Meet Yurei: The New Ransomware Group Rising from Open-Source Code
Summary:
First observed on September 5, 2025, Yurei is a newly emerged ransomware group that quickly established itself by listing a Sri Lankan food manufacturing company as its first victim. Within just a few days, the group added two more victims, one in India and another in Nigeria, a rapid growth trajectory for a new operation. Yurei operates under a double-extortion model, encrypting files while also exfiltrating sensitive data to pressure victims into paying. The ransomware is written in Go and derived almost entirely from Prince-Ransomware, an open-source project, with only minor modifications. This reliance on pre-existing code underscores how open-source malware lowers the barrier to entry, allowing even inexperienced actors to stand up ransomware operations with minimal effort. Yurei encrypts files with ChaCha20 and appends the encrypted file key to each encrypted file, but the ransomware carries a major flaw inherited from Prince: it never deletes Windows Shadow Copies, so in environments where the Volume Shadow Copy Service (VSS) is enabled, victims can partially recover files from existing snapshots without paying.
Despite this oversight, Yurei relies heavily on the threat of data leakage as its main extortion lever, emphasizing reputational and regulatory risks for victims. Artifacts from VirusTotal submissions and code comments suggest the threat actors may be operating out of Morocco, with possible ties to prior ransomware families such as SatanLockv2. While the technical execution is unsophisticated, Yurei’s use of branding, a darknet leak site, and negotiation portals mirrors the tactics of more established ransomware groups, signaling intent to become a serious player in the ecosystem.
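One way to turn the Shadow Copy oversight into an incident-response check, as an added example that is not part of the Check Point report or of the Yurei/Prince code: confirm VSS is present, enumerate the snapshots of the affected volume, and pull a pre-encryption copy of a file from the newest snapshot that still has it. The file and restore paths, and the assumption that the script runs elevated on the affected host, are illustrative.

```powershell
# Added example (not from the Check Point report or the Yurei/Prince code):
# check whether VSS can help and recover a pre-encryption copy of one file.
# $VictimFile and $RestoreDir are illustrative paths; run this elevated.
param(
    [string]$VictimFile = 'C:\Data\contracts\Q3.xlsx',
    [string]$RestoreDir = 'C:\Recovered'
)

# Step 1: confirm the service exists and report its state.
$vss = Get-Service -Name VSS -ErrorAction SilentlyContinue
if (-not $vss) { throw 'Volume Shadow Copy service (VSS) is not present on this host.' }
Write-Host "VSS service: $($vss.Status), start type $($vss.StartType)"

# Step 2: map the file's drive letter to the volume GUID that shadow copies reference.
$driveLetter = Split-Path -Qualifier $VictimFile          # e.g. 'C:'
$volume = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $driveLetter }
if (-not $volume) { throw "No volume found for $driveLetter" }

# Step 3: list that volume's shadow copies, newest first. An empty list means the
# snapshots were never taken or were deleted (what most ransomware does and Yurei does not).
$shadows = @(Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object InstallDate -Descending)
if ($shadows.Count -eq 0) { throw "No shadow copies for $driveLetter; VSS recovery is not possible." }
Write-Host "$($shadows.Count) shadow copies found for $driveLetter"

# Step 4: walk the snapshots and copy the first one that still holds the original file.
# A snapshot taken after encryption would contain ciphertext, so skip any snapshot
# newer than the encrypted file's last write. If the ransomware renamed the file,
# $encrypted is $null and the date check is skipped; verify InstallDate by hand then.
$relative  = $VictimFile.Substring($driveLetter.Length)   # '\Data\contracts\Q3.xlsx'
$encrypted = Get-Item -LiteralPath $VictimFile -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path $RestoreDir -Force | Out-Null

foreach ($shadow in $shadows) {
    if ($encrypted -and $shadow.InstallDate -ge $encrypted.LastWriteTime) {
        Write-Host "Skipping $($shadow.ID): taken after the file was last written (post-encryption)."
        continue
    }
    # The shadow device is only reachable through its GLOBALROOT path; a directory
    # symbolic link makes it browsable. The trailing backslash is required.
    $link = Join-Path $env:TEMP ('vss_' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType SymbolicLink -Path $link -Target ($shadow.DeviceObject + '\') | Out-Null
    try {
        $candidate = Join-Path $link $relative
        if (Test-Path -LiteralPath $candidate) {
            $dest = Join-Path $RestoreDir (Split-Path -Leaf $VictimFile)
            Copy-Item -LiteralPath $candidate -Destination $dest -Force
            Write-Host "Recovered $VictimFile from snapshot $($shadow.ID) taken $($shadow.InstallDate) -> $dest"
            break
        }
        Write-Host "Snapshot $($shadow.ID) does not contain $relative"
    } finally {
        # Remove only the reparse point, never the snapshot it points to.
        [System.IO.Directory]::Delete($link)
    }
}
```

Against a family that runs the usual `vssadmin delete shadows /all` before encrypting, step 3 throws and the script stops; that the check succeeds at all against Yurei is exactly the inherited Prince oversight. Recovered files should be copied to a clean location and hashed before being trusted, and the snapshot itself must not be modified.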
Security Officer Comments:
Yurei highlights the increasing accessibility of ransomware development through the repurposing of open-source projects. The group’s reliance on Prince-Ransomware code demonstrates a low barrier to entry: minor changes, such as adding concurrency for faster encryption and basic cosmetic adjustments, were enough to launch an operational campaign. While the technical execution is flawed, evidenced by unstripped binaries, the inherited failure to delete Shadow Copies, and errors in wallpaper deployment, these mistakes do not negate the threat. By leaning on data-theft extortion rather than relying solely on encryption, Yurei sidesteps its own technical shortcomings, placing victims in the difficult position of managing both operational disruption and reputational damage.
Suggested Corrections:
- Adopt a connected security architecture that integrates endpoint, network, and identity protection, especially across hybrid and multi-cloud environments.
- Deploy anti-phishing at scale, including user awareness, email scanning, and behavioral analytics that can detect AI-generated lures.
- Use deception and threat hunting to expose affiliate activity and lateral movement early in the attack chain.
- Segment your backups and test recovery regularly. Treat Volume Shadow Copies as a convenience rather than a backup: Yurei happens to leave them intact, but most ransomware deletes them, and they live on the same volume the attacker controls. Don’t assume immunity based on policy or past success.
https://research.checkpoint.com/2025/yurei-the-ghost-of-open-source-ransomware/