Yurei Ransomware: The Ghost of Ransomware

The Yurei ransomware group first appeared in late 2025. Since then, source-code analysis by Check Point Research has identified the key features of an aggressive but lower-skilled attack group relying on a variant of the Prince ransomware.

How Yurei Works: Attack Methods and Technical Characteristics

While relatively new, Yurei has already established itself as a notable threat actor, particularly for businesses in South Asia. Breaking down Yurei's attack methods allows potential victims to address and prevent the oversights that Yurei takes advantage of.

Core Infection and Propagation

Yurei typically infiltrates networks via phishing emails or stolen remote desktop credentials. The first recorded victim of Yurei was in September 2025, when Sri Lankan food manufacturing company MidCity Marketing was attacked. Two other victims would follow in short order: on September 9th, Yurei posted the leaked details of two companies from India and Nigeria on their darknet victim blog.

Once Yurei has gained access to a device, the ransomware automatically detects any connected drives, flagging removable drives like USBs. It then initiates a stealth propagation loop, checking each removable drive for a copy of ‘WindowsUpdate.exe’. If no pre-existing file is found, it copies itself under that name.

At the same time, Yurei’s ransomware scans the device for SMB shares, which connect the infected device to any other trusted endpoints on the local network. Once detected, Yurei then writes itself onto the SMB shares, copying its payload as ‘system32_backup.exe’. Critically, the ransomware then exfiltrates any sensitive data that it finds to the attacker’s own servers, before finally executing a routine that deletes as many backup files as possible.

Encryption

Golang – or Go – is an open-source programming language commonly used in microservice-based applications. While Go itself is maintained by Google, a great deal of software is built on this open-source offering, such as the streaming service Twitch – and the pre-existing Prince ransomware.

Prince is written in Go, and is itself available on GitHub: attackers are free to copy and edit the codebase at will, and Yurei's ransomware is the end product of this modification. Go provides 'goroutines', lightweight threads that execute concurrently. This allows Yurei to perform encryption across all detected drives in parallel, significantly speeding up the encryption process. It encrypts with ChaCha20, a highly efficient stream cipher that encrypts files bit by bit.

For every file Yurei encrypts, it creates a brand-new key and a nonce, which is a one-time number that keeps encryption from being tampered with. Those per-file keys and nonces are then protected by a second layer of encryption: within Yurei's code is an ECIES public key, which encrypts each file's key and nonce so that only someone with the matching private key (i.e., the attacker) can unwrap them.

Because analysis shows Yurei to be ChaCha20-with-ECIES ransomware, each file's ciphertext is stored with its (ECIES-encrypted) key and nonce as a prefix. Yurei's own decryption process, therefore, only needs to unwrap that prefix with the private key to rapidly identify and decrypt the files that need decrypting.

Post-Encryption

Yurei's deployment finishes with two things: a forensic cleanup, and a ransom note. Yurei's self-destruct removes its own binaries and executables. Operating on a three-pass check system, the ransomware deletes as many of its files as possible, before scrubbing all metadata from its network and local activities. It renames its executable twice (each time with a random name), all in an effort to complicate the victim's post-attack analysis.

From the end-user's perspective, the first sign of Yurei's successful deployment is an all-black desktop wallpaper. This is a leftover function from the original Prince ransomware. While the Prince developers included a PowerShell command that downloads a custom wallpaper via the Windows API, Yurei failed to include a valid URL in the command. As a result, Yurei's PowerShell command errors out, and infected devices default to a solid dark background rather than displaying a ransom-message wallpaper.

Rather than place the ransom note as the device background, Yurei instead drops a ransom note named '_README_Yurei.txt' in every affected directory. The note asserts that Yurei has completely compromised the organization's network, demands payment for the files, and threatens to leak data if the payment demands aren't met. Finally, it tells the victim to visit the attackers' Tor site, and gives them a YueriSupp support token for negotiations.
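The propagation behaviour described earlier (copies named 'WindowsUpdate.exe' on removable drives and 'system32_backup.exe' on SMB shares) and the '_README_Yurei.txt' note dropped in every affected directory give a responder three file names to sweep for. The script below is an added example, not code from Check Point Research or from the Yurei/Prince codebase: it walks directory roots that the caller has labelled by location type, reports every name match, and rates a match 'high' when it sits where the article says Yurei drops it. Real drive-type detection is assumed to come from the caller (a mounted-volume inventory, for instance); here a constructed temporary directory tree stands in for a USB stick, a share and a local disk.

```python
"""Triage sweep for the file artifacts the article attributes to Yurei (added example)."""
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Artifact name (lower-cased) -> location type where the article says it is dropped.
# 'any' covers the ransom note, which appears in every affected directory.
ARTIFACTS = {
    "windowsupdate.exe": "removable",
    "system32_backup.exe": "share",
    "_readme_yurei.txt": "any",
}
RANSOM_NOTE = "_readme_yurei.txt"


@dataclass(frozen=True)
class Finding:
    path: str           # full path of the matching file
    artifact: str       # file name as found on disk
    location_type: str  # caller-supplied label of the root it was found under
    severity: str       # 'high' when found where Yurei drops it, else 'medium'


def scan_roots(roots: Dict[str, str]) -> List[Finding]:
    """roots maps a directory to its location type: 'removable', 'share' or 'local'.

    Every name match is reported; the severity only says whether the location
    matches the drop behaviour described for Yurei.
    """
    findings = []
    for root, location_type in roots.items():
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                expected = ARTIFACTS.get(name.lower())
                if expected is None:
                    continue
                severity = "high" if expected in ("any", location_type) else "medium"
                findings.append(Finding(os.path.join(dirpath, name), name, location_type, severity))
    return sorted(findings, key=lambda f: f.path)


def ransom_note_dirs(findings: List[Finding]) -> List[str]:
    """Directories holding a ransom note, i.e. the directories the encryptor reached."""
    return sorted({os.path.dirname(f.path) for f in findings if f.artifact.lower() == RANSOM_NOTE})


def build_sample_tree(base: str) -> Dict[str, str]:
    """Constructed sample layout standing in for a USB stick, an SMB share and a local disk."""
    layout = {
        "usb/WindowsUpdate.exe": b"MZ...",                  # copy dropped on the removable drive
        "usb/holiday.jpg": b"\xff\xd8",                      # benign file, must not be flagged
        "share/finance/system32_backup.exe": b"MZ...",      # copy dropped on the share
        "share/finance/_README_Yurei.txt": b"ransom note",  # note in an affected directory
        "local/docs/_README_Yurei.txt": b"ransom note",
        "local/docs/report.docx": b"PK",                     # benign
        "local/tools/WindowsUpdate.exe": b"MZ...",           # same name on a local disk: 'medium'
    }
    for rel, content in layout.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return {
        os.path.join(base, "usb"): "removable",
        os.path.join(base, "share"): "share",
        os.path.join(base, "local"): "local",
    }


def demo() -> Tuple[List[Finding], List[str]]:
    """Build the constructed tree in a temp dir, sweep it, and return the results."""
    with tempfile.TemporaryDirectory() as base:
        roots = build_sample_tree(base)
        findings = scan_roots(roots)
        return findings, ransom_note_dirs(findings)


if __name__ == "__main__":
    found, note_dirs = demo()
    for f in found:
        print(f"[{f.severity:6}] {f.location_type:9} {f.path}")
    print(f"{len(note_dirs)} directories contain a ransom note")
```

On a real host, pass `scan_roots` the mount points of every removable drive and mapped share with the matching label; the ransom-note directory list doubles as a map of which shares and folders the encryptor reached, which is the scope a recovery plan needs before restoring anything.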

Yurei as Double-Extortion Ransomware

Yurei claims that – if they’re paid – the victim is provided a decryption tool, alongside a pentest-style report of the specific vulnerabilities that they exploited in the attack.

If negotiations begin, victims are offered a free decryption of one file, likely to prove that Yurei can legitimately decrypt the files. Bear in mind that victims also suffer from data theft: Yurei attackers take large amounts of the organization's data. This allows Yurei to leverage the threat of double extortion: the victim must pay both for the file decryption and to keep their confidential information from being leaked.

Note that ransomware payment does not guarantee that the attack group deletes this data; it’s highly likely this is sold on to other attack groups.

Yurei’s Flaws

While Yurei may seem like a well-oiled operation, it’s worth highlighting a few technical flaws that its modified codebase has.

One oversight is that on some victim devices the ransomware fails to delete its own binaries after encryption, and those binaries were built without stripping their debugging symbols. Unstripped binaries retain function names, variable names, and code structure, which makes it easier to decrypt files post-attack: analysts can use this information to understand the malware's encryption logic and remove the ransomware.

This weakness is even more significant on devices that have the Volume Shadow Copy Service (VSS) enabled. Shadow copies preserve previous states of files and entire volumes, and Yurei's ransomware fails to consistently delete the shadow copies already on the system. As a result, some Windows users can restore files to earlier versions even after encryption.

These weaknesses – especially in the context of their ransomware being very similar to Prince – point to Yurei’s limited technical expertise. Note that this recovery method only addresses the encryption aspect for some victims – it doesn’t protect against data exfiltration, and even untrained attackers can wreak havoc on an organization’s systems.
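Whether that recovery route exists on a given host is a question a responder should answer before negotiating, and the answer is in the output of `vssadmin list shadows`. The script below is an added example, not code from Check Point Research or from any ransomware sample: it parses that listing into a per-volume inventory of surviving shadow copies and names the volumes that have none left. The listing embedded here is constructed sample output in the format vssadmin prints (machine name and GUIDs are made up); on a Windows host, `collect_live()` fetches the real output from an elevated prompt.

```python
"""Inventory surviving Volume Shadow Copies from `vssadmin list shadows` (added example)."""
import re
import subprocess
from typing import Dict, List

SET_RE = re.compile(r"Contents of shadow copy set ID:\s*(\{[^}]+\})")
TIME_RE = re.compile(r"creation time:\s*(.+)$")
ORIG_RE = re.compile(r"Original Volume:\s*\(([A-Za-z]:)\)")
SHADOW_RE = re.compile(r"Shadow Copy Volume:\s*(\S+)")


def parse_shadow_listing(text: str) -> Dict[str, List[dict]]:
    """Return {drive letter: [{'device': ..., 'created': ...}, ...]} from vssadmin output.

    A set header resets the state; each 'Original Volume' line names the drive
    for the 'Shadow Copy Volume' line that follows it. 'No items found' yields {}.
    """
    copies: Dict[str, List[dict]] = {}
    created = None
    drive = None
    for raw in text.splitlines():
        line = raw.strip()
        if SET_RE.search(line):
            created, drive = None, None
            continue
        m = TIME_RE.search(line)
        if m:
            created = m.group(1).strip()
            continue
        m = ORIG_RE.search(line)
        if m:
            drive = m.group(1).upper()
            continue
        m = SHADOW_RE.search(line)
        if m and drive:
            copies.setdefault(drive, []).append({"device": m.group(1), "created": created})
            drive = None
    return copies


def volumes_without_copies(copies: Dict[str, List[dict]], expected_drives: List[str]) -> List[str]:
    """Drives from the expected list with no surviving shadow copy (no restore point)."""
    return [d for d in expected_drives if d.upper() not in copies]


def collect_live() -> str:
    """Run vssadmin on the current Windows host (needs an elevated prompt)."""
    result = subprocess.run(["vssadmin", "list", "shadows"], capture_output=True, text=True, check=True)
    return result.stdout


# Constructed sample output: two shadow copies of C:, none of D:.
SAMPLE_LISTING = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 9/1/2025 8:00:12 AM
      Shadow Copy ID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
         Original Volume: (C:)\\?\Volume{c0000000-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WS-FINANCE-01
         Service Machine: WS-FINANCE-01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {66666666-7777-8888-9999-000000000000}
   Contained 1 shadow copies at creation time: 9/3/2025 8:00:05 AM
      Shadow Copy ID: {ffffffff-0000-1111-2222-333333333333}
         Original Volume: (C:)\\?\Volume{c0000000-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: WS-FINANCE-01
         Service Machine: WS-FINANCE-01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""


def demo():
    """Parse the constructed listing and report which of C: and D: lack restore points."""
    copies = parse_shadow_listing(SAMPLE_LISTING)
    return copies, volumes_without_copies(copies, ["C:", "D:"])


if __name__ == "__main__":
    inventory, missing = demo()
    for drive, entries in inventory.items():
        print(f"{drive} {len(entries)} shadow copies, newest {entries[-1]['created']}")
    print("no shadow copies for:", ", ".join(missing) or "none")
```

Replace `SAMPLE_LISTING` with `collect_live()` on the affected host; a non-empty inventory for a volume means the Previous Versions route the article describes is still open for that volume, while an empty one means recovery has to come from offline backups. As the article notes, surviving shadow copies restore files only; they do nothing about the data that was already exfiltrated.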

How Check Point Prevents Ransomware

Yurei’s ‘security report’ is expensive – the average cost of ransomware attacks is roughly $5 million – and is provided by individuals with lower technical skills. To better combat the growing ransomware threat, Check Point offers an in-depth security report that pulls from rich, real-time security data across the world.

To gain a better idea of how companies can implement tighter security controls and start to implement ransomware prevention strategies, take a read of our CISO’s guide to ransomware prevention.

Or, choose to identify and fully protect against the ransomware threat. Check Point's anti-ransomware software is powered by its ThreatCloud AI; it ingests security data from every corner of your on-premises and cloud attack surfaces, before automatically detecting, alerting on, and blocking ransomware attack vectors. Explore more about Check Point's anti-ransomware here.