Yurei chat interface | Image: Check Point
Recently, researchers at Check Point Research (CPR) identified a new ransomware group calling itself Yurei, a name inspired by spirits from Japanese folklore. The group's first listed victim was a Sri Lankan food manufacturing company, and within days, new victims from India and Nigeria were also added to its darknet leak site.
Like many modern cybercrime syndicates, Yurei follows a double-extortion model: encrypting victims' files while simultaneously exfiltrating sensitive data to pressure organizations into paying ransoms. As CPR explains, "They encrypt the victim's files and exfiltrate sensitive data, and then demand a ransom payment to decrypt and refrain from publishing the stolen information."
One of the most striking aspects of Yurei is its reliance on open-source ransomware. CPR determined that the group's malware is "derived with only minor modifications from Prince-Ransomware, an open-source ransomware family written in Go."
This reliance on freely available malware code dramatically lowers the barrier to entry, enabling even low-skilled actors to launch global ransomware operations.
Yurei's ransomware encrypts files with the ChaCha20 algorithm, appending the extension .Yurei. Interestingly, the developers did not strip symbols from the binary, leaving module and function names intact. This oversight made attribution straightforward: "It becomes clear that Yurei's ransomware is largely based on an open-source ransomware named Prince-Ransomware, with only minor modifications."
Despite its aggressive tactics, Yurei's ransomware contains notable flaws. Most significantly, it does not delete Windows Volume Shadow Copies, leaving open a potential recovery avenue for victims.
As CPR notes, "Although the threat actor modified the codebase, the Yurei ransomware still has a major flaw: It does not delete existing Shadow copies… if Shadow Copies are enabled, the victim can restore their files to a previous snapshot without having to negotiate with Yurei."
After infecting systems, Yurei drops a ransom note named _README_Yurei.txt, instructing victims to negotiate via a darknet .onion chat portal. The group promises a decryption tool.
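As an added example (not code from Check Point or the article), the following PowerShell triage script looks for the two host indicators the article names, the .Yurei extension and the _README_Yurei.txt note, and then lists the Volume Shadow Copies the article reports Yurei leaves intact, so a responder can see at once whether a pre-infection snapshot exists. The scan root is an assumed path.

```powershell
# Added example, not from the article or Check Point: triage a host suspected
# of Yurei infection. Run from an elevated prompt (Win32_ShadowCopy needs it).
param(
    [string]$ScanRoot = 'C:\Users'   # assumed path; adjust to the affected volume
)

# 1. Indicators described in the article: encrypted files and the ransom note.
$encrypted = Get-ChildItem -Path $ScanRoot -Recurse -File -Filter '*.Yurei' -ErrorAction SilentlyContinue
$notes     = Get-ChildItem -Path $ScanRoot -Recurse -File -Filter '_README_Yurei.txt' -ErrorAction SilentlyContinue

"Encrypted files (.Yurei): $($encrypted.Count)"
"Ransom notes found:       $($notes.Count)"
if ($encrypted.Count -gt 0) {
    $first = $encrypted | Sort-Object LastWriteTime | Select-Object -First 1
    "Earliest .Yurei write time: $($first.LastWriteTime)"
}

# 2. Shadow copies: Yurei does not delete them, so any snapshot created before
#    the earliest .Yurei write time is a candidate for restoring files.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if (-not $shadows) {
    "No Volume Shadow Copies present on this host."
} else {
    $volumes = Get-CimInstance -ClassName Win32_Volume
    $shadows | Sort-Object InstallDate | ForEach-Object {
        $vol = $volumes | Where-Object DeviceID -eq $_.VolumeName
        [pscustomobject]@{
            Created      = $_.InstallDate
            Drive        = $vol.DriveLetter
            DeviceObject = $_.DeviceObject
        }
    } | Format-Table -AutoSize
    # A snapshot can be browsed read-only by linking its device object, e.g.
    #   cmd /c mklink /d C:\shadow "<DeviceObject>\"   (trailing backslash required)
    # then copying clean files out and removing the link: cmd /c rmdir C:\shadow
}
```

Compare each snapshot's Created time against the earliest .Yurei write time; only snapshots that predate it hold unencrypted copies.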
Forensic analysis suggests Yurei may have ties to Morocco. All known samples were first uploaded from the region to VirusTotal, some potentially by the developer for detection testing. Additionally, HTML artifacts from their darknet portal contained Arabic comments, and file path traces indicated links to the SatanLockv2 ransomware family, also rooted in Prince-Ransomware.