New Yurei Ransomware Emerges: Go-Based Threat Uses ChaCha20-Poly1305 for Irreversible Double Extortion

Security researchers at AhnLab have identified Yurei, a newly emerging ransomware group first observed in early September 2025. The group operates with a classic double-extortion model, infiltrating corporate networks, encrypting data, deleting backups, and demanding ransom for stolen information.

While many modern ransomware groups rely on Ransomware-as-a-Service (RaaS) ecosystems, Yurei currently appears to operate independently. AhnLab notes that “there is no clear evidence of their involvement in Ransomware as a Service (RaaS) or collaboration with other groups, there have been no reports of rebranding or modification of existing ransomware groups. Contact with victims is made through their dedicated dark web site.”

Yurei’s attacks have already impacted organizations in Sri Lanka and Nigeria, with targeted industries including:

• Transportation & logistics
• IT software
• Marketing & advertising
• Food & beverage

Yurei is written in Go, but unlike many other strains, it performs encryption with minimal preparation. The analysis highlights that “Yurei is a ransomware strain developed in Go” and uniquely “performs an encryption preparation routine without any special initial routines, such as changing permissions, setting argument values, creating mutexes, or decrypting strings, typically found in other ransomware strains.”

The malware immediately collects drive information and recursively searches for files to encrypt across all accessible storage paths.

To avoid destabilizing the victim’s operating system, Yurei excludes numerous directories, file types, and filenames from encryption. These include:

• 19 system directories (e.g., windows, system32, program files, efi)
• 14 file extensions (e.g., .sys, .dll, .exe, .Yurei)
• 7 specific files, including its own ransom note _README_Yurei.txt

AhnLab explains that Yurei’s exclusion logic is intentional: it avoids “re-encrypting files that have already been encrypted” and ensures victims can “check the ransom note and proceed with negotiations.”

Yurei uses a dual-layer cryptographic model combining:

• ChaCha20-Poly1305 for fast symmetric file encryption
• secp256k1-ECIES for securing the encryption keys

According to the analysis, “It uses the ChaCha20-Poly1305 algorithm for file encryption and generates a 32-byte key and a 24-byte nonce as random values.” These values are then “encrypted using the embedded public key in the secp256k1-ECIES method and stored inside the encrypted file.”

AhnLab emphasizes that this design “ensures that only the threat actor with the corresponding secp256k1-ECIES private key can decrypt the file.”

This approach makes unauthorized recovery virtually impossible without the attacker’s cooperation.

Yurei’s ransom note claims the attackers have:

• Breached internal infrastructure
• Deleted all accessible backups
• Stolen sensitive data (databases, financial documents, legal records, personal information)

The attackers warn that both self-recovery attempts and external recovery services may corrupt data, and threaten to leak or sell stolen information if victims fail to respond within five days.

Related Posts:

• New Yurei Ransomware Emerges: Go-Based Variant Uses Advanced Anti-Forensics for Irreversible Double Extortion
• Yurei: The New Ransomware Group Using Open-Source Code to Target Businesses
• Intel GPU Performance Hit by Security Mitigations: Ubuntu Weighs Disabling Them for 20% Boost
• Canonical Releases the New Minimal Ubuntu OS