A new ransomware variant known as Yurei Ransomware has emerged, and according to researchers from CYFIRMA, it represents one of the most polished and professional double-extortion operations seen to date. Developed in Go and equipped with advanced encryption, anti-forensic, and propagation techniques, Yurei has been designed to leave victims with no viable path to recovery.
“Yurei Ransomware is a sophisticated ransomware family designed to rapidly encrypt data, disable recovery options, and frustrate forensic investigation,” CYFIRMA explains in its technical analysis. “It appends a ‘.Yurei’ extension to encrypted files, deletes shadow copies and system backups, and erases event logs to block restoration and hinder response.”
CYFIRMA’s report notes that the malware is built in Go, a language favored by modern threat actors for its cross-platform capability and efficient concurrency model. Once executed, Yurei “stages its payload from temporary directories, deploys polished ransom notes with Tor-based contact channels, and executes secure deletion routines to erase artifacts.” These behaviors, the researchers conclude, are “hallmarks of a professional, double-extortion-ready operation optimized for speed, stealth, and irreversible impact.”
The ransomware uses per-file ChaCha20 encryption keys that are individually wrapped with the attacker’s ECIES public key, making file decryption virtually impossible without the operator’s cooperation. It then renames each encrypted file with the “.Yurei” extension and plants ransom notes titled _README_Yurei.txt in every directory.
Yurei is far from a single-machine threat. It leverages a combination of SMB shares, removable drives, and credential-based remote execution (using tools such as PsExec and CIM sessions) to move laterally across networks.
The malware “copies itself to USB drives and disguises as WindowsUpdate.exe,” and also spreads via “writable SMB shares as System32_Backup.exe.” This combination, CYFIRMA notes, allows the infection to spread silently and persistently through both networked and physical vectors.
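The file-system artifacts described above (the “.Yurei” extension, a `_README_Yurei.txt` note in every directory, `WindowsUpdate.exe` dropped on USB drives and `System32_Backup.exe` on SMB shares) are enough for a simple host-side triage check. The following is an added example, not code from CYFIRMA's report or the Yurei binary: it scores a list of Windows paths such as a file-audit or EDR export would provide; the sample paths, the threshold and the “any non-C: drive is removable” rule are constructed assumptions for the demo.

```python
from collections import Counter
from pathlib import PureWindowsPath

RANSOM_NOTE = "_readme_yurei.txt"  # note the article says is dropped in every directory
ENCRYPTED_EXT = ".yurei"           # extension appended to encrypted files
# Filenames the article reports for copies on USB drives and writable SMB shares.
PROPAGATION_NAMES = {"windowsupdate.exe", "system32_backup.exe"}
SYSTEM_DRIVES = {"c:"}   # assumption: any other drive letter is treated as removable
ENCRYPTED_THRESHOLD = 3  # assumption: fewer hits are treated as possible false positives

def classify(path):
    # Map one Windows path to an indicator class, or None if it matches nothing.
    p = PureWindowsPath(path)
    name = p.name.lower()
    if p.suffix.lower() == ENCRYPTED_EXT:
        return "encrypted_file"
    if name == RANSOM_NOTE:
        return "ransom_note"
    if name in PROPAGATION_NAMES:
        if p.drive.startswith("\\\\"):  # UNC path: copy written to an SMB share
            return "smb_propagation"
        if p.parent == PureWindowsPath(p.anchor) and p.drive.lower() not in SYSTEM_DRIVES:
            return "usb_propagation"     # dropped at the root of a removable drive
    return None  # the same filename elsewhere on the system drive is not flagged

def triage(paths):
    # Aggregate indicators over a list of paths and assign a severity.
    counts, spread = Counter(), []
    for path in paths:
        kind = classify(path)
        if kind:
            counts[kind] += 1
        if kind and kind.endswith("_propagation"):
            spread.append(path)
    if counts["encrypted_file"] >= ENCRYPTED_THRESHOLD and counts["ransom_note"]:
        severity = "critical"  # encryption is already under way
    elif spread:
        severity = "high"      # staged copies found, encryption not (yet) seen
    else:
        severity = "low" if counts else "none"
    return {"severity": severity, "counts": dict(counts), "propagation": spread}

SAMPLE_PATHS = [  # constructed: what a file-audit export from a hit host might show
    r"C:\Users\alice\Documents\Q3.xlsx.Yurei",
    r"C:\Users\alice\Documents\plan.docx.Yurei",
    r"C:\Users\alice\Documents\_README_Yurei.txt",
    r"C:\Shares\finance\ledger.db.Yurei",
    r"C:\Shares\finance\_README_Yurei.txt",
    r"E:\WindowsUpdate.exe",
    r"\\fileserver\public\System32_Backup.exe",
    r"C:\Users\alice\Downloads\WindowsUpdate.exe",
]
```

Running `triage(SAMPLE_PATHS)` on the constructed list returns severity `critical` with two propagation hits; the `WindowsUpdate.exe` in a user's Downloads folder is deliberately not counted, since only the removable-root and SMB-share placements match the reported behaviour.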
Once the encryption cycle completes, Yurei invokes anti-forensic routines — overwriting memory, cleaning logs, and securely deleting its own binaries. The report details a “selfDestruct function intended to fully erase the malware after it runs,” which includes “three overwrite passes using cryptographically strong random bytes… before renaming and deleting the executable.”
Yurei’s ransom note reflects an operation aimed squarely at executives and decision-makers. During dynamic testing, CYFIRMA observed the ransomware dropping a message addressed “to management,” emphasizing total compromise, destroyed backups, and a threat of data leakage unless ransom is paid swiftly. The note also advertises “a 24-hour test decryption” and uses Tor-based chat links and unique victim tokens for negotiation and tracking.
“Its authoritative tone and double-extortion demands are intended to coerce rapid payment,” the researchers warn.
Interestingly, Yurei appears to be heavily derived from Prince Ransomware, an open-source ransomware project available on GitHub. CYFIRMA’s static analysis revealed preserved symbol names such as PrinceCrypto.dll and InitPrinceKeys() inside Yurei’s binary, as well as identical cryptographic implementation patterns.
“Yurei’s binary retains function and module names from Prince,” CYFIRMA notes, “indicating code lineage.” The analysis also found “the same ChaCha20 + ECIES scheme, file handling logic, and ransom note structure,” though Yurei’s developers enhanced concurrency through Go’s goroutines for faster encryption.
The first sample of Yurei Ransomware was identified on September 5, 2025, with an initial victim located in Sri Lanka’s food manufacturing sector. CYFIRMA cautions against inferring the attacker’s nationality from the Japanese name “Yūrei” (meaning ghost or spirit), noting that later malware submissions originated from Morocco, Germany, and Turkey.
Compile-time metadata further revealed a Windows username (“intellocker”) and a directory path (“D:\satanlockv2”), hinting at possible ties to SatanLockerV2, a previous ransomware strain.