Yurei is a newly emerged ransomware group, first observed in September 2025, that follows a double-extortion model—encrypting victims’ files while also exfiltrating sensitive data. According to cybersecurity researchers, including Check Point Research (CPR), Yurei operates with a slightly modified version of the open-source Prince-Ransomware, lowering the entry barrier for less experienced cybercriminals.
The group has primarily targeted victims in Sri Lanka, India, and Nigeria. Written in Go and derived from Prince-Ransomware, Yurei employs the ChaCha20 cipher for encryption and leverages PowerShell automation. Compared to its predecessor, it features faster file encryption and extends support to network drives. However, it fails to remove Volume Shadow Copies, leaving an opportunity for potential data recovery. The investigation revealed hints that the threat actor’s origins may be in Morocco.
The ransom note is dropped as _README_Yurei.txt and directs victims to visit the group’s website and join a live chat using a provided access token for negotiation. The actors promise that, upon payment, they will supply a decryption tool and a report detailing the vulnerabilities exploited to compromise the environment.
Ransom note.
Ransom note (second part).
Processes flow from Triage
Technical Analysis
The ransomware is written in the Go programming language, which presents detection challenges for some antivirus vendors while offering easier development and cross-platform compilation capabilities.
In the main function we see two methods: one responsible for encrypting all drives and network shares, and one that runs a PowerShell command to connect to a URL and download a wallpaper. We will go through both to understand their structure.
Ransom Main
Yurei_filewalker_EncryptAllDrivesAndNetwork first calls Yurei_filewalker_getAllDrives, the method responsible for enumerating all available drives on the infected system.
In this part, it loops through drive letters A–Z and returns the drives that are present on the victim machine.
Yurei_filewalker_getAllDrives1.1
After retrieving and saving the drive letters, it constructs drive paths by concatenating each letter with the string :\ to produce a path such as C:\. It then checks each path’s existence using os.Stat() to verify which drives are accessible. The component builds a list of drives that actually exist on the system and finally returns a slice containing all valid drive paths found.
Yurei_filewalker_getAllDrives1.2
It then allocates memory for a goroutine context structure; v21 becomes a pointer to the newly allocated object, and the function pointer stored at offset 1 (v21[1]) is the closure that is invoked.
V21[1] → Yurei_filewalker_EncryptAllDrivesAndNetwork_func1
Yurei_filewalker_EncryptAllDrivesAndNetwork_func1 calls path_filepath_Walk, which recursively walks each drive to collect all files and subdirectories that will be used in the encryption process.
Inside path_filepath_Walk, off_561E98 → Yurei_filewalker_EncryptAllDrivesAndNetwork_func1_EncryptDirectory_2
Yurei_filewalker_EncryptAllDrivesAndNetwork_func1_EncryptDirectory_2 calls fileStat_IsDir to determine whether a file path refers to a directory or a regular file.
call fileStat_IsDir
The ransomware uses the list at offset off_C5B8B0 to skip encrypting specific directory names and to avoid dropping _README_Yurei.txt in any folder on that list.
path_filepath_Base isolates the specific directory or file name that needs to be checked.
strings_ToLower converts the target name to lower case.
strings_EqualFold compares the normalized name against the blocklist without case sensitivity.
This part is responsible for creating the ransom note _README_Yurei.txt in a directory, provided the directory is not in the blocklist at offset off_C5B8B0. It builds the full file path by calling path_filepath_Join to combine the current directory path with the ransom note filename.
It then checks whether the file already exists: os_Stat is called, and os_IsNotExist returns true if the file is not found.
Finally it creates and writes the ransom note: off_C5B320 points to the actual ransom note text, the file permissions are set to rw-rw-rw-, and os_WriteFile creates the file with the ransom note content.
Drop note
We tested this by running the malware in Triage. The screenshot confirms that after running Yurei, directories in the blocklist at offset off_C5B8B0 are neither encrypted nor given a ransom note.
This part of the file processing, like the first path, is responsible for filtering what will and will not be encrypted. In other words, the ransomware enumerates all available drives and files on the victim system and then decides which of them to encrypt.
FILE PROCESSING
We can see in this screenshot that Yurei did not encrypt History.txt in the Program Files directory.
After Run Yurei 1.1
Here we compare two files with the same name and identical content: the one on the left, located in C:\, was encrypted, while the one on the right, located in C:\Windows, was not.
Cmp in different locations
Cmp content in different locations
Here is the start of the encryption process at offset off_B41EA0, applied to all the drives and files it collected.
It first checks exclusions by calling Yurei_encryption_isExcluded: if the file path matches the exclusion list (extensions such as .sys, .dll and .exe, or system folders), the function logs it and returns without encrypting.
It then opens the target file by calling os_OpenFile to read the victim’s file.
Target Files
Key Generation
github_com_ecies_go_Encrypt encrypts the symmetric key and nonce using ECIES. This ensures that only the attackers, who hold the private key, can decrypt the session key and nonce, protecting the encryption keys from recovery.
Asymmetric Encryption
golang_org_x_crypto_chacha20_newUnauthenticatedCipher creates a ChaCha20 cipher with the generated key and nonce; this is the stream cipher used to encrypt the actual file content.
[ECIES-Encrypted Key] || [ECIES-Encrypted Nonce] || [ChaCha20-Encrypted File Data]
This is the wallpaper setting function of the ransomware. It's responsible for downloading and setting custom wallpaper on the victim's machine, which typically contains the ransom note and payment instructions.
First, it uses the temp directory to build the full path where Wallpaper.png will be saved. It then constructs a PowerShell command to download the wallpaper; qword_684180 points to the attacker's server URL, and the file is saved to the TEMP directory as Wallpaper.png.
PowerShell is run invisibly (HideWindow = 1) to download the wallpaper from the attacker's server. To set the wallpaper, it creates C# code that calls the Windows API SystemParametersInfo, taking two parameters to set the downloaded image as the wallpaper:
Finally, it executes the wallpaper setting by running PowerShell invisibly again, which applies the wallpaper change.
Refer back to the "Processes flow from Triage" image to see all of these commands.
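The wallpaper stage described above leaves a characteristic process-creation trail: a hidden PowerShell window, a download into TEMP named Wallpaper.png, and an Add-Type call into SystemParametersInfo. The Go program below is an added example for a detection engineer, not code from the original analysis or from the malware; it classifies PowerShell command lines against those three behaviours plus the hidden-window flag and only alerts when two or more indicators coincide, which keeps ordinary Invoke-WebRequest use out of the alert queue. The sample events, the placeholder host attacker-server.invalid and the elided C# source are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcessEvent is a minimal process-creation record (image + command line),
// the two fields an EDR or Sysmon Event ID 1 entry would supply.
type ProcessEvent struct {
	Image       string
	CommandLine string
}

// Indicator names reported by ClassifyCommandLine.
const (
	IndHiddenWindow   = "hidden-window"
	IndDownloadToTemp = "download-to-temp"
	IndWallpaperPNG   = "wallpaper-png"
	IndSPI            = "SystemParametersInfo"
)

// ClassifyCommandLine returns the wallpaper-stage indicators present in a
// PowerShell command line. Matching is case-insensitive and substring based;
// each indicator is weak on its own, so callers combine them (see Suspicious).
func ClassifyCommandLine(cmd string) []string {
	lc := strings.ToLower(cmd)
	if !strings.Contains(lc, "powershell") {
		return nil
	}
	var hits []string
	// HideWindow = 1 in the binary corresponds to a hidden window style flag.
	if strings.Contains(lc, "-windowstyle hidden") || strings.Contains(lc, "-w hidden") {
		hits = append(hits, IndHiddenWindow)
	}
	// A download cmdlet whose output lands in a TEMP path.
	if (strings.Contains(lc, "invoke-webrequest") || strings.Contains(lc, "downloadfile")) &&
		strings.Contains(lc, "temp") {
		hits = append(hits, IndDownloadToTemp)
	}
	if strings.Contains(lc, "wallpaper.png") {
		hits = append(hits, IndWallpaperPNG)
	}
	// Add-Type plus SystemParametersInfo is the Win32 set-wallpaper pattern.
	if strings.Contains(lc, "systemparametersinfo") {
		hits = append(hits, IndSPI)
	}
	return hits
}

// Suspicious applies the alert threshold: two or more indicators together.
func Suspicious(cmd string) bool {
	return len(ClassifyCommandLine(cmd)) >= 2
}

// ScanEvents returns the indices of events that cross the threshold.
func ScanEvents(events []ProcessEvent) []int {
	var out []int
	for i, ev := range events {
		if Suspicious(ev.CommandLine) {
			out = append(out, i)
		}
	}
	return out
}

// SampleEvents is a constructed log excerpt for offline testing; the host
// name is a placeholder and the C# source in event 2 is elided.
func SampleEvents() []ProcessEvent {
	ps := `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`
	return []ProcessEvent{
		{ps, `powershell.exe -NoProfile -Command Get-Process`},
		{ps, `powershell.exe -w hidden -c "Invoke-WebRequest -Uri http://attacker-server.invalid/Wallpaper.png -OutFile $env:TEMP\Wallpaper.png"`},
		{ps, `powershell.exe -w hidden -c "Add-Type -TypeDefinition '[C# source elided: DllImport user32.dll SystemParametersInfo]'; [Wallpaper.Setter]::Apply(\"$env:TEMP\Wallpaper.png\")"`},
		{ps, `powershell.exe -Command "Invoke-WebRequest -Uri https://example.invalid/update.zip -OutFile C:\Temp\update.zip"`},
	}
}

func main() {
	events := SampleEvents()
	for i, ev := range events {
		fmt.Printf("event %d: indicators=%v suspicious=%v\n",
			i, ClassifyCommandLine(ev.CommandLine), Suspicious(ev.CommandLine))
	}
	fmt.Println("alerting events:", ScanEvents(events))
}
```

Event 3 in the sample is the deliberate negative case: a plain download into a Temp folder scores a single indicator and does not alert, whereas the two wallpaper-stage commands each score three.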
Once the encryption of local drives is finished, the process enters an infinite loop that iterates through network paths, calling path_filepath_Walk to recursively process each network location with the same encryption logic.
Network Share Enumeration
We can now see that Yurei's processing follows a systematic approach to encryption:
Files are encrypted with the ChaCha20 algorithm and given the .Yurei extension, with a unique random key and random nonce generated for each file. The ransomware encrypts both the ChaCha20 key and nonce using ECIES (Elliptic Curve Integrated Encryption Scheme) with the attacker’s public key. Each encrypted file then stores the encrypted key, the encrypted nonce, and the encrypted file content, concatenated (||).
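The two on-disk artefacts summarised above, the .Yurei extension and the _README_Yurei.txt note, are what a responder sweeps for when scoping an incident. The Go program below is an added triage example written for this page, not code from the original analysis or from the malware; it walks a volume through Go's fs.FS abstraction, counts encrypted files and notes, and lists directories that hold encrypted files but no note, since the analysis above shows the sample withholds the note only in blocklisted directories it also leaves unencrypted, so that combination is worth a second look. The in-memory sample tree (SampleFS) and its file contents are constructed for the example; SweepDir runs the same logic over a real path such as a mounted image.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path"
	"sort"
	"strings"
	"testing/fstest"
)

const (
	encryptedExt = ".Yurei"           // extension appended to encrypted files
	ransomNote   = "_README_Yurei.txt" // note dropped in every non-blocklisted directory
)

// SweepResult summarises what the walk found.
type SweepResult struct {
	EncryptedFiles int
	RansomNotes    int
	DirsWithNote   map[string]bool
	// Directories holding .Yurei files but no note, sorted for stable output.
	DirsEncryptedNoNote []string
}

// SweepFS walks an fs.FS and tallies Yurei artefacts. Unreadable entries are
// skipped rather than aborting, so a partial view of a damaged volume still works.
func SweepFS(fsys fs.FS) (SweepResult, error) {
	res := SweepResult{DirsWithNote: map[string]bool{}}
	encDirs := map[string]bool{}
	err := fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return nil // skip unreadable entry, keep walking
		}
		if d.IsDir() {
			return nil
		}
		dir := path.Dir(p)
		switch {
		case strings.EqualFold(d.Name(), ransomNote):
			res.RansomNotes++
			res.DirsWithNote[dir] = true
		case strings.EqualFold(path.Ext(d.Name()), encryptedExt):
			res.EncryptedFiles++
			encDirs[dir] = true
		}
		return nil
	})
	for dir := range encDirs {
		if !res.DirsWithNote[dir] {
			res.DirsEncryptedNoNote = append(res.DirsEncryptedNoNote, dir)
		}
	}
	sort.Strings(res.DirsEncryptedNoNote)
	return res, err
}

// SweepDir runs the sweep over a real directory tree (e.g. a mounted image).
func SweepDir(root string) (SweepResult, error) {
	return SweepFS(os.DirFS(root))
}

// SampleFS is a constructed in-memory tree standing in for a victim volume.
func SampleFS() fstest.MapFS {
	blob := []byte("constructed placeholder content")
	return fstest.MapFS{
		"Users/alice/Documents/report.docx.Yurei": {Data: blob},
		"Users/alice/Documents/budget.xlsx.Yurei": {Data: blob},
		"Users/alice/Documents/_README_Yurei.txt": {Data: blob},
		"Users/alice/Pictures/photo.jpg.Yurei":    {Data: blob}, // encrypted, no note
		"Windows/System32/drivers/etc/hosts":      {Data: blob}, // untouched system dir
		"Program Files/App/History.txt":           {Data: blob}, // untouched, as in the screenshot
	}
}

func main() {
	var (
		res SweepResult
		err error
	)
	if len(os.Args) > 1 {
		res, err = SweepDir(os.Args[1])
	} else {
		res, err = SweepFS(SampleFS())
	}
	if err != nil {
		fmt.Println("walk error:", err)
	}
	fmt.Printf("encrypted files: %d, ransom notes: %d\n", res.EncryptedFiles, res.RansomNotes)
	fmt.Println("encrypted but no note:", res.DirsEncryptedNoNote)
}
```

Because the analysis notes that Volume Shadow Copies are left in place, a sweep like this gives the list of affected directories to prioritise when attempting recovery from those copies.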
| Tactic Name | Tactic ID |
|---|---|
| Execution | TA0002 |
| Persistence | TA0003 |
| Privilege Escalation | TA0004 |
| Defense Evasion | TA0005 |
| Discovery | TA0007 |
| Collection | TA0009 |
| Command and Control | TA0011 |
| Impact | TA0040 |