWALLPAPER; 3 = SPIF_UPDATEINIFILE | SPIF_SENDCHANGE
[Wallpaper]::SystemParametersInfo(20, 0, "$env:TEMP\Wallpaper.png", 3)
```

The combination of rapid encryption, data exfiltration, and incomplete persistence techniques reflects a low-effort yet effective operation. As Yurei continues to target diverse sectors, security teams are urged to monitor for the distinct file extension `.Yurei`, enforce strict egress controls, and validate VSS snapshots to mitigate the impact of this emerging threat.
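The two defensive checks recommended above (validating that VSS snapshots exist and looking for the `.Yurei` extension) can be scripted for a Windows host as follows. This is an added example, not code from the Yurei or Prince-Ransomware analysis; the `$MaxAgeHours` threshold and the `$ScanRoots` locations are assumptions to adjust per environment.

```powershell
# Added defensive check; not part of the Yurei or Prince-Ransomware code.
# 1) For every NTFS volume, report the newest shadow copy and flag volumes with none
#    or with only stale ones. 2) Look for files carrying the .Yurei extension.
param(
    [int]$MaxAgeHours = 24,                                 # assumption: acceptable snapshot age
    [string[]]$ScanRoots = @("$env:SystemDrive\Users")      # assumption: where to look for hits
)

$shadows = Get-CimInstance -ClassName Win32_ShadowCopy
$volumes = Get-CimInstance -ClassName Win32_Volume |
           Where-Object { $_.DriveLetter -and $_.FileSystem -eq 'NTFS' }

$cutoff = (Get-Date).AddHours(-$MaxAgeHours)
foreach ($vol in $volumes) {
    # Win32_ShadowCopy.VolumeName holds the \\?\Volume{GUID}\ path that matches Win32_Volume.DeviceID
    $newest = $shadows | Where-Object { $_.VolumeName -eq $vol.DeviceID } |
              Sort-Object -Property InstallDate -Descending | Select-Object -First 1
    if (-not $newest) {
        Write-Warning "$($vol.DriveLetter): no shadow copies, no VSS restore point available"
    } elseif ($newest.InstallDate -lt $cutoff) {
        Write-Warning "$($vol.DriveLetter): newest shadow copy from $($newest.InstallDate) is older than $MaxAgeHours h"
    } else {
        Write-Output "$($vol.DriveLetter): OK, shadow copy $($newest.ID) from $($newest.InstallDate)"
    }
}

# Any file ending in .Yurei is a strong signal that encryption has already run on this host.
$hits = Get-ChildItem -Path $ScanRoots -Recurse -File -Filter '*.Yurei' -ErrorAction SilentlyContinue
if ($hits) {
    Write-Warning "$(@($hits).Count) file(s) with the .Yurei extension found; first: $(@($hits)[0].FullName)"
} else {
    Write-Output "No .Yurei files found under $($ScanRoots -join ', ')"
}
```

Run it from an elevated PowerShell session, since enumerating Win32_ShadowCopy requires administrator rights.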