A new threat has emerged in the ransomware landscape with the discovery of Yurei ransomware, first publicly identified in early September 2025.
This Go-based malware follows a typical ransomware operating model: infiltrating corporate networks, encrypting critical data, deleting backups, and demanding a ransom for the stolen information.
The group operates through a dedicated dark web site where it contacts victims and negotiates payment terms based on the financial standing of each targeted company.
The known victims of Yurei ransomware attacks include organizations in Sri Lanka and Nigeria, with primary targets in the transportation and logistics, IT software, marketing and advertising, and food and beverage industries.
Unlike many modern ransomware operations, there is no clear evidence linking Yurei to Ransomware-as-a-Service models or to collaboration with other cybercrime groups.
The threat actors calculate ransom demands on a case-by-case basis after reviewing the victim's financial position, though specific ransom amounts have not been publicly disclosed.
ASEC security researchers identified that Yurei ransomware stands out for its sophisticated encryption approach.
The malware uses the ChaCha20-Poly1305 algorithm for file encryption, generating a 32-byte key and a 24-byte nonce as random values.
These encryption keys are then protected using the secp256k1-ECIES method with an embedded public key, ensuring that only the threat actor holding the corresponding private key can decrypt the files.
Yurei ransomware DLS site (Source – ASEC)
This dual-layer encryption design makes unauthorized decryption virtually impossible without paying the ransom.
File Encryption Mechanism
The encryption process begins with Yurei scanning the infected system to identify all accessible drives and potential encryption targets.
The ransomware deliberately excludes critical system directories such as Windows, System32, and Program Files to prevent complete system failure.
It also skips files with extensions such as .sys, .exe, .dll, and .Yurei (its own encrypted-file marker) to avoid re-encrypting already compromised files.
Files are encrypted in 64 KB blocks using ChaCha20-Poly1305, with the encrypted key and nonce stored at the beginning of each file, separated by the "||" delimiter.
The secp256k1-ECIES method Yurei employs uses Elliptic Curve Diffie-Hellman to create a shared secret, which is then passed through a key derivation function to serve as the AES-GCM encryption key.
A randomly generated temporary nonce ensures a different encryption result each time, preventing victims from attempting independent recovery.
The ransom note, saved as "_README_Yurei.txt", threatens to delete the decryption key and to leak stolen data, including databases, financial documents, and personal information, on the dark web if victims fail to respond within 5 days.
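The following Python triage scanner is an added example written for this article; it is neither ASEC's tooling nor code from the malware. It covers both the encryption layout described above (wrapped key and nonce stored at the start of each file, "||" delimiter, 24-byte nonce) and the exclusion rules and ransom note filename: it walks a directory tree, finds .Yurei-marked files and _README_Yurei.txt notes, parses each file header, and flags encrypted files found under directories the sample is reported to skip, since that would point to a different build or actor. The exact byte encoding of the header is not given in the report, so the layout the parser expects (wrapped key, "||", 24-byte nonce, "||", ciphertext) is an assumption, and the sample directory tree and its file contents are constructed inline.

```python
"""Post-incident triage scanner for Yurei-style encrypted files (added example).

Header layout is an ASSUMPTION derived from the report's description:
    <ECIES-wrapped key> "||" <24-byte nonce> "||" <ciphertext>
The wrapped-key length is not assumed; the 24-byte nonce length is from the report.
"""
import os
import tempfile
from dataclasses import dataclass

MARKER_EXT = ".Yurei"              # encrypted-file marker named in the report
RANSOM_NOTE = "_README_Yurei.txt"  # ransom note filename from the report
DELIM = b"||"
NONCE_LEN = 24
# Directories the report says the sample skips; matched case-insensitively
# against every path segment relative to the scan root.
EXCLUDED_DIRS = {"windows", "system32", "program files"}


@dataclass
class Finding:
    path: str
    kind: str            # "encrypted", "note", "malformed" or "anomaly"
    wrapped_key_len: int = 0
    nonce_len: int = 0
    ciphertext_len: int = 0


def parse_header(data: bytes):
    """Split a file body under the assumed layout.

    "||" can occur inside the wrapped key, so instead of trusting the first
    occurrence the parser looks for two delimiters exactly NONCE_LEN bytes
    apart. Returns (wrapped_key, nonce, ciphertext) or None.
    """
    pos = data.find(DELIM)
    while pos != -1:
        nonce_start = pos + len(DELIM)
        nonce_end = nonce_start + NONCE_LEN
        if pos > 0 and data[nonce_end:nonce_end + len(DELIM)] == DELIM:
            return data[:pos], data[nonce_start:nonce_end], data[nonce_end + len(DELIM):]
        pos = data.find(DELIM, pos + 1)
    return None


def in_excluded_dir(relpath: str) -> bool:
    parts = {p.lower() for p in os.path.normpath(relpath).split(os.sep)}
    return bool(parts & EXCLUDED_DIRS)


def scan_tree(root: str) -> list:
    """Walk root and classify ransom notes and .Yurei-marked files."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                findings.append(Finding(full, "note"))
                continue
            if not name.endswith(MARKER_EXT):
                continue
            with open(full, "rb") as fh:
                parsed = parse_header(fh.read())
            if parsed is None:
                findings.append(Finding(full, "malformed"))
                continue
            wrapped_key, nonce, ciphertext = parsed
            # Encrypted data where the reported sample never writes: flag for an analyst.
            kind = "anomaly" if in_excluded_dir(os.path.relpath(full, root)) else "encrypted"
            findings.append(Finding(full, kind, len(wrapped_key), len(nonce), len(ciphertext)))
    return findings


def summarize(findings) -> dict:
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def build_sample_tree() -> str:
    """Constructed directory tree mimicking a hit; byte values avoid 0x7C ('|')."""
    root = tempfile.mkdtemp(prefix="yurei_triage_")
    header = bytes(range(65)) + DELIM + bytes(range(24)) + DELIM   # constructed, not a real sample
    samples = {
        os.path.join("a", "report.docx.Yurei"): header + bytes(range(100)),
        os.path.join("Windows", "System32", "drv.sys.Yurei"): header + bytes(range(40)),
        os.path.join("c", "partial.Yurei"): b"no header here",
        os.path.join("b", RANSOM_NOTE): b"constructed stand-in for the ransom note\n",
        os.path.join("d", "tool.exe"): b"untouched file, not a finding",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for f in scan_tree(root):
        print(f"{f.kind:10} {os.path.relpath(f.path, root)}")
    print(summarize(scan_tree(root)))
```

Run against a mounted image or a collected file set, the per-kind counts give a quick blast-radius estimate, "malformed" entries tell you the header assumption above needs revisiting against a real sample, and "anomaly" entries are the ones worth pulling for manual review.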
