Keypoints
- Yurei is a newly observed ransomware group (first public identification: September 2025) that targets corporate networks and negotiates via a dedicated dark web leak site.
- The ransomware is written in Go and uses ChaCha20‑Poly1305 for file encryption, generating a 32‑byte key and 24‑byte nonce per encryption operation.
- Per‑file encryption keys and nonces are protected using secp256k1‑ECIES (ECDH + KDF + AES‑GCM) so only the actor holding the corresponding private key can decrypt files.
- Yurei omits many common initial infection routines (no permission changes, no mutexes, no string decryption) and enumerates drives to locate targets, excluding system and backup paths.
- Excluded directories, file extensions, and filenames are explicitly listed (e.g., windows, system32, .exe, .dll, _README_Yurei.txt) to avoid damaging system files or re‑encrypting already encrypted files.
- The ransomware writes the ECIES-protected key material (an encrypted key||nonce block followed by a delimiter) at the start of each encrypted file, then encrypts the file content in 64 KB blocks.
- Ransom notes claim backup deletion, threaten data leaks and regulatory/competitive exposure, and pressure victims to respond within five days; victims are known in Sri Lanka and Nigeria across multiple industries.
MITRE Techniques
- [T1486] Data Encrypted for Impact – Yurei encrypts files using ChaCha20‑Poly1305 and per‑file protected keys via secp256k1‑ECIES to prevent recovery without payment. Quote: ‘…encrypts data, deletes backups, and then demands a ransom for the stolen information.’
- [T1083] File and Directory Discovery – Yurei obtains drive information and traverses drive paths to find encryption targets. Quote: ‘…routine to obtain the drive information of the current execution environment and traverse all drive paths to find encryption targets.’
- [T1490] Inhibit System Recovery – Yurei excludes system and backup directories from encryption and claims in the ransom note to have deleted accessible backups, inhibiting recovery. Quote: ‘…deleted all accessible backups.’
- [T1588.001] Acquire Infrastructure: Phishing Infrastructure (dark web contact) – Victim contact and negotiations occur via a dedicated dark web site for leak/communications. Quote: ‘Contact with victims is made through their dedicated dark web site.’
Indicators of Compromise
- [File Hash – MD5] Sample MD5 hashes observed in analysis or detections – 1263ffe930e8ccde5bc62b043a5b6bd8, 1f9700295e592ce3ea40b282e91597a2 (and 3 more hashes).
- [File Name] Ransom note filename used by Yurei – _README_Yurei.txt – present in encrypted folders to instruct victims.
- [File Extension] Yurei encrypted file extension – .Yurei – used to mark encrypted files.
- [Detection Name] Antivirus/EDR detections referencing Yurei/related families – Ransomware/Win.YureiCrypt.R721068, Ransomware/Win.YureiCrypt.R721188.
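A defender-side triage helper, added here as an example and not part of the AhnLab analysis: it walks a directory tree and reports the three file-level artefacts listed above (the ransom note filename, the .Yurei extension, and executables whose MD5 matches the two hashes given; the "3 more hashes" are not on this page). The sample tree it builds is constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the summary above (only the two MD5s it lists).
YUREI_MD5 = {"1263ffe930e8ccde5bc62b043a5b6bd8", "1f9700295e592ce3ea40b282e91597a2"}
NOTE_NAME = "_README_Yurei.txt"
ENC_EXT = ".yurei"


def md5_of(path: Path) -> str:
    """Hash a file in 64 KB chunks so large binaries do not need to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root) -> dict:
    """Walk `root` and collect Yurei-related artefacts: ransom notes,
    files carrying the .Yurei extension, and PE files matching known MD5s."""
    found = {"notes": [], "encrypted": [], "hash_hits": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name == NOTE_NAME:
                found["notes"].append(str(p))
            elif name.lower().endswith(ENC_EXT):
                found["encrypted"].append(str(p))
            elif name.lower().endswith((".exe", ".dll")) and p.is_file():
                if md5_of(p) in YUREI_MD5:
                    found["hash_hits"].append(str(p))
    return found


def build_sample_tree(base) -> Path:
    """Constructed sample tree (not real victim data) used to exercise triage()."""
    base = Path(base)
    (base / "docs").mkdir(parents=True, exist_ok=True)
    (base / "docs" / "report.docx.Yurei").write_bytes(os.urandom(256))
    (base / "docs" / NOTE_NAME).write_text("constructed ransom note placeholder\n")
    (base / "clean.txt").write_text("untouched\n")
    return base


def run_on_sample() -> dict:
    """Build the constructed tree in a temp dir, triage it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))


if __name__ == "__main__":
    print(run_on_sample())
```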
Read more: https://asec.ahnlab.com/en/90975/