A new ransomware variant known as Yurei has emerged, and researchers at CYFIRMA describe it as a professional, double-extortion-ready operation. Written in Go and combining strong encryption with anti-forensic and self-propagation routines, Yurei is built to leave victims with no viable path to recovery other than the operator’s own decryptor.
“Yurei Ransomware is a sophisticated ransomware family designed to rapidly encrypt data, disable recovery options, and frustrate forensic investigation,” CYFIRMA explains in its technical analysis. “It appends a ‘.Yurei’ extension to encrypted files, deletes shadow copies and system backups, and erases event logs to block restoration and hinder response.”
CYFIRMA’s report notes that the malware is built in Go, a language favored by modern threat actors for its cross-platform capability and efficient concurrency model. Once executed, Yurei “stages its payload from temporary directories, deploys polished ransom notes with Tor-based contact channels, and executes secure deletion routines to erase artifacts.” These behaviors, the researchers conclude, are “hallmarks of a professional, double-extortion-ready operation optimized for speed, stealth, and irreversible impact.”
The ransomware generates a fresh ChaCha20 key for every file and wraps each one with the attacker’s ECIES public key, so the file keys never sit on disk in the clear and decryption is infeasible without the operator’s private key; with shadow copies gone, recovery depends on offline or otherwise unreachable backups. Each encrypted file is renamed with the ‘.Yurei’ extension, and a ransom note titled _README_Yurei.txt is planted in every directory.
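To make the recovery implication concrete, here is an added Go example of the same hybrid pattern the report describes: a random key per file, the file sealed under it, and that key wrapped to a public key by way of ECDH. This is illustrative code written for this page, not CYFIRMA’s or Yurei’s, and its primitive choices are assumptions: X25519 for the ECIES agreement, HKDF-SHA256 for the wrap key, and AES-256-GCM standing in for ChaCha20, which the Go standard library does not ship. All names (`EncryptFile`, `DecryptFile`, `EncryptedFile`, `wrapInfo`) are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Assumed primitives, chosen for this example rather than taken from the report: X25519 for the
// ECIES agreement, HKDF-SHA256 for the wrap key, AES-256-GCM standing in for ChaCha20.
const wrapInfo = "demo/file-key-wrap"

func hkdfSHA256(secret, salt, info []byte) []byte { // single-block HKDF (RFC 5869)
	extract := hmac.New(sha256.New, salt)
	extract.Write(secret)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(append(append([]byte{}, info...), 1)) // info || counter byte 0x01
	return expand.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBox returns nonce || ciphertext || tag; openBox reverses it and fails on a wrong key.
func sealBox(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func openBox(key, box, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil || len(box) < aead.NonceSize() {
		return nil, fmt.Errorf("bad key or truncated box")
	}
	return aead.Open(nil, box[:aead.NonceSize()], box[aead.NonceSize():], aad)
}

// EncryptedFile is all that survives on disk: the file key exists only in wrapped form.
type EncryptedFile struct {
	EphemeralPub []byte // one-time X25519 public key stored with the file
	WrappedKey   []byte // file key sealed under the ECDH-derived wrap key
	Ciphertext   []byte // file contents sealed under the file key
}

// EncryptFile draws a fresh random key per file and wraps it to the operator's public key.
func EncryptFile(operatorPub *ecdh.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	ct, err := sealBox(fileKey, plaintext, nil)
	if err != nil {
		return nil, err
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(operatorPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes() // used as HKDF salt and as AAD, binding the wrap to it
	wrapped, err := sealBox(hkdfSHA256(shared, ephPub, []byte(wrapInfo)), fileKey, ephPub)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{EphemeralPub: ephPub, WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptFile is the step only the holder of the operator's private key can perform.
func DecryptFile(operatorPriv *ecdh.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(ef.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := operatorPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	fileKey, err := openBox(hkdfSHA256(shared, ef.EphemeralPub, []byte(wrapInfo)), ef.WrappedKey, ef.EphemeralPub)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key, not the operator's private key: %w", err)
	}
	return openBox(fileKey, ef.Ciphertext, nil)
}

func main() {
	operator, _ := ecdh.X25519().GenerateKey(rand.Reader) // held only by the attacker
	ef, _ := EncryptFile(operator.PublicKey(), []byte("constructed sample: Q3 ledger"))
	stranger, _ := ecdh.X25519().GenerateKey(rand.Reader) // a responder without that key
	_, err := DecryptFile(stranger, ef)
	fmt.Println("without operator key:", err)
	pt, _ := DecryptFile(operator, ef)
	fmt.Println("with operator key:", string(pt))
}
```

Running it shows the point the report makes: the ephemeral public key, the wrapped key and the ciphertext are all a responder can pull from the host, and the first `DecryptFile` call fails at the unwrap step because a different private key derives a different wrap key. Nothing recoverable from the victim machine shortens that search, which is why a response plan should start from backups the malware could not reach rather than from key recovery.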
Yurei is far from a single-machine threat. It combines SMB shares, removable drives, and credential-based remote execution (via tools such as PsExec and PowerShell CIM sessions) to move laterally across a network.
The malware “copies itself to USB drives and disguises as WindowsUpdate.exe,” and also spreads via “writable SMB shares as System32_Backup.exe.” This combination, CYFIRMA notes, allows the infection to spread silently and persistently through both networked and physical vectors.
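Because the report names the on-disk artefacts precisely, a first-pass hunt across shares and removable media can be a plain file-name sweep. The Go program below is an added example written for this page (not CYFIRMA’s tooling and nothing taken from the Yurei binary): it walks a tree for the four indicators quoted above, hashes any dropper-named file so it can be triaged against published hashes, and builds its own constructed sample tree of placeholder files to run against. The indicator strings come from the report; the function names and the sample layout are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// File-system indicators taken from the CYFIRMA findings quoted on this page.
const (
	encryptedExt   = ".Yurei"
	ransomNoteName = "_README_Yurei.txt"
	usbDropperName = "WindowsUpdate.exe"   // copy planted on removable drives
	smbDropperName = "System32_Backup.exe" // copy planted on writable SMB shares
)

// Finding is one indicator hit. SHA256 is filled in for dropper candidates so they can be
// triaged by hash rather than by a name that a benign file could also carry.
type Finding struct {
	Path      string
	Indicator string
	SHA256    string
}

func hashFile(p string) string {
	f, err := os.Open(p)
	if err != nil {
		return ""
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return ""
	}
	return hex.EncodeToString(h.Sum(nil))
}

// ScanTree walks root (a read-only mount of a share, a USB image, an extracted disk) and
// returns every path matching an indicator. An unreadable root is an error; unreadable
// entries deeper in the tree are skipped so one bad ACL does not stop the sweep.
func ScanTree(root string) ([]Finding, error) {
	var hits []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			if p == root {
				return walkErr
			}
			return nil
		}
		if d.IsDir() {
			return nil
		}
		name := d.Name()
		switch {
		case strings.HasSuffix(name, encryptedExt):
			hits = append(hits, Finding{Path: p, Indicator: "encrypted file"})
		case name == ransomNoteName:
			hits = append(hits, Finding{Path: p, Indicator: "ransom note"})
		case strings.EqualFold(name, usbDropperName), strings.EqualFold(name, smbDropperName):
			hits = append(hits, Finding{Path: p, Indicator: "dropper filename", SHA256: hashFile(p)})
		}
		return nil
	})
	return hits, err
}

// Summarize counts hits per indicator, the shape an alert or ticket wants.
func Summarize(hits []Finding) map[string]int {
	counts := map[string]int{}
	for _, h := range hits {
		counts[h.Indicator]++
	}
	return counts
}

// WriteSampleTree lays out a constructed directory tree of placeholder bytes (no real
// malware) so the scanner can be exercised offline.
func WriteSampleTree(root string) error {
	files := map[string]string{
		"share/finance/budget.xlsx.Yurei": "ciphertext placeholder",
		"share/finance/_README_Yurei.txt": "ransom note placeholder",
		"share/finance/notes.txt":         "untouched file",
		"share/System32_Backup.exe":       "MZ placeholder",
		"usb/WindowsUpdate.exe":           "MZ placeholder",
	}
	for rel, body := range files {
		full := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(full, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, err := os.MkdirTemp("", "yurei-scan")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := WriteSampleTree(root); err != nil {
		panic(err)
	}
	hits, err := ScanTree(root)
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Printf("%-16s %s %s\n", h.Indicator, h.Path, h.SHA256)
	}
	fmt.Println(Summarize(hits))
}
```

Run it from a clean host against a read-only mount, never on a suspect machine, and weigh the hits differently: the ‘.Yurei’ extension and _README_Yurei.txt are high-confidence, while a WindowsUpdate.exe or System32_Backup.exe hit is a lead, since nothing in those names is unique to Yurei; that is why the hash is recorded, so it can be compared against the report’s indicators before anyone touches the file.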
Once the encryption cycle completes, Yurei invokes anti-forensic routines: overwriting memory, cleaning logs, and securely deleting its own binaries. The report details a “selfDestruct function intended to fully erase the malware after it runs,” which includes “three overwrite passes using cryptographically strong random bytes… before renaming and deleting the executable.” Responders should therefore expect to capture the sample from memory or EDR telemetry rather than from the disk of a machine where it has finished running.
Yurei’s ransom note reflects an operation aimed squarely at executives and decision-makers. During dynamic testing, CYFIRMA observed the ransomware dropping a message addressed “to management,” emphasizing total compromise, destroyed backups, and a threat of data leakage unless the ransom is paid swiftly. The note also advertises “a 24-hour test decryption” and uses Tor-based chat links and unique victim tokens for negotiation and tracking.
“Its authoritative tone and double-extortion demands are intended to coerce rapid payment,” the researchers warn.
Interestingly, Yurei appears to be heavily derived from Prince Ransomware, an open-source ransomware project available on GitHub. CYFIRMA’s static analysis revealed preserved symbol names such as PrinceCrypto.dll and InitPrinceKeys() inside Yurei’s binary, as well as identical cryptographic implementation patterns.
“Yurei’s binary retains function and module names from Prince,” CYFIRMA notes, “indicating code lineage.” The analysis also found “the same ChaCha20 + ECIES scheme, file handling logic, and ransom note structure,” though Yurei’s developers enhanced concurrency through Go’s goroutines for faster encryption.
The first Yurei sample was identified on September 5, 2025, with an initial victim in Sri Lanka’s food manufacturing sector. Despite the Japanese name “Yūrei” (ghost or spirit), CYFIRMA cautions against inferring the operators’ nationality from it, noting that later sample submissions came from Morocco, Germany, and Turkey.
Compile-time metadata further revealed a Windows username (“intellocker”) and a directory path (“D:\satanlockv2”), hinting at possible ties to SatanLockerV2, a previous ransomware strain.