Yurei Ransomware Exploits SMB Shares and Removable Drives to Encrypt Files

In early September 2025, a new ransomware variant named Yurei emerged, targeting Windows systems with a sophisticated Go-based payload designed for rapid and extensive file encryption. Upon execution, Yurei systematically scans all accessible local and network drives, appending a .Yurei extension to each file and depositing unique ransom notes in every affected directory. The attackers demand payment through the Tor network, asserting that shadow copies, backups, and log files have been permanently deleted to hinder recovery efforts.

Distribution and Initial Compromise

Yurei primarily infiltrates systems through stolen credentials and spear-phishing campaigns. Once inside a network, it utilizes Windows Management Instrumentation (WMI) and credential-based remote execution to establish a foothold. The ransomware then stages itself in temporary folders and deploys PowerShell scripts to disable the Volume Shadow Copy Service (VSS) and delete all existing backups, effectively crippling standard recovery mechanisms.

Encryption Mechanism

The ransomware employs the ChaCha20 stream cipher, generating a unique key for each file. Each per-file key is then encrypted using the Elliptic Curve Integrated Encryption Scheme (ECIES) under the attackers’ public key. This dual-layer (hybrid) encryption ensures that each file is securely locked, and the wrapped key is stored in a custom header delimited by the ASCII marker `0x7c7c` (the two bytes `||`). This method not only secures the encrypted data but also complicates forensic analysis and decryption efforts.
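The header layout described above can be used for incident-response triage. The following PowerShell script is an added example, not code from the report or from the Yurei authors: it finds files carrying the `.Yurei` extension, locates the first `0x7c7c` (`||`) marker, and records the bytes in front of it together with a SHA-256 of the file, so that the wrapped per-file keys are preserved as evidence should a decryptor for the attackers’ private key ever become available. It assumes (the report does not say so explicitly) that the ECIES-wrapped key sits before the marker and the ChaCha20 ciphertext after it; the `Get-YureiTriage` and `Find-YureiMarker` names and the `D:\affected` / `C:\ir` paths are illustrative.

```powershell
# Added example, not code from the original report or from the Yurei authors.
# Purpose: identify encrypted files by the .Yurei extension, locate the first
# 0x7c7c ("||") marker and record the bytes before it as evidence.
# ASSUMPTION: the bytes before the marker are the ECIES-wrapped per-file key and
# the bytes after it are the ChaCha20 ciphertext; the report only states that the
# marker delimits the custom header. Files are opened read-only and never modified.

function Find-YureiMarker {
    # Returns the offset of the first "||" (0x7c 0x7c) pair in $Buffer, or -1 if absent.
    param([byte[]]$Buffer)
    for ($i = 0; $i -lt $Buffer.Length - 1; $i++) {
        if ($Buffer[$i] -eq 0x7c -and $Buffer[$i + 1] -eq 0x7c) { return $i }
    }
    return -1
}

function Get-YureiTriage {
    param(
        [Parameter(Mandatory)][string]$Root,
        [int]$HeaderScanBytes = 4096   # only this many leading bytes are read per file
    )
    Get-ChildItem -Path $Root -Recurse -File -Filter '*.Yurei' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file   = $_
            $stream = [System.IO.File]::OpenRead($file.FullName)
            try {
                $buf  = New-Object byte[] ([int][Math]::Min([long]$HeaderScanBytes, $stream.Length))
                $read = $stream.Read($buf, 0, $buf.Length)
            } finally { $stream.Dispose() }

            # Empty files yield an empty buffer; guard the slice so no marker search runs on it.
            $data = if ($read -gt 0) { [byte[]]($buf[0..($read - 1)]) } else { [byte[]]@() }
            $idx  = Find-YureiMarker -Buffer $data

            [pscustomobject]@{
                Path         = $file.FullName
                SizeBytes    = $file.Length
                MarkerOffset = $idx                        # -1 = no marker within the scanned prefix
                HeaderLength = if ($idx -ge 0) { $idx } else { $null }
                HeaderHex    = if ($idx -gt 0) { -join ($data[0..($idx - 1)] | ForEach-Object { $_.ToString('x2') }) } else { $null }
                Sha256       = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            }
        }
}

# Usage: one row per encrypted file, written to an evidence CSV on a clean volume.
Get-YureiTriage -Root 'D:\affected' | Export-Csv -LiteralPath 'C:\ir\yurei_triage.csv' -NoTypeInformation
```

A consistent `HeaderLength` across many files is a useful sanity check on the assumed layout: an ECIES-wrapped key of fixed size should produce the same marker offset in every file, while varying offsets would indicate that the marker delimits something else and that the header needs to be re-examined before any recovery attempt.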

Propagation Techniques

Yurei’s propagation strategy is notably aggressive and multifaceted. It enters an infinite propagation loop, copying itself onto USB devices as WindowsUpdate.exe and into writable SMB shares as System32Backup.exe. This dual propagation method allows the malware to bypass network segmentation controls and spread laterally across connected systems with minimal detection.

Removable Media Propagation

The ransomware queries all removable volumes via WMI and checks for the presence of WindowsUpdate.exe at each root directory. If the file is absent, Yurei copies its executable from the temporary staging directory to the removable drive. This ensures that any connected USB devices become carriers of the malware, facilitating its spread to other systems when the devices are connected elsewhere.

Network Share Propagation

Yurei enumerates SMB shares using PowerShell’s Get-SmbShare cmdlet and iterates over each writable share path. It then uses the Copy-Item command to drop System32Backup.exe into these shares. Subsequently, Yurei remotely executes each dropped instance via a PSCredential-based CIM session or PsExec-style invocation, ensuring the payload runs with elevated privileges without user interaction.
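Because the two drop names and their locations are fixed, they make a simple hunting signature. The script below is an added example written for defenders, not code from the report or from the malware: it performs a read-only sweep of the same two places the report describes (the root of every removable volume, found with the same WMI class the malware queries, and the path of every SMB share hosted on the machine) and reports any `WindowsUpdate.exe` or `System32Backup.exe` it finds, with hash, creation time and signature status, without copying or executing anything. `Get-YureiDropCandidates` is an illustrative name; the report provides no file hashes, so the SHA-256 values are collected for comparison against whatever IoCs your vendor publishes.

```powershell
# Added example, not code from the original report. Read-only hunt for the two
# file names Yurei is reported to drop; nothing is copied, executed or deleted.
# ASSUMPTION: names and drop locations are exactly as the report describes.
$DropNames = @{
    Removable = 'WindowsUpdate.exe'    # reported at the root of removable volumes
    Share     = 'System32Backup.exe'   # reported inside writable SMB shares
}

function Get-YureiDropCandidates {
    $hits = @()

    # DriveType 2 = removable disk in Win32_LogicalDisk, the same WMI view the malware enumerates.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $p = Join-Path -Path ($_.DeviceID + '\') -ChildPath $DropNames.Removable
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $hits += [pscustomobject]@{ Source = 'Removable'; Location = $_.DeviceID; Path = $p }
        }
    }

    # Shares hosted on this machine; IPC$ has no filesystem path and is skipped.
    Get-SmbShare | Where-Object { $_.Path } | ForEach-Object {
        $p = Join-Path -Path $_.Path -ChildPath $DropNames.Share
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $hits += [pscustomobject]@{ Source = 'SmbShare'; Location = $_.Name; Path = $p }
        }
    }

    # Enrich each hit with the evidence an analyst wants before deciding it is malicious.
    foreach ($h in $hits) {
        $item = Get-Item -LiteralPath $h.Path
        $sig  = Get-AuthenticodeSignature -LiteralPath $h.Path
        $h | Add-Member -NotePropertyName Sha256     -NotePropertyValue (Get-FileHash -LiteralPath $h.Path -Algorithm SHA256).Hash
        $h | Add-Member -NotePropertyName CreatedUtc -NotePropertyValue $item.CreationTimeUtc
        $h | Add-Member -NotePropertyName Signature  -NotePropertyValue $sig.Status   # 'Valid', 'NotSigned', ...
    }
    return $hits
}

Get-YureiDropCandidates | Format-Table -AutoSize
```

Run it on file servers first, since that is where writable shares concentrate, and wrap it in `Invoke-Command` to cover a fleet. Treat every hit as evidence rather than something to delete on the spot: a genuine Windows Update binary never lives at a removable drive root, so even a validly signed file in these locations deserves an image and a timeline before cleanup.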

Anti-Forensic Measures

To evade detection and hinder recovery, Yurei implements several anti-forensic techniques:

– Disabling VSS and Deleting Backups: The ransomware executes commands to disable the Volume Shadow Copy Service and delete all existing backups, preventing recovery of encrypted files.

– Clearing Event Logs: Yurei clears system event logs to erase traces of its activities, complicating forensic investigations.

– In-Memory Execution: The malware overwrites its binary in memory, reducing the likelihood of detection by traditional antivirus solutions.
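Each of the first two anti-forensic steps leaves a trace that the malware cannot erase after the fact, which makes them good detection points. The script below is an added example, not code from the report: it queries the Windows event logs for log-clearing records (Security event 1102 and System event 104, which are written by the act of clearing a log), for Service Control Manager event 7040 recording a change to the Volume Shadow Copy service's start type, and for process-creation events (Security 4688 or Sysmon event 1) whose command line matches common shadow-copy deletion, VSS-disabling or log-clearing patterns. It assumes that process-creation auditing with command-line logging, or Sysmon, is enabled on the host; the `Get-YureiAntiForensicEvents` name is illustrative and the pattern list is standard detection content, not the report's description of what Yurei runs.

```powershell
# Added example, not code from the original report. Hunts Windows event logs for
# traces of the anti-forensic steps described above (VSS disabled, shadow copies or
# backups deleted, event logs cleared).
# ASSUMPTIONS: Security 4688 with command-line logging and/or Sysmon event 1 is
# enabled; otherwise only the log-clearing and service-change events will fire.
# Event IDs 1102, 104, 7040 and 4688 are standard Windows IDs; Sysmon ID 1 is
# Sysmon's process-creation event.
$SuspectCommandPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'Win32_ShadowCopy',
    'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)',
    '(Stop|Set)-Service\b.*\bVSS\b',
    'sc(\.exe)?\s+config\s+vss\s+start=\s*disabled',
    'wevtutil(\.exe)?\s+cl\b',
    'Clear-EventLog'
) -join '|'

function Get-YureiAntiForensicEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $findings = @()

    # Clearing a log writes a record the attacker cannot suppress:
    # 1102 in Security (audit log cleared) and 104 in System (any other log cleared).
    foreach ($q in @(@{LogName='Security'; Id=1102}, @{LogName='System'; Id=104})) {
        Get-WinEvent -FilterHashtable ($q + @{StartTime=$Since}) -ErrorAction SilentlyContinue | ForEach-Object {
            $findings += [pscustomobject]@{ Time=$_.TimeCreated; Log="$($q.LogName)/$($_.Id)"; Finding='Event log cleared'; Evidence=$null }
        }
    }

    # 7040 = Service Control Manager recorded a start-type change; keep only the VSS service.
    Get-WinEvent -FilterHashtable @{LogName='System'; Id=7040; StartTime=$Since} -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Volume Shadow Copy' } | ForEach-Object {
            $findings += [pscustomobject]@{ Time=$_.TimeCreated; Log='System/7040'; Finding='VSS service start type changed'; Evidence=($_.Message -split "`r?`n")[0] }
        }

    # Process-creation events whose command line matches a backup-destruction or log-clearing pattern.
    foreach ($q in @(@{LogName='Security'; Id=4688}, @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1})) {
        Get-WinEvent -FilterHashtable ($q + @{StartTime=$Since}) -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match $SuspectCommandPatterns } | ForEach-Object {
                $evt  = $_
                $line = $evt.Message -split "`r?`n" | Where-Object { $_ -match $SuspectCommandPatterns } | Select-Object -First 1
                $findings += [pscustomobject]@{
                    Time     = $evt.TimeCreated
                    Log      = "$($q.LogName)/$($evt.Id)"
                    Finding  = 'Backup/VSS/log-clearing command'
                    Evidence = if ($line) { $line.Trim() } else { $null }
                }
            }
    }
    return $findings | Sort-Object Time
}

Get-YureiAntiForensicEvents -Since (Get-Date).AddDays(-3) | Format-Table -AutoSize -Wrap
```

The 1102 and 104 records are the most dependable signal here, because they are written by the clearing operation itself; a cleared Security log that begins with a 1102 event is a finding on its own. The command-line patterns only help where command-line auditing is actually enabled, which is worth confirming in advance, and event logs should in any case be forwarded to a collector so that a local clear does not also erase the evidence of it.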

Implications and Recommendations

Yurei’s combination of rapid encryption, aggressive propagation, and robust anti-forensic measures makes it a formidable threat to organizations. Its ability to spread through both removable media and network shares increases the risk of widespread infection.

To mitigate the threat posed by Yurei and similar ransomware variants, organizations should implement the following measures:

1. Regular Backups: Maintain up-to-date backups of critical data and store them offline to prevent ransomware from accessing and encrypting them.

2. Network Segmentation: Divide networks into segments to limit the spread of malware and restrict access to sensitive data.

3. User Education: Train employees to recognize phishing attempts and avoid opening suspicious emails or attachments.

4. Access Controls: Implement strict access controls and regularly review user permissions to minimize the risk of unauthorized access.

5. Patch Management: Keep all systems and software updated with the latest security patches to address known vulnerabilities.

6. Endpoint Protection: Deploy advanced endpoint protection solutions capable of detecting and responding to ransomware threats.

7. Incident Response Plan: Develop and regularly update an incident response plan to ensure a swift and coordinated response to ransomware attacks.

By adopting these proactive measures, organizations can enhance their resilience against ransomware attacks like Yurei and protect their critical assets from compromise.