Yurei Ransomware Uses Double-Extortion Tactics to Target Windows Networks
Overview
Yurei is a sophisticated ransomware strain that employs a double-extortion model, combining data encryption with data exfiltration. It primarily targets Windows-based networks, leveraging both network and physical vectors for propagation. The malware is written in Go and is derived from the open-source Prince Ransomware project, allowing threat actors to quickly deploy and customize the malware with minimal effort.
Who It Impacts
Yurei primarily targets organizations in sectors such as manufacturing, healthcare, and finance. The first known Yurei sample was detected on September 5, 2025, targeting a food manufacturing company in Sri Lanka. Subsequent infections have been reported in Germany, Turkey, and Morocco, indicating a rapidly expanding global campaign.
How It Impacts
- Data Encryption: Yurei uses the ChaCha20 algorithm to encrypt files, appending the .Yurei extension. Each file is encrypted with a unique key, which is then wrapped using ECIES encryption with the attacker's public key; because the per-file keys can only be unwrapped with the attacker's private key, decryption without the attacker's cooperation is virtually impossible.
- Data Exfiltration: In addition to encrypting files, Yurei exfiltrates sensitive data and threatens to publish or sell it unless a ransom is paid. This dual threat increases pressure on victims to comply.
- Propagation Methods: Yurei spreads through SMB shares, removable drives, and remote execution tools like PsExec and CIM. It disguises itself as System32_Backup.exe on SMB shares and WindowsUpdate.exe on USB drives, facilitating lateral movement across networks.
- Anti-Forensics Measures: After encryption, Yurei employs anti-forensic techniques, including overwriting memory, cleaning logs, and securely deleting its own binaries, making forensic investigation challenging.
- Ransom Note: A ransom note titled _README_Yurei.txt is dropped in every directory, demanding payment and threatening data leakage. Victims are provided with a Tor-based chat link and a unique victim token for negotiation.
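The propagation and anti-forensics behaviour described above leaves traces in Windows event logs before the logs are wiped, provided they are forwarded off-host. The following Python is an added example for this advisory (not code from Check Point or the referenced articles) that triages exported event records for two of those traces: the PSEXESVC service that PsExec installs on a remote host (System event 7045), and log clearing (Security 1102 "the audit log was cleared", System 104 "log file was cleared"). The event records, host names and timestamps are constructed, simplified exports with fields named after the Windows event XML, not real telemetry.

```python
"""Triage exported Windows event records for PsExec installs and log clearing.

Added example for this advisory, not code from the referenced research.
EVENTS is constructed sample data shaped like a simplified JSON export of
Windows event logs (one dict per event); it is not real telemetry.

Detections used (all standard Windows event IDs):
  Security 1102 - the audit (Security) log was cleared
  System   104  - a log file (for example System) was cleared
  System   7045 - a service was installed; PSEXESVC is the service PsExec installs
"""
from collections import defaultdict
from typing import Dict, List, Optional

EVENTS = [  # constructed sample data; times are ISO-8601 strings
    {"host": "FS01", "channel": "Security", "event_id": 4624,
     "time": "2025-09-05T02:10:09", "data": {"LogonType": "3"}},
    {"host": "FS01", "channel": "System", "event_id": 7045,
     "time": "2025-09-05T02:10:11",
     "data": {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}},
    {"host": "FS01", "channel": "Security", "event_id": 1102,
     "time": "2025-09-05T02:41:50", "data": {}},
    {"host": "FS01", "channel": "System", "event_id": 104,
     "time": "2025-09-05T02:41:52", "data": {"Channel": "System"}},
    {"host": "WS17", "channel": "System", "event_id": 7045,
     "time": "2025-09-05T02:12:03",
     "data": {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}},
    {"host": "WS22", "channel": "System", "event_id": 7045,
     "time": "2025-09-04T18:00:00",
     "data": {"ServiceName": "MyBackupAgent", "ImagePath": r"C:\Program Files\Backup\agent.exe"}},
]

LOG_CLEARED = {"audit-log-cleared", "log-cleared"}


def classify(event: dict) -> Optional[str]:
    """Map one event record to an indicator tag, or None if it is not of interest."""
    channel, event_id, data = event["channel"], event["event_id"], event["data"]
    if channel == "Security" and event_id == 1102:
        return "audit-log-cleared"
    if channel == "System" and event_id == 104:
        return "log-cleared"
    if channel == "System" and event_id == 7045 \
            and data.get("ServiceName", "").upper() == "PSEXESVC":
        return "psexec-service-installed"
    return None


def triage(events: List[dict]) -> Dict[str, dict]:
    """Group indicators per host and assign a severity.

    high   - PsExec service install followed later by log clearing on the same host
    medium - log clearing without a preceding PsExec install
    low    - PsExec install alone (legitimate admin use is common)
    Hosts with no indicators are omitted.
    """
    per_host: Dict[str, dict] = defaultdict(lambda: {"indicators": [], "severity": "none"})
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO strings sort chronologically
        tag = classify(ev)
        if tag:
            per_host[ev["host"]]["indicators"].append((ev["time"], tag))

    for record in per_host.values():
        psexec_times = [t for t, tag in record["indicators"] if tag == "psexec-service-installed"]
        cleared_times = [t for t, tag in record["indicators"] if tag in LOG_CLEARED]
        if psexec_times and cleared_times and min(cleared_times) >= min(psexec_times):
            record["severity"] = "high"
        elif cleared_times:
            record["severity"] = "medium"
        else:
            record["severity"] = "low"
    return dict(per_host)


if __name__ == "__main__":
    for host, record in triage(EVENTS).items():
        print(host, record["severity"], [tag for _, tag in record["indicators"]])
```

Event 7045 alone is noisy in environments where administrators use PsExec legitimately, which is why it is only rated low on its own; the combination with 1102/104 on the same host, in that order, is what matches the "remote execution, then clean up" sequence this advisory describes.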
Targeted Products
- Operating Systems: Windows 7, 10, 11
- Network Protocols: SMB, RDP
- Remote Execution Tools: PsExec, CIM
- Backup Solutions: Volume Shadow Copy Service (VSS)
Indicators of Compromise
| Type | Indicator / Value |
|---|---|
| Onion Page | fewcriet5rhoy66k6c4cyvb2pqrblxtx4mekj3s5l4jjt4t4kn4vheyd[.]onion |
| File Extension | [.]Yurei |
| Ransom Note | _README_Yurei[.]txt |
| SHA-256 Sample | 49c720758b8a87e42829ffb38a0d7fe2a8c36dc3007abfabbea76155185d2902 |
| SHA-256 Sample | 4f88d3977a24fb160fc3ba69821287a197ae9b04493d705dc2fe939442ba6461 |
| SHA-256 Sample | 1ea37e077e6b2463b8440065d5110377e2b4b4283ce9849ac5efad6d664a8e9e |
| SHA-256 Sample | 10700ee5caad40e74809921e11b7e3f2330521266c822ca4d21e14b22ef08e1d |
| SHA-256 Sample | 89a54d3a38d2364784368a40ab228403f1f1c1926892fe8355aa29d00eb36819 |
| SHA-256 Sample | f5e122b60390bdcc1a17a24cce0cbca68475ad5abee6b211b5be2dea966c2634 |
| SHA-256 Sample | 0303f89829763e734b1f9d4f46671e59bfaa1be5d8ec84d35a203efbfcb9bb15 |
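The indicators above are defanged (`[.]` in place of `.`) so they are safe to paste around, which means they have to be refanged before they can be matched against a file system. The following Python is an added example for this advisory, not code from Check Point or the referenced articles: it takes the IoCs exactly as printed in the table plus the disguised file names from the propagation section, refangs them, and walks a directory tree (a file share mounted on an analysis host, for example) flagging the `.Yurei` extension, the ransom note, the `System32_Backup.exe`/`WindowsUpdate.exe` copies and any executable whose SHA-256 is in the sample list. `build_sample_tree()` creates a constructed directory with harmless stub files to exercise the scanner; none of those files is real malware and none of them hashes to a listed sample.

```python
"""Scan a directory tree for the Yurei indicators listed in this advisory.

Added example for this advisory, not code from the referenced research.
The defanged IoC strings are copied from the table above; refang() restores
the dots before matching. build_sample_tree() writes constructed stub files
for demonstration only.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import List

# Indicators as printed (defanged) in the advisory table.
DEFANGED_EXTENSION = "[.]Yurei"
DEFANGED_RANSOM_NOTE = "_README_Yurei[.]txt"
SAMPLE_SHA256 = {
    "49c720758b8a87e42829ffb38a0d7fe2a8c36dc3007abfabbea76155185d2902",
    "4f88d3977a24fb160fc3ba69821287a197ae9b04493d705dc2fe939442ba6461",
    "1ea37e077e6b2463b8440065d5110377e2b4b4283ce9849ac5efad6d664a8e9e",
    "10700ee5caad40e74809921e11b7e3f2330521266c822ca4d21e14b22ef08e1d",
    "89a54d3a38d2364784368a40ab228403f1f1c1926892fe8355aa29d00eb36819",
    "f5e122b60390bdcc1a17a24cce0cbca68475ad5abee6b211b5be2dea966c2634",
    "0303f89829763e734b1f9d4f46671e59bfaa1be5d8ec84d35a203efbfcb9bb15",
}
# Names the advisory says Yurei uses for its copies on SMB shares and USB drives.
DISGUISED_NAMES = {"system32_backup.exe", "windowsupdate.exe"}


def refang(value: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into a matchable string."""
    return value.replace("[.]", ".")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root) -> List[dict]:
    """Return one finding per suspicious file: its relative path and the reasons."""
    root = Path(root)
    extension = refang(DEFANGED_EXTENSION).lower()
    ransom_note = refang(DEFANGED_RANSOM_NOTE).lower()
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()  # NTFS names are case-insensitive
        reasons = []
        if name.endswith(extension):
            reasons.append("encrypted-file-extension")
        if name == ransom_note:
            reasons.append("ransom-note")
        if name in DISGUISED_NAMES:
            reasons.append("disguised-binary-name")
        # Hashing is the expensive step: only hash executables and files
        # that are already suspicious for another reason.
        if (reasons or name.endswith(".exe")) and sha256_of(path) in SAMPLE_SHA256:
            reasons.append("known-sample-hash")
        if reasons:
            findings.append({"path": str(path.relative_to(root)), "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree() -> str:
    """Create a constructed directory that mimics a share after an infection (stub files only)."""
    root = Path(tempfile.mkdtemp(prefix="yurei_demo_"))
    (root / "finance").mkdir()
    (root / "finance" / "Q3_report.xlsx").write_bytes(b"benign spreadsheet bytes")
    (root / "finance" / "Q3_report.xlsx.Yurei").write_bytes(os.urandom(64))
    (root / "finance" / "_README_Yurei.txt").write_text("constructed ransom note placeholder")
    (root / "System32_Backup.exe").write_bytes(b"MZ constructed stub, not malware")
    (root / "tools").mkdir()
    (root / "tools" / "putty.exe").write_bytes(b"MZ benign stub")
    return str(root)


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding["path"], finding["reasons"])
```

Matching on extension and note name will also surface files a user renamed by accident, so treat the path and reason list as triage input rather than a verdict; the hash match is the only reason that ties a file to a listed sample.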
Recommendations
- Backup and Recovery:
  - Maintain immutable backups and ensure they are not accessible from the network.
  - Regularly test backup restoration processes to ensure data integrity.
- Network Segmentation:
  - Implement network segmentation to limit lateral movement of malware.
  - Restrict access to critical systems and data based on the principle of least privilege.
- Access Controls:
  - Enforce strong authentication mechanisms, such as multi-factor authentication (MFA), for all remote access.
  - Disable legacy protocols and ensure that only necessary ports and services are open.
- Monitoring and Detection:
  - Deploy endpoint detection and response (EDR) solutions to detect and respond to malicious activities.
  - Monitor network traffic for unusual patterns indicative of data exfiltration.
- Incident Response Planning:
  - Develop and regularly update an incident response plan to address ransomware attacks.
  - Conduct regular training and simulations to ensure readiness.
References:
https://cybersecuritynews.com/yurei-ransomware-leverages-smb-shares/
https://research.checkpoint.com/2025/yurei-the-ghost-of-open-source-ransomware/