
Analysis of Encryption Structure of Yurei Ransomware Go-based Builder

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY:

The Yurei ransomware group, first identified in September 2025, employs a typical ransomware operation model targeting corporate networks. Their attacks have affected Sri Lanka and Nigeria, focusing on transportation, IT, marketing, and food industries. The ransomware, developed in Go, uses ChaCha20-Poly1305 for file encryption and secp256k1-ECIES for key protection. It excludes specific directories, extensions, and files from encryption to maintain system functionality. The encryption process generates a unique key and nonce for each file, ensuring only the threat actor can decrypt the data. The ransom note threatens data leaks and regulatory notifications if demands are not met within five days.

OPENCTI LABELS:

encryption, ransomware, go-based, yurei, chacha20-poly1305, corporate networks, secp256k1-ecies, darkweb


AI COMMENTARY:

1. Introduction: The Yurei ransomware group emerged in September 2025 as a formidable threat to corporate networks, leveraging a Go-based builder and advanced cryptographic techniques. Since its discovery, the group has executed targeted campaigns against high-value sectors, demonstrating a deep understanding of encryption workflows and network infiltration methods. Their operational model adheres to classic ransomware tactics while incorporating modern programming practices that challenge traditional defenses.

2. Operational Background: Yurei’s campaigns have primarily affected businesses in Sri Lanka and Nigeria, with particular focus on transportation, information technology, marketing, and food industries. By exploiting supply chain vulnerabilities and weak perimeter defenses, the group gains footholds in corporate environments before deploying their payload. Their choice of targets underscores a strategy designed to maximize pressure on organizations that rely heavily on uninterrupted operations and sensitive data integrity.

3. Go-Based Builder Architecture: The Yurei ransomware builder is written in the Go programming language, granting it cross-platform compatibility and ease of deployment. Go’s concurrency primitives allow the malware to process multiple files in parallel, accelerating encryption throughput. The builder compiles into a single binary, simplifying distribution through dark web forums and encrypted channels favored by the threat actors. This choice of language and structure exemplifies a shift toward more modular and resilient ransomware toolkits.

4. Encryption Mechanism with ChaCha20-Poly1305: At the core of Yurei’s payload lies ChaCha20-Poly1305, a modern authenticated (AEAD) cipher favored for its performance and integrity guarantees. For each file, the malware generates a unique 256-bit key and a 96-bit nonce, so no two encryption operations share the same parameters. This avoids key and nonce reuse across files and complicates mass decryption: recovering one file’s key reveals nothing about any other file, because each encrypted file demands its own key and nonce combination. The Poly1305 tag detects tampering and partial file corruption, so a modified ciphertext will fail authentication rather than decrypt to garbage.

5. Directory and File Exclusions: To maintain system stability and allow the victim to read the ransom note, Yurei’s builder intentionally excludes critical system directories, database files, and common executable extensions from encryption. This exclusion-list approach leaves user-generated and corporate data in scope while preserving boot files and key system functionality. By sparing these paths, the malware ensures that machines remain operational long enough for victims to view payment instructions and contact the threat actors.
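A scope check that models the exclusion logic described above, added here as an illustration and not code from the Yurei builder or from the report; the directory, extension and file-name entries it uses are constructed placeholders, since the report does not list the real ones. A defender can run such a check over a file inventory to see which assets a payload with this kind of policy would reach, and prioritise backups and file-access monitoring there.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// ExclusionPolicy models the three exclusion classes the report describes:
// directories, extensions and exact file names the builder skips. All entries
// used here are constructed placeholders, not values from the Yurei builder.
type ExclusionPolicy struct {
	Dirs  []string // directory names, matched against every path component
	Exts  []string // extensions including the dot, e.g. ".exe"
	Files []string // exact base names, e.g. "bootmgr"
}

// contains is a case-insensitive membership test, as Windows path lookups are.
func contains(list []string, s string) bool {
	for _, x := range list {
		if strings.EqualFold(x, s) {
			return true
		}
	}
	return false
}

// InScope reports whether a file would be encrypted, i.e. it matches none of
// the exclusions. Backslashes are converted so Windows and POSIX paths are
// handled identically regardless of the host this runs on.
func (pol ExclusionPolicy) InScope(p string) bool {
	np := strings.ReplaceAll(p, `\`, "/")
	base := path.Base(np)
	if contains(pol.Files, base) || contains(pol.Exts, path.Ext(base)) {
		return false
	}
	for _, comp := range strings.Split(path.Dir(np), "/") {
		if contains(pol.Dirs, comp) {
			return false
		}
	}
	return true
}

func main() { // constructed placeholder policy and sample inventory
	pol := ExclusionPolicy{Dirs: []string{"Windows"}, Exts: []string{".dll"}, Files: []string{"bootmgr"}}
	for _, p := range []string{`C:\Windows\System32\kernel32.dll`, `C:\bootmgr`, `C:\Users\alice\q3-forecast.xlsx`} {
		fmt.Println(p, "would be encrypted:", pol.InScope(p))
	}
}
```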

6. Key Protection via secp256k1-ECIES: After generating the file-level keys, Yurei encrypts them using an elliptic curve integrated encryption scheme (ECIES) on the secp256k1 curve. This wraps each symmetric key with a public-key operation that only the attacker, holding the corresponding private key, can reverse. Elliptic curve cryptography on secp256k1, the same curve popularized by blockchain technologies, offers strong security with relatively small key sizes, keeping overhead low while making brute-force recovery of the wrapped keys infeasible.

7. Ransom Note and Threats: Once encryption completes, victims receive a ransom note demanding payment within five days or face data leaks to public forums and notifications to regulators. The note references the stolen data as proof and threatens legal consequences for noncompliance, exploiting corporate concerns over reputational damage and regulatory fines. Payment instructions typically direct victims to the dark web, where anonymous negotiation channels and escrow services facilitate extortion while masking the attackers’ identities.

8. Implications and Mitigation Strategies: The sophistication of Yurei’s encryption structure underscores the need for robust defense-in-depth measures. Organizations should implement network segmentation, employ offline backups, and deploy endpoint detection tools capable of identifying anomalous file access patterns. Regular vulnerability assessments and employee training programs further reduce the likelihood of initial compromise. By understanding the technical details of Yurei’s Go-based builder and encryption schemes, defenders can tailor their controls to detect and disrupt such advanced ransomware operations before they inflict substantial damage.



