Yurei & The Ghost of Open Source Ransomware

Yurei is a newly observed ransomware group that launched operations on September 5, targeting organizations in Sri Lanka, India, and Nigeria. It follows a double-extortion model: files are encrypted (with a .Yurei extension appended) and exfiltrated data is used as leverage through a darknet blog and a negotiation chat hosted on an .onion site. Analysis shows that Yurei's binary is derived, with only minor modifications, from the open-source Prince-Ransomware project (written in Go); it inherits flaws such as not deleting Volume Shadow Copies, and several artifacts and uploads point to Morocco. #Yurei #Prince-Ransomware

Key points

  • Yurei first appeared on September 5 and quickly listed victims from Sri Lanka, India, and Nigeria, reaching at least three known victims within days.
  • The ransomware is written in Go and was found to be largely based on the open‑source Prince‑Ransomware project, with only minor changes (e.g., concurrent drive encryption via goroutines).
  • Yurei uses ChaCha20 per-file encryption with ECIES-wrapped keys and appends the .Yurei extension; encrypted files store key/nonce/content separated by “||”.
  • The group operates a darknet blog and a negotiation .onion chat where victims are given a ticket ID and offered a decryptor and a "security report" upon payment, following a double-extortion approach.
  • Because Yurei does not delete Volume Shadow Copies (VSS), victims with VSS enabled may be able to restore files from snapshots; however, restoring files does not remove the extortion pressure, since the exfiltrated data can still be leaked.
  • Observations include submissions to VirusTotal originating from Morocco, an Arabic comment in the .onion HTML, and local path artifacts referencing satanlockv2, leading to a low‑confidence assessment of Moroccan ties.
  • Yurei’s lack of anti-analysis measures (symbols left in binary) and reuse of open‑source code highlight how low-skilled actors can rapidly deploy ransomware but also inherit detectable weaknesses.
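As an added example that is not part of the Check Point write-up, the following Python triage helper parses the encrypted-file layout described above (key, nonce and content separated by "||", .Yurei extension, _README_Yurei.txt ransom note) so an incident responder can count affected files before deciding on Shadow Copy restoration. It assumes the "||" separators are literal ASCII bytes, that the fields are raw bytes, and that standard ChaCha20 nonce lengths apply; none of these details come from the page.

```python
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

SEP = b"||"                 # field separator reported for .Yurei files
EXT = ".Yurei"              # extension appended to encrypted files
NOTE = "_README_Yurei.txt"  # ransom note file name
CHACHA20_NONCE_SIZES = {8, 12, 24}  # assumption, not from the page: standard ChaCha20 nonce lengths

@dataclass
class YureiLayout:
    wrapped_key: bytes  # first field: ECIES-wrapped ChaCha20 key (assumed raw bytes)
    nonce: bytes        # second field: ChaCha20 nonce
    ciphertext: bytes   # remainder: ChaCha20 ciphertext

    def plausible(self) -> bool:
        """Non-empty key field and a ChaCha20-compatible nonce length."""
        return bool(self.wrapped_key) and len(self.nonce) in CHACHA20_NONCE_SIZES

def parse_yurei_blob(blob: bytes) -> Optional[YureiLayout]:
    """Split key||nonce||content. Only the first two '||' are separators: the
    ciphertext is random-looking and may itself contain the byte pair '||'."""
    parts = blob.split(SEP, 2)
    if len(parts) != 3:
        return None
    key, nonce, ciphertext = parts
    if not key or not nonce:
        return None
    return YureiLayout(key, nonce, ciphertext)

def triage_tree(root: Path) -> dict:
    """Walk a tree and count .Yurei files, layout matches and ransom notes for an IR report."""
    summary = {"encrypted_files": 0, "layout_matches": 0, "ransom_notes": 0, "unparsed": []}
    for path in (p for p in root.rglob("*") if p.is_file()):
        if path.name == NOTE:
            summary["ransom_notes"] += 1
        elif path.suffix == EXT:
            summary["encrypted_files"] += 1
            layout = parse_yurei_blob(path.read_bytes())
            if layout is not None and layout.plausible():
                summary["layout_matches"] += 1
            else:
                summary["unparsed"].append(str(path))
    return summary

def constructed_sample() -> bytes:
    """Constructed test blob, not a real sample: key field, 12-byte nonce, ciphertext containing '||'."""
    return b"K" * 65 + SEP + b"N" * 12 + SEP + b"\x01\x02||\x03"
```

Files listed under "unparsed" are worth a manual look, since a different layout may indicate a different variant rather than this one.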

MITRE Techniques

  • [T1486] Data Encrypted for Impact – The ransomware encrypts files using ChaCha20 and appends the .Yurei extension; article: “Files are encrypted using the ChaCha20 algorithm and are appended the .Yurei extension.”
  • [T1489] Disk Content Wipe – (Not implemented) The malware does not delete Volume Shadow Copies, enabling recovery: “It does not delete existing Shadow copies…if Shadow Copies are enabled, the Victim can restore their files to a previous snapshot.”
  • [T1530] Data from Network Shared Drive – The ransomware monitors and encrypts newly attached network drives: “Waits and monitors for newly attached network drives to then encrypt” and described via the monitorNetworkShares routine.
  • [T1112] Modify Registry or File Associations (Wallpaper change) – The malware attempts to set a wallpaper via PowerShell/.NET calls, using commands to download Wallpaper.png and call SystemParametersInfo SPI_SETDESKWALLPAPER: “The next command then compiles a .NET assembly to call SystemParametersInfo with SPI_SETDESKWALLPAPER to set the current wallpaper.”
  • [T1036] Masquerading (Ransom note naming) – The ransomware drops a ransom note named _README_Yurei.txt and instructs victims to use the provided .onion chat and ticket ID: “The ransom note is dropped as _README_Yurei.txt and instructs the victim to visit their site and enter their chat using a provided access token.”
  • [T1560] Archive Collected Data (Data Exfiltration) – The actors exfiltrate sensitive corporate data prior to encryption and threaten publication: “we have exfiltrated a large amount of your corporate data prior to encryption” and use a leak site to pressure victims.

Indicators of Compromise

  • [Onion Page] Yurei darknet blog/chat – fewcriet5rhoy66k6c4cyvb2pqrblxtx4mekj3s5l4jjt4t4kn4vheyd.onion
  • [File Hashes] Yurei ransomware samples – examples: 49c720758b8a87e42829ffb38a0d7fe2a8c36dc3007abfabbea76155185d2902, 4f88d3977a24fb160fc3ba69821287a197ae9b04493d705dc2fe939442ba6461 (and several more hashes)
  • [File Hashes] SatanLockV2 related sample – example: afa927ca549aaba66867f21fc4a5d653884c349f8736ecc5be3620577cf9981f
  • [File Name] Ransom note – _README_Yurei.txt (instructions and .onion links included)
  • [Local Path Artifact] Build/path artifact – D:satanlockv2* (indicates possible reuse or relation to SatanLockV2)

Read more: https://research.checkpoint.com/2025/yurei-the-ghost-of-open-source-ransomware/