Yurei chat interface | Image: Check Point
Recently, researchers at Check Point Research (CPR) identified a new ransomware group calling itself Yurei—a name inspired by spirits from Japanese folklore. The group’s first listed victim was a Sri Lankan food manufacturing company, and within days, new victims from India and Nigeria were also added to its darknet leak site.
Like many modern cybercrime syndicates, Yurei follows a double-extortion model: encrypting victims’ files while simultaneously exfiltrating sensitive data to pressure organizations into paying ransoms. As CPR explains, “They encrypt the victim’s files and exfiltrate sensitive data, and then demand a ransom payment to decrypt and refrain from publishing the stolen information.”
One of the most striking aspects of Yurei is its reliance on open-source ransomware. CPR determined that the group’s malware is “derived with only minor modifications from Prince-Ransomware, an open-source ransomware family written in Go.”
This reliance on freely available malware code dramatically lowers the barrier to entry, enabling even low-skilled actors to launch global ransomware operations.
Yurei’s ransomware encrypts files with the ChaCha20 algorithm, appending the extension .Yurei. Interestingly, the developers did not strip symbols from the binary, leaving module and function names intact. This oversight made attribution straightforward: “It becomes clear that Yurei’s ransomware is largely based on an open-source ransomware named Prince-Ransomware, with only minor modifications.”
Despite its aggressive tactics, Yurei’s ransomware contains notable flaws. Most significantly, it does not delete Windows Volume Shadow Copies, leaving open a potential recovery avenue for victims.
As CPR notes, “Although the threat actor modified the codebase, the Yurei ransomware still has a major flaw: It does not delete existing Shadow copies… if Shadow Copies are enabled, the victim can restore their files to a previous snapshot without having to negotiate with Yurei.”
After infecting systems, Yurei drops a ransom note named _README_Yurei.txt, instructing victims to negotiate via a darknet .onion chat portal. The group promises a decryption tool.
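The two defender-relevant details above (the `.Yurei` extension and `_README_Yurei.txt` note as on-disk indicators, and the surviving Volume Shadow Copies as a recovery path) can be turned into a triage script. The following PowerShell is an added example written for this article; it is not Check Point's code and is not derived from the Yurei or Prince-Ransomware sources. All function and parameter names (`Find-YureiArtifacts`, `Get-RecoverableShadowCopies`, `Mount-ShadowCopyForRestore`, the sample paths `D:\Shares`, `E:\Recovered` and `C:\shadow_restore`) are this example's own assumptions; the extension and note filename come from the CPR report.

```powershell
<#
  Added example, not Check Point's or the ransomware authors' code.
  1. Counts files carrying the .Yurei extension and locates _README_Yurei.txt
     notes (both named in the CPR report) under a given path.
  2. Enumerates Volume Shadow Copies, which Yurei does not delete, and exposes
     one so clean copies of the affected directories can be copied out.
  Shadow-copy enumeration and mklink require an elevated prompt.
#>

function Find-YureiArtifacts {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $EncryptedExtension = '.Yurei',         # from the CPR report
        [string] $RansomNoteName     = '_README_Yurei.txt' # from the CPR report
    )

    $encrypted = New-Object System.Collections.Generic.List[string]
    $notes     = New-Object System.Collections.Generic.List[string]

    # -Force includes hidden files; locked or protected paths are skipped, not fatal.
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            if     ($_.Extension -eq $EncryptedExtension) { $encrypted.Add($_.FullName) }
            elseif ($_.Name -eq $RansomNoteName)          { $notes.Add($_.FullName) }
        }

    # Directories holding a note are the ones the encryption routine walked.
    $noteDirs = @($notes | ForEach-Object { Split-Path -Parent $_ } | Sort-Object -Unique)

    [pscustomobject]@{
        EncryptedFileCount  = $encrypted.Count
        EncryptedFiles      = $encrypted
        RansomNotes         = $notes
        AffectedDirectories = $noteDirs
    }
}

function Get-RecoverableShadowCopies {
    # Maps each shadow copy to the drive letter it snapshots, newest first.
    $volumes = Get-CimInstance -ClassName Win32_Volume
    Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
        $copy = $_
        $vol  = $volumes | Where-Object { $_.DeviceID -eq $copy.VolumeName }
        [pscustomobject]@{
            Id           = $copy.ID
            Created      = $copy.InstallDate
            Drive        = $vol.DriveLetter
            DeviceObject = $copy.DeviceObject  # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    } | Sort-Object Created -Descending
}

function Mount-ShadowCopyForRestore {
    # Exposes a snapshot through a directory symlink so files can be read with
    # Copy-Item. The trailing backslash on the device path is required by mklink.
    param(
        [Parameter(Mandatory)] [string] $DeviceObject,
        [string] $LinkPath = 'C:\shadow_restore'   # assumed scratch location
    )
    if (Test-Path -LiteralPath $LinkPath) {
        throw "$LinkPath already exists; choose another link path."
    }
    cmd.exe /c mklink /d $LinkPath "$DeviceObject\" | Out-Null
    return $LinkPath
}

# --- usage: run only after the host is isolated and the ransomware process is gone ---
$triage = Find-YureiArtifacts -Path 'D:\Shares'
"{0} encrypted files, {1} ransom notes" -f $triage.EncryptedFileCount, $triage.RansomNotes.Count

$copies = @(Get-RecoverableShadowCopies)
$copies | Format-Table Created, Drive, Id -AutoSize

if ($triage.RansomNotes.Count -gt 0 -and $copies.Count -gt 0) {
    # Choose the newest snapshot of D: taken before the first note appeared.
    $firstNote = (Get-Item -LiteralPath $triage.RansomNotes[0]).CreationTime
    $candidate = $copies | Where-Object { $_.Drive -eq 'D:' -and $_.Created -lt $firstNote } |
                 Select-Object -First 1
    if ($candidate) {
        $link = Mount-ShadowCopyForRestore -DeviceObject $candidate.DeviceObject
        foreach ($dir in $triage.AffectedDirectories) {
            $relative = $dir.Substring(3)   # strip the leading 'D:\'
            Copy-Item -LiteralPath (Join-Path $link $relative) `
                      -Destination (Join-Path 'E:\Recovered' $relative) -Recurse -Force
        }
    }
}
```

Restoring only directories that contain a ransom note, and only from a snapshot older than the first note, keeps the copy scoped to data the ransomware actually touched and avoids pulling in files encrypted before the snapshot was taken. The snapshot comparison relies on the note's `CreationTime`, so verify that timestamp against the EDR timeline before trusting it, since a second run of the sample would overwrite notes and shift it later.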
Forensic analysis suggests Yurei may have ties to Morocco. All known samples were first uploaded from the region to VirusTotal, some potentially by the developer for detection testing. Additionally, HTML artifacts from their darknet portal contained Arabic comments, and file path traces indicated links to the SatanLockv2 ransomware family, also rooted in Prince-Ransomware.