A new and sophisticated strain of ransomware, dubbed Yurei, has surfaced in the cybersecurity landscape, first being publicly identified in early September 2025. This Go-based malware operates by infiltrating corporate networks, encrypting critical data, and demanding ransom for its return, often while also threatening to leak stolen information. The emergence of Yurei ransomware signifies another challenge for organizations seeking to protect their sensitive data from evolving cyber threats.
Yurei ransomware follows a common but destructive operation model, targeting businesses by gaining unauthorized access to their networks. Once inside, it proceeds to encrypt valuable data, a move often preceded by the deletion of existing backups to impede recovery efforts. The threat actors then establish communication through a dedicated dark web site, where they engage with victims to negotiate ransom payments. These demands are reportedly tailored to the financial standing of the targeted company, indicating a calculated approach to maximizing their illicit gains.
Known victims of Yurei ransomware attacks have so far been identified in Sri Lanka and Nigeria. The primary industries targeted include transportation and logistics, IT software, marketing and advertising, and the food and beverage sectors. Unlike many modern ransomware operations that are part of larger Ransomware-as-a-Service (RaaS) ecosystems or involve collaborations between different cybercrime entities, current analysis by security researchers indicates no clear evidence linking Yurei to such models. The threat actors appear to be operating independently, assessing each victim’s financial capacity to determine ransom amounts, though specific figures have not been publicly disclosed.
Yurei Ransomware’s Sophisticated Encryption Mechanism
Security researchers at ASEC have highlighted that Yurei ransomware distinguishes itself through its advanced encryption techniques. The malware employs the ChaCha20-Poly1305 algorithm, a strong symmetric cipher, for encrypting files. During this process, it generates a unique 32-byte key and a 24-byte nonce, both derived from random values. These crucial encryption keys are then further protected using the secp256k1-ECIES method. This method incorporates an embedded public key, ensuring that only the threat actor possessing the corresponding private key can successfully decrypt the encrypted files, making unauthorized recovery extremely difficult.
This inherent dual-layer encryption design is a significant barrier for victims, rendering unauthorized decryption virtually impossible without succumbing to the ransom demand. The complexity of the encryption process underscores the technical proficiency of the Yurei ransomware developers and the serious threat it poses to victim data confidentiality.
File Encryption Process Details
The encryption process initiated by Yurei begins with a comprehensive scan of the infected system to locate all accessible drives and identify potential targets for encryption. To avoid rendering the entire system inoperable, the ransomware is programmed to deliberately exclude critical system directories such as Windows, System32, and Program Files. Additionally, it bypasses files with specific extensions like .sys, .exe, .dll, and its own encrypted file marker, .Yurei, to prevent unnecessary re-encryption of already compromised data.
Files are encrypted in discrete 64 KB blocks using the ChaCha20-Poly1305 algorithm. The encrypted key and nonce are then written at the beginning of each encrypted file, separated by the delimiter “||”. The secp256k1-ECIES scheme employed by Yurei uses Elliptic Curve Diffie-Hellman (ECDH) to establish a shared secret. This shared secret is then passed through a key derivation function, and the result serves as the AES-GCM key that protects the per-file ChaCha20 key and nonce. A randomly generated temporary nonce further ensures that each encryption event yields a unique output, so victims cannot recover data by reusing patterns observed in earlier encryptions.
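As an added example (not code from the ASEC report or from any Yurei sample), the following Python triage script shows how an incident responder could scope an infection from the artifacts described above: the .Yurei marker extension, the _README_Yurei.txt note, and the “||”-delimited header placed in front of the ciphertext. It assumes the header layout <wrapped_key>||<wrapped_nonce>||<ciphertext>, since the report does not specify the field encoding, and flags files whose body has near-8-bit entropy; the sample tree it builds is constructed for the demo.

```python
import math
import tempfile
from pathlib import Path

NOTE_NAME = "_README_Yurei.txt"   # ransom note filename reported by ASEC
ENCRYPTED_EXT = ".Yurei"          # marker extension the ransomware appends
DELIM = b"||"                     # reported separator between the prepended fields

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ChaCha20-Poly1305 output sits near 8.0, documents far below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in map(data.count, range(256)) if c)

def parse_yurei_header(blob: bytes):
    """Assumed layout <wrapped_key>||<wrapped_nonce>||<ciphertext>; the field
    encoding is undocumented, so only the first two delimiters are trusted."""
    parts = blob.split(DELIM, 2)
    if len(parts) != 3 or not parts[0] or not parts[1]:
        return None
    return parts[0], parts[1], parts[2]

def triage_file(path: Path) -> dict:
    with path.open("rb") as fh:
        head = fh.read(64 * 1024)  # one 64 KB block is enough to judge entropy
    parsed = parse_yurei_header(head)
    body = parsed[2] if parsed else head
    return {"path": str(path), "header_ok": parsed is not None,
            "nonce_field_len": len(parsed[1]) if parsed else None,
            "entropy": round(shannon_entropy(body), 2)}

def triage_tree(root: Path) -> dict:
    """Walk a tree, separating ransom notes from files carrying the .Yurei marker."""
    notes, encrypted = [], []
    for p in sorted(root.rglob("*")):
        if p.name == NOTE_NAME:
            notes.append(str(p))
        elif p.is_file() and p.suffix == ENCRYPTED_EXT:
            encrypted.append(triage_file(p))
    return {"notes": notes, "encrypted": encrypted,
            "high_entropy": sum(e["entropy"] > 7.5 for e in encrypted)}

def demo() -> dict:
    """Builds a constructed sample tree (not real Yurei output) and triages it."""
    root = Path(tempfile.mkdtemp())
    header = bytes(range(65)) + DELIM + bytes(range(100, 124)) + DELIM  # no 0x7c inside
    (root / ("invoice.xlsx" + ENCRYPTED_EXT)).write_bytes(header + bytes(range(256)) * 32)
    (root / NOTE_NAME).write_text("constructed ransom note placeholder")
    (root / "untouched.txt").write_text("plain text " * 200)
    return triage_tree(root)
```

Run triage_tree() against a mounted image of an affected host to get a count of marker files, how many parsed with the expected header, and how many carry ciphertext-like entropy, which gives a quick picture of what was actually encrypted versus merely renamed.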
The ransom note, dropped as “_README_Yurei.txt”, issues a stark ultimatum: if the ransom is not paid within five days, the decryption key will be permanently deleted. The note also states the threat actors’ intention to leak the stolen data, which may include sensitive databases, financial documents, and personal information, on the dark web. Threatening to leak exfiltrated data is a common but highly effective pressure tactic used by ransomware groups to compel victims into paying.
The ongoing presence and sophistication of Yurei ransomware highlight the persistent evolution of cybercriminal tactics. As organizations continue to grapple with cybersecurity challenges, the actions of groups like the Yurei operators underscore the need for robust defense strategies, including regular software patching, comprehensive data backup solutions, and effective employee security awareness training. Future developments will likely focus on the group’s expansion of targets, potential shifts in their operational tactics, and whether any law enforcement actions or counter-intelligence efforts emerge to disrupt their activities.