CYFIRMA has observed a new ransomware strain, Yurei, which emerged in early September 2025 and targets Windows environments. It combines per-file hybrid encryption with backup destruction, self-propagation and anti-forensic cleanup routines.
Written in Go, Yurei generates a fresh ChaCha20 key/nonce pair for each file, encrypts the file with it, and appends a .Yurei extension to the result.
Each per-file key is wrapped with the attacker's ECIES public key, which is embedded in the binary; the wrapped key and the nonce are written ahead of the ciphertext, separated by the two-byte delimiter "||" (0x7c7c).
This header lets the attacker's decryptor recover the per-file key from the file itself, without any out-of-band key store, and because encryption proceeds in 2 MiB chunks, memory use stays bounded regardless of file size.
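The header layout above (wrapped key, then nonce, then ciphertext, each separated by "||") is simple to emit but not trivial to parse: the wrapped key and the ciphertext are raw bytes, so the delimiter value 0x7c7c can also occur inside them, and a blind split on "||" mis-parses some fraction of files. The following parser is an added example written for this page, not Yurei's or Prince's own code; it assumes a 12-byte IETF ChaCha20 nonce and a wrapped-key blob of at least 32 bytes (neither length is stated in the report) and resolves the ambiguity by accepting the delimiter pair whose middle segment has the expected nonce length.

```python
"""Parser for the per-file layout described above:

    <ECIES-wrapped ChaCha20 key> || <nonce> || <ciphertext>

where "||" is the two-byte delimiter 0x7c7c. Added example, not Yurei's own
code. Because the wrapped key and the ciphertext are raw bytes, 0x7c7c can
also occur inside them, so a blind split on the delimiter mis-parses some
files. parse_header() instead accepts the delimiter pair whose middle
segment has the expected nonce length. Assumptions not stated on the page:
a 12-byte IETF ChaCha20 nonce and a wrapped-key blob of at least 32 bytes.
"""
from dataclasses import dataclass

DELIM = b"||"           # 0x7c7c, as described in the report
NONCE_LEN = 12          # assumed: IETF ChaCha20 nonce length
MIN_WRAPPED_KEY = 32    # assumed: an ECIES blob is at least as long as the 32-byte key it wraps
EXTENSION = ".Yurei"


@dataclass
class YureiHeader:
    wrapped_key: bytes
    nonce: bytes
    ciphertext: bytes


def naive_parse(data: bytes) -> YureiHeader:
    """Split on the first two delimiters. Correct only when 0x7c7c never
    occurs inside the wrapped key; kept here to show the failure mode."""
    wrapped, nonce, ciphertext = data.split(DELIM, 2)
    return YureiHeader(wrapped, nonce, ciphertext)


def parse_header(data: bytes) -> YureiHeader:
    """Return the earliest split whose nonce segment is exactly NONCE_LEN bytes
    and whose key blob is at least MIN_WRAPPED_KEY bytes. A decryptor that
    knows the exact ECIES blob length can pin the first delimiter instead."""
    pos = 0
    while True:
        i = data.find(DELIM, pos)
        if i < 0:
            raise ValueError("no delimiter pair with a %d-byte nonce segment" % NONCE_LEN)
        j = i + len(DELIM) + NONCE_LEN            # where the second delimiter must sit
        if i >= MIN_WRAPPED_KEY and data[j:j + len(DELIM)] == DELIM:
            return YureiHeader(data[:i], data[i + len(DELIM):j], data[j + len(DELIM):])
        pos = i + 1


def looks_like_yurei(path: str, data: bytes) -> bool:
    """Triage check for a single file: .Yurei extension plus a parsable
    header within the first 512 bytes."""
    if not path.endswith(EXTENSION):
        return False
    try:
        parse_header(data[:512])
    except ValueError:
        return False
    return True


# Constructed sample, not a real Yurei artifact. The wrapped-key blob
# deliberately contains 0x7c7c so that the naive split goes wrong.
SAMPLE_WRAPPED_KEY = b"\x04" + b"\xaa" * 20 + DELIM + b"\xbb" * 40   # 63 bytes
SAMPLE_NONCE = bytes(range(1, 13))                                     # 12 bytes, no 0x7c
SAMPLE_CIPHERTEXT = b"\xcc" * 100
SAMPLE_FILE = SAMPLE_WRAPPED_KEY + DELIM + SAMPLE_NONCE + DELIM + SAMPLE_CIPHERTEXT

if __name__ == "__main__":
    bad = naive_parse(SAMPLE_FILE)
    good = parse_header(SAMPLE_FILE)
    print("naive nonce length :", len(bad.nonce))      # 40: mis-split
    print("robust nonce length:", len(good.nonce))     # 12
    print("triage:", looks_like_yurei("q3.xlsx.Yurei", SAMPLE_FILE))
```

The length-based rule is still heuristic: a wrapped key could in principle contain two delimiters exactly 12 bytes apart, which is why a real decryptor would fix the blob length rather than search for delimiters. For triage purposes the extension plus a parsable header is a usable file-level indicator.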
Before encryption, Yurei runs a disableBackups routine that launches PowerShell through Go's os/exec to delete every Volume Shadow Copy (vssadmin Delete Shadows /All /Quiet) and the Windows Backup catalog (wbadmin Delete Catalog -Quiet), removing the two most common local recovery paths.
It stages its payload under %LOCALAPPDATA%\Temp and drops copies at drive roots named WindowsUpdate.exe or svchost.exe, names chosen to blend in with legitimate Windows binaries (the genuine svchost.exe lives in %SystemRoot%\System32, never at a drive root).
To signal the compromise and heighten victim distress, the ransomware uses a PowerShell wrapper that calls the Windows SystemParametersInfo API to replace the desktop wallpaper with a solid dark colour.
After encryption each original file is atomically replaced by its encrypted version, and the intermediate temporary files are overwritten before deletion, leaving few traces of the plaintext on disk.
Memory and console cleanup routines add further stealth: the malware issues Clear-Host (which clears the visible console buffer, not the PowerShell command history), forces a Go garbage-collection pass, and overwrites residual heap data with cryptographically random bytes.
Its final self-destruct routine overwrites its own binary in three passes, renames the executable twice with random names, alters file metadata including timestamps and the file's Master File Table record, and then deletes the binary, removing its on-disk footprint and complicating forensic recovery.
Stealth Propagation and Lateral Movement
Yurei employs a continuous stealthPropagation loop to infect removable media and network shares. The malware enumerates all removable drives, copying itself as WindowsUpdate.exe if that filename is absent in the drive’s root.
Concurrently, it scans writable SMB shares by iterating UNC paths and copies the payload as System32_Backup.exe.
It leverages PSCredential objects and CIM sessions to perform credential-based lateral execution in a PsExec-style fashion, using net use \\<ip>\IPC$ to establish connections, copy its binary, and execute it remotely before closing the session.
Together these routines spread the payload quickly to every reachable removable drive, writable share and host for which it holds credentials, while relying on innocuous file names to evade simple detection.
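The backup-destruction commands, the PowerShell wrapper and the net use \\<ip>\IPC$ lateral step are all visible in process-creation telemetry, and each one alone is a weak signal (administrators also run vssadmin and net use). The following detection logic is an added example for this page, not CYFIRMA's tooling: it matches the command lines described above and in the disableBackups section against constructed process-creation events, and alerts on a host only when at least two distinct rules fire. The event format (host|parent_image|image|command_line) is constructed, and the [Native.Desktop] type name in the wallpaper line is a placeholder; mapping the fields onto a real Sysmon Event ID 1 or EDR feed is left to the reader.

```python
r"""Detection logic for the command lines described above, run over
constructed process-creation events: the disableBackups routine (vssadmin,
wbadmin), the PowerShell wallpaper/Clear-Host wrapper, execution of a payload
staged under %LOCALAPPDATA%\Temp, and the net use \\<ip>\IPC$ lateral step.
Added example, not CYFIRMA's or the malware's code. The event format
(host|parent_image|image|command_line) is constructed.
"""
import re
from collections import defaultdict

# Command-line rules. Each is a weak signal on its own; hunt() alerts on a
# host only when at least MIN_RULES distinct rules fire.
CMDLINE_RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*?/all", re.I),
    "backup_catalog_deletion": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    "ipc_admin_share_connect": re.compile(r"\bnet1?(\.exe)?\s+use\s+\\\\[\w.\-]+\\IPC\$", re.I),
    "wallpaper_or_console_wrapper": re.compile(r"SystemParametersInfo|Clear-Host", re.I),
}
# A binary run from, or a child spawned by a binary in, the user's Temp directory.
STAGED_IN_TEMP = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)
MIN_RULES = 2


def parse_event(line):
    host, parent, image, cmdline = line.split("|", 3)
    return {"host": host, "parent": parent, "image": image, "cmdline": cmdline}


def match_event(ev):
    """Names of the rules a single event trips."""
    hits = [name for name, rx in CMDLINE_RULES.items() if rx.search(ev["cmdline"])]
    if STAGED_IN_TEMP.search(ev["image"]) or STAGED_IN_TEMP.search(ev["parent"]):
        hits.append("temp_staged_binary")
    return hits


def hunt(lines, min_rules=MIN_RULES):
    """Hosts on which at least min_rules distinct rules fired, with the rules."""
    per_host = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        per_host[ev["host"]].update(match_event(ev))
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}


# Constructed events, not captured telemetry. WS01 and SRV02 show benign
# look-alikes (a service host, a shadow listing, a normal share mapping);
# WS07 shows the Yurei sequence. The [Native.Desktop] type name is a
# placeholder for whatever Add-Type wrapper the sample uses.
SAMPLE_EVENTS = """\
WS01|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
WS01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
SRV02|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\net.exe|net use \\\\FS01\\Finance /persistent:yes
WS07|C:\\Windows\\explorer.exe|C:\\Users\\a\\AppData\\Local\\Temp\\WindowsUpdate.exe|WindowsUpdate.exe
WS07|C:\\Users\\a\\AppData\\Local\\Temp\\WindowsUpdate.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -NoProfile -Command "vssadmin Delete Shadows /All /Quiet"
WS07|C:\\Users\\a\\AppData\\Local\\Temp\\WindowsUpdate.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -NoProfile -Command "wbadmin Delete Catalog -Quiet"
WS07|C:\\Users\\a\\AppData\\Local\\Temp\\WindowsUpdate.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -NoProfile -Command "[Native.Desktop]::SystemParametersInfo(20,0,'',3); Clear-Host"
WS07|C:\\Users\\a\\AppData\\Local\\Temp\\WindowsUpdate.exe|C:\\Windows\\System32\\net.exe|net use \\\\10.0.0.5\\IPC$ /user:corp\\svc_backup Passw0rd!
""".splitlines()

if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(rules))      # WS07 -> five rules
```

The parent-process check matters as much as the command lines: a PowerShell or net.exe child of an executable in %LOCALAPPDATA%\Temp is itself anomalous, and it ties the individual commands back to the staged payload even when the command line has been obfuscated.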
Double-Extortion and Ransom Negotiation
Upon completion of encryption, Yurei generates a ransom note named _README_Yurei.txt in every affected directory.
The note is crafted in a management-targeted style, asserting a full network compromise, demanding payment for file recovery, and threatening to publish data if the demands are not met. Victims are offered a one-file free decryption within 24 hours to prove decryption capability.
Communications are conducted over Tor, with links to a blog and a chat .onion address. Each victim is assigned a unique Ticket ID and a YureiSupp support token to facilitate negotiations and track victims.
Code analysis shows a significant overlap between Yurei and the open-source Prince-Ransomware project.
Yurei retains many Prince functions and module names (e.g., InitPrinceKeys()), mirrors the ChaCha20+ECIES encryption scheme, and replicates drive enumeration logic.
Notably, Yurei enhances Prince’s single-threaded design by introducing Go goroutines for parallel encryption, while improving ransom-note professionalism and embedding robust self-cleaning routines.
However, inherited flaws remain, such as incomplete VSS deletion in certain edge cases and wallpaper-setting logic that falls back to a blank background when the referenced image file is missing.
Organizations should mitigate Yurei with layered controls: immutable or offline backups with quarterly restore drills, so that shadow-copy and catalog deletion does not remove the last recovery path; EDR rules for the vssadmin Delete Shadows and wbadmin Delete Catalog command lines, for executables launched from %LOCALAPPDATA%\Temp or drive roots, and for the "||"-delimited Yurei file header; MFA and least privilege on every remote administration interface, since the lateral movement depends on reusable credentials; and containment playbooks that automate host isolation and backup verification.
Proactive hunting for PSCredential and CIM-session artifacts, net use connections to IPC$ shares, anomalous SMB write activity, and files carrying the .Yurei extension or the _README_Yurei.txt note further shortens time-to-detection and limits irreversible data loss.
Continuous monitoring, incident-response readiness and threat-intelligence integration remain essential against this fast-moving, anti-forensic ransomware.
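The file-name indicators in this report (.Yurei files, the _README_Yurei.txt note, WindowsUpdate.exe and svchost.exe at drive roots, System32_Backup.exe on shares, and executables staged under %LOCALAPPDATA%\Temp) can be hunted on disk without any EDR. The following scanner is an added example for this page, not CYFIRMA's tooling; it builds a constructed directory tree in a temporary folder so that it runs offline, and in practice scan_roots() would be pointed at each drive root and mounted share. The legitimate svchost.exe locations it whitelists (Windows\System32 and Windows\SysWOW64) are standard Windows facts, not something the report states.

```python
r"""Disk-artifact hunt for the file names described in the report: files
carrying the .Yurei extension, _README_Yurei.txt notes, the WindowsUpdate.exe
and svchost.exe copies dropped at drive roots, System32_Backup.exe on shares,
and payloads staged under %LOCALAPPDATA%\Temp. Added example, not CYFIRMA's
tooling. The directory tree is constructed in a temporary directory so the
hunt runs offline; in practice scan_roots() is pointed at drive roots and
mounted shares.
"""
import os
import tempfile
from collections import Counter

ROOT_DROP_NAMES = {"windowsupdate.exe", "svchost.exe"}
SHARE_DROP_NAME = "system32_backup.exe"
NOTE_NAME = "_readme_yurei.txt"
ENCRYPTED_EXT = ".yurei"
LEGIT_SVCHOST_DIRS = (("windows", "system32"), ("windows", "syswow64"))   # standard Windows locations
STAGING_DIR = ("appdata", "local", "temp")                                 # %LOCALAPPDATA%\Temp


def _contains_seq(parts, seq):
    """True if the tuple seq appears as consecutive elements of parts."""
    n = len(seq)
    return any(tuple(parts[i:i + n]) == seq for i in range(len(parts) - n + 1))


def _key(root, path):
    """OS-independent display key: <root basename>/<path relative to root>."""
    label = os.path.basename(root.rstrip(os.sep)) or root
    rel = os.path.relpath(path, root)
    return label if rel == "." else label + "/" + rel.replace(os.sep, "/")


def classify(root, path):
    """Tags for one file, judged by its name and its position relative to root."""
    parts = tuple(p.lower() for p in os.path.relpath(path, root).split(os.sep))
    dirs, name = parts[:-1], parts[-1]
    tags = []
    if name.endswith(ENCRYPTED_EXT):
        tags.append("encrypted_file")
    if name == NOTE_NAME:
        tags.append("ransom_note")
    if not dirs and name in ROOT_DROP_NAMES:          # drop directly at the drive root
        tags.append("root_drop")
    if name == SHARE_DROP_NAME:
        tags.append("share_drop")
    if name == "svchost.exe" and not any(_contains_seq(dirs, d) for d in LEGIT_SVCHOST_DIRS):
        tags.append("svchost_outside_system32")
    if name.endswith(".exe") and _contains_seq(dirs, STAGING_DIR):
        tags.append("staged_payload")
    return tags


def scan_roots(roots):
    """Walk each root. Returns {key: tags} for every flagged file and a
    per-directory count of encrypted files (a blast-radius estimate)."""
    flagged, per_dir = {}, Counter()
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            for fn in filenames:
                full = os.path.join(dirpath, fn)
                tags = classify(root, full)
                if tags:
                    flagged[_key(root, full)] = tags
                if "encrypted_file" in tags:
                    per_dir[_key(root, dirpath)] += 1
    return flagged, per_dir


def build_sample_tree(base):
    """Constructed layout imitating a C: drive and a mapped share (not real data)."""
    files = {
        "C/WindowsUpdate.exe": b"MZ",
        "C/Windows/System32/svchost.exe": b"MZ",              # legitimate location
        "C/Users/a/AppData/Local/Temp/svchost.exe": b"MZ",    # staged copy
        "C/Users/a/Documents/q3.xlsx.Yurei": b"\x00" * 64,
        "C/Users/a/Documents/_README_Yurei.txt": b"note",
        "C/Users/a/Documents/notes.txt": b"plain",
        "C/Users/a/Pictures/holiday.jpg.Yurei": b"\x00" * 64,
        "SHARE/System32_Backup.exe": b"MZ",
    }
    for rel, data in files.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return [os.path.join(base, "C"), os.path.join(base, "SHARE")]


def run_demo():
    """Build the sample tree in a temporary directory and hunt it."""
    with tempfile.TemporaryDirectory() as base:
        return scan_roots(build_sample_tree(base))


if __name__ == "__main__":
    flagged, per_dir = run_demo()
    for path, tags in sorted(flagged.items()):
        print(path, tags)
    print("encrypted files per directory:", dict(per_dir))
```

The per-directory count of .Yurei files is worth keeping in the output: because Yurei drops its note in every affected directory, the directories with both a note and encrypted files delimit how far encryption got before containment, which feeds directly into the backup-verification step of the playbook.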
INDICATORS OF COMPROMISE
| Indicator | Type | Remarks |
| --- | --- | --- |
| 1263280c916464c2aa755a81b0f947e769c8a735a74a172157257fca340e1cf4 | SHA-256 | 3dec9093b6da575c8700a9eb.ps1 (PowerShell script) |
| 4f88d3977a24fb160fc3ba69821287a197ae9b04493d705dc2fe939442ba6461 | SHA-256 | YureiRansomware.exe |
| hXXp[:]//fewcriet5rhoy66k6c4cyvb2pqrblxtx4mekj3s5l4jjt4t4kn4vheyd[.]onion | URL | Blog (Tor) |
| hXXp[:]//fewcriet5rhoy66k6c4cyvb2pqrblxtx4mekj3s5l4jjt4t4kn4vheyd[.]onion/chat/777676f8-2313-425f-873a-65c4df8d5def/chat[.]php | URL | Chat (Tor) |