Yurei Ransomware: A New Threat Targeting Global Industries
In September 2025, cybersecurity experts identified a new ransomware strain named Yurei, which has rapidly become a significant threat to various industries worldwide. This Go-based malware infiltrates corporate networks, encrypts critical data, deletes backups, and demands ransom payments, operating through a dedicated dark web site to negotiate with victims.
Targeted Industries and Victims
Yurei’s operators have primarily targeted sectors such as transportation and logistics, IT software, marketing and advertising, and food and beverage. Notable incidents include attacks on organizations in Sri Lanka and Nigeria. Unlike many modern ransomware operations, there is no clear evidence linking Yurei to Ransomware-as-a-Service models or collaborations with other cybercrime groups. The ransom demands are calculated on a case-by-case basis after assessing the financial status of each targeted company, though specific amounts have not been publicly disclosed.
Sophisticated Encryption Techniques
Yurei distinguishes itself through its encryption design. The malware uses ChaCha20-Poly1305 for file encryption, randomly generating a 32-byte key and a 24-byte nonce. The key is then wrapped with secp256k1-ECIES using a public key embedded in the binary, so only the threat actor holding the corresponding private key can unwrap it and decrypt the files. This two-layer design makes unauthorized decryption virtually impossible without paying the ransom.
File Encryption Process
Upon execution, Yurei enumerates all available drives on the infected system to identify encryption targets. To keep the system from failing outright, it deliberately excludes critical system directories such as Windows, System32, and Program Files, and it skips files with extensions such as .sys, .exe, .dll, and .Yurei (its own marker for encrypted files) so that already-encrypted files are not processed a second time. Files are encrypted in 64 KB blocks with ChaCha20-Poly1305, and the ECIES-wrapped key and the nonce are written at the beginning of each encrypted file, separated by the || delimiter.
The secp256k1-ECIES wrapping used by Yurei performs Elliptic Curve Diffie-Hellman to obtain a shared secret, passes that secret through a key derivation function to produce an AES-GCM key, and uses that key to encrypt the per-file ChaCha20 key. A randomly generated temporary nonce makes each wrap produce a different result, so victims cannot recover the per-file key on their own.
Ransom Note and Threats
After encryption, Yurei leaves a ransom note titled _README_Yurei.txt in the affected directories. The note threatens to delete the decryption key and leak stolen data, including databases, financial documents, and personal information, on the dark web if victims fail to respond within five days.
Propagation and Infection Mechanism
Yurei propagates across removable and network drives using PowerShell and native Windows utilities. It enumerates every accessible local and network drive, appends the .Yurei extension to each encrypted file, and writes a ransom note in every affected directory. Its operators demand payment over Tor and warn that shadow copies, backups, and log files have been irreversibly destroyed to frustrate recovery efforts.
Distributed primarily through stolen credentials and spear-phishing campaigns, Yurei exploits Windows Management Instrumentation (WMI) and credential-based remote execution to gain a foothold in corporate networks. After initial compromise, the binary stages itself in temporary folders and deploys PowerShell scripts that disable Volume Shadow Copy Service (VSS) and delete all existing backups.
Analysts noted that the ransomware’s combination of per-file ChaCha20 keys wrapped with ECIES and its self-cleaning routines makes forensic investigation exceedingly difficult.
Infection Mechanism and Lateral Propagation
The core of Yurei’s infection mechanism relies on PowerShell and native Windows utilities to propagate across removable and network drives. First, it queries all volumes of type removable via WMI and checks for an existing WindowsUpdate.exe at each root. If absent, it copies the ransomware executable from its temp staging directory. Next, it enumerates SMB shares via PowerShell’s Get-SmbShare cmdlet and iterates over each writable share path, using Copy-Item to drop System32Backup.exe.
Once copied, Yurei spawns each dropped instance remotely via a PSCredential-based CIM session or PsExec-style invocation, ensuring the payload executes under elevated privileges without user interaction. The script constructs a System.Management.Automation.PSCredential object and invokes Invoke-CimMethod to create a process on remote hosts, copying its own binary bytes to disk before execution.
By combining these propagation loops with aggressive anti-forensics (deleting VSS snapshots with vssadmin Delete Shadows /Quiet, clearing event logs, and overwriting its own binary in memory), Yurei is a highly automated, self-propagating threat built for maximum network penetration and irreversible data compromise.
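As an added defensive illustration (not code from the article, the malware, or any vendor), the following Python turns the propagation and anti-forensics steps described in this section, together with the ransom note and .Yurei extension from the earlier sections, into detection rules and runs them over constructed endpoint telemetry. The PowerShell query shapes it matches on (Win32_LogicalDisk with DriveType=2, Get-SmbShare piped into Copy-Item, Win32_Process Create via Invoke-CimMethod), the host names, and the event sources are assumptions about what such activity would look like in logs.

```python
import re

# Patterns for the behaviours described above. The query shapes assumed here
# (Win32_LogicalDisk with DriveType=2 for removable volumes, Get-SmbShare piped
# into Copy-Item) are illustrative guesses, not strings taken from the malware.
RULES = {
    "vss_delete":     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*?/quiet", re.I),
    "share_drop":     re.compile(r"Get-SmbShare[\s\S]*?Copy-Item[\s\S]*?System32Backup\.exe", re.I),
    "removable_drop": re.compile(r"(DriveType\s*=\s*2|Win32_LogicalDisk)[\s\S]*?WindowsUpdate\.exe", re.I),
    "remote_exec":    re.compile(r"PSCredential[\s\S]*?Invoke-CimMethod", re.I),
    "ransom_note":    re.compile(r"_README_Yurei\.txt", re.I),
    "yurei_ext":      re.compile(r"\.Yurei\b"),
}
# Post-encryption artefacts are conclusive on their own; propagation steps need corroboration.
CRITICAL = {"ransom_note", "yurei_ext"}

def match_rules(text):
    """Names of every rule whose pattern occurs in one event's text."""
    return [name for name, rx in RULES.items() if rx.search(text)]

def triage(events):
    """Map host -> 'high' | 'medium' from the distinct rules firing per host.
    A critical artefact, or two or more distinct behaviours, is 'high'; a single
    non-critical behaviour is 'medium'; hosts with no hits are omitted."""
    hits = {}
    for ev in events:
        for name in match_rules(ev["text"]):
            hits.setdefault(ev["host"], set()).add(name)
    return {h: "high" if (n & CRITICAL or len(n) >= 2) else "medium"
            for h, n in hits.items()}

# Constructed telemetry (not real captures): PowerShell script-block text (4104),
# Sysmon process creation (1) and file creation (11).
SAMPLE_EVENTS = [
    {"host": "WS01", "source": "PowerShell/4104", "text":
     r'Get-CimInstance Win32_LogicalDisk -Filter "DriveType=2" | ForEach-Object '
     r'{ if (-not (Test-Path "$($_.DeviceID)\WindowsUpdate.exe")) '
     r'{ Copy-Item $env:TEMP\svc.exe "$($_.DeviceID)\WindowsUpdate.exe" } }'},
    {"host": "WS01", "source": "PowerShell/4104", "text":
     r'Get-SmbShare | ForEach-Object { Copy-Item $env:TEMP\svc.exe "$($_.Path)\System32Backup.exe" }'},
    {"host": "WS01", "source": "PowerShell/4104", "text":
     r'$c = New-Object System.Management.Automation.PSCredential($u, $p); '
     r'Invoke-CimMethod -CimSession $s -ClassName Win32_Process -MethodName Create'},
    {"host": "WS01", "source": "Sysmon/1", "text": r"C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "WS02", "source": "Sysmon/1", "text": r"C:\Windows\System32\vssadmin.exe list shadows"},
    {"host": "WS02", "source": "PowerShell/4104", "text": "Get-SmbShare | Format-Table Name, Path"},
    {"host": "FS01", "source": "Sysmon/11", "text": r"TargetFilename: D:\Finance\Q3\_README_Yurei.txt"},
]
```

Benign administration (listing shadows, listing shares) produces no hit, while a host that both stages a payload on shares and deletes shadow copies is escalated without waiting for the ransom note to appear.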
Defensive Implications and Recommendations
Despite its technical sophistication, Yurei’s failure to remove Volume Shadow Copies reveals a critical weakness. Organizations with VSS enabled can recover files without paying ransom, although leaked data remains at risk.
To mitigate the threat posed by Yurei ransomware, organizations should implement the following measures:
1. Regular Backups: Maintain up-to-date backups of critical data and store them offline to prevent ransomware from accessing and encrypting them.
2. Patch Management: Keep all systems and software updated with the latest security patches to close vulnerabilities that ransomware could exploit.
3. User Training: Educate employees on recognizing phishing emails and other common attack vectors to reduce the risk of initial infection.
4. Access Controls: Implement strict access controls and least privilege principles to limit the spread of ransomware within the network.
5. Network Segmentation: Divide the network into segments to contain the spread of ransomware and limit its impact on the organization.
6. Incident Response Plan: Develop and regularly update an incident response plan to ensure a swift and coordinated response to ransomware attacks.
By adopting these proactive measures, organizations can enhance their resilience against Yurei ransomware and similar threats, minimizing potential damage and ensuring business continuity.