Yurei the New Ransomware Group on the Scene
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
Yurei, a newly emerged ransomware group, targeted a Sri Lankan food manufacturing company on September 5, 2025. The group employs a double-extortion model, encrypting files and exfiltrating sensitive data. Check Point Research discovered that Yurei's ransomware is based on the open-source Prince-Ransomware, with minor modifications. The ransomware, written in Go, contains a flaw allowing partial recovery through Shadow Copies. Since its first victim, Yurei has quickly expanded to three victims across Sri Lanka, India, and Nigeria. The investigation suggests the threat actor may originate from Morocco. Yurei's operation demonstrates how open-source malware lowers the entry barrier for cybercriminals, enabling less-skilled actors to launch ransomware attacks.
OPENCTI LABELS :
open-source,ransomware,go,double-extortion,morocco,satanlockv2,shadow copies,prince-ransomware,yurei
AI COMMENTARY :
1. Introduction to Yurei the New Ransomware Group
Yurei first emerged on September 5, 2025, when it targeted a Sri Lankan food manufacturing company. Operating under a double-extortion model, Yurei combines file encryption with data exfiltration to pressure victims into paying for both the decryption keys and the promise that stolen data will be deleted. This initial attack signaled the arrival of a new threat actor in the global ransomware landscape.

2. Technical Underpinnings and Open-Source Heritage
Check Point Research has determined that Yurei's malware is based on the open-source Prince-Ransomware codebase, written in Go, with only minor modifications. By reusing an established framework and incorporating elements drawn from other projects such as SatanLock V2, Yurei's developers were able to deploy working encryption tooling without building it from scratch. The choice of Go further eases porting the code across platforms.

3. Double-Extortion Strategy and Shadow Copies Flaw
Yurei follows the modern double-extortion playbook: it encrypts critical files and exfiltrates sensitive data before issuing the ransom demand. Researchers uncovered a flaw in Yurei's Go implementation: the ransomware fails to fully remove Windows Shadow Copies, so portions of the encrypted data can be recovered through standard restoration procedures. This gives defenders an opportunity to recover some data without acceding to ransom demands.

4. Rapid Regional Expansion
Since compromising its first victim in Sri Lanka, Yurei has quickly expanded, claiming additional victims in India and Nigeria. Each new incident underscores the group's growing ambition and its willingness to target organizations across diverse industries and geographies. This rapid proliferation highlights how easily open-source ransomware can be adapted and deployed by less-skilled actors seeking quick financial gain.

5. Suspected Moroccan Origin and Attribution
Investigation into network infrastructure and code similarities suggests that Yurei's operators may be based in Morocco. Analysis of command-and-control servers, language artifacts, and time-zone patterns supports this attribution, although definitive proof remains elusive. The possible Moroccan link provides useful context for law enforcement and security professionals tracking the group.

6. Implications for the Cybercrime Ecosystem
Yurei's emergence shows how open-source ransomware families lower the barrier to entry for cybercriminals. By building on publicly available code, even inexperienced actors can launch effective attacks with minimal development effort. The trend toward commoditized malware is likely to continue, increasing the number of low-sophistication groups capable of causing substantial damage through large-scale campaigns.

7. Conclusion and Defensive Considerations
The rise of Yurei highlights the importance of robust backup strategies, including regular testing of file restoration from Shadow Copies and from offline repositories. Organizations should share threat intelligence, keep intrusion-detection systems up to date, and segment networks to limit lateral movement. By understanding Yurei's open-source lineage, defenders can anticipate future variants and strengthen defenses against the next wave of double-extortion ransomware.
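As an added example of the Shadow Copy restoration test recommended above (this is not code from the report or from Check Point Research), the PowerShell script below enumerates the host's VSS snapshots and test-restores one file from the newest snapshot of its volume. It assumes an elevated session on the affected Windows host; the file path and the C:\vss_test link directory are hypothetical placeholders.

```powershell
# Added example: list VSS snapshots per drive and verify that a file can be pulled
# back from the newest one. Assumes an elevated PowerShell session; $LinkRoot is a
# placeholder directory used only to reach the snapshot's device object.

function Get-ShadowCopySummary {
    # Map \\?\Volume{GUID}\ names to drive letters so snapshots are readable per drive
    $volumes = @{}
    Get-CimInstance -ClassName Win32_Volume | ForEach-Object { $volumes[$_.DeviceID] = $_.DriveLetter }
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Sort-Object InstallDate -Descending |
        Select-Object @{n='Drive'; e={ $volumes[$_.VolumeName] }}, InstallDate, ID, DeviceObject
}

function Test-ShadowCopyRestore {
    param(
        [Parameter(Mandatory)][string]$Path,   # hypothetical, e.g. C:\Data\invoices.xlsx
        [string]$LinkRoot = 'C:\vss_test'      # placeholder mount point for the snapshot
    )
    $drive = Split-Path -Qualifier $Path       # "C:"
    $snap = Get-ShadowCopySummary | Where-Object Drive -eq $drive | Select-Object -First 1
    if (-not $snap) { throw "no shadow copy exists for $drive" }
    if (Test-Path $LinkRoot) { throw "$LinkRoot already exists; choose an unused link path" }
    # Snapshot contents are reachable through a directory symlink to the device object;
    # the trailing backslash on the target is required.
    cmd /c mklink /d "$LinkRoot" "$($snap.DeviceObject)\" | Out-Null
    try {
        $relative = $Path.Substring($drive.Length).TrimStart('\')
        $source = Join-Path $LinkRoot $relative
        if (-not (Test-Path -LiteralPath $source)) {
            return [pscustomobject]@{ Path = $Path; Restorable = $false; Snapshot = $snap.InstallDate }
        }
        $dest = Join-Path $env:TEMP ('vss_restore_' + (Split-Path $Path -Leaf))
        Copy-Item -LiteralPath $source -Destination $dest -Force
        # Equal hashes mean the live file is unchanged since the snapshot; a mismatch (or a
        # missing live file) means the snapshot still holds an older, pre-encryption copy.
        $live = Get-FileHash -LiteralPath $Path -ErrorAction SilentlyContinue
        $same = $live -and ((Get-FileHash -LiteralPath $source).Hash -eq $live.Hash)
        [pscustomobject]@{ Path = $Path; Restorable = $true; Snapshot = $snap.InstallDate
                           RestoredTo = $dest; SameAsLive = [bool]$same }
    } finally {
        cmd /c rmdir "$LinkRoot" | Out-Null   # removes only the symlink, not the snapshot
    }
}

Get-ShadowCopySummary | Format-Table -AutoSize
Test-ShadowCopyRestore -Path 'C:\Data\invoices.xlsx'   # hypothetical test file
```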