A new threat has emerged in the ransomware landscape with the discovery of Yurei ransomware, first publicly identified in early September 2025. This Go-based malware follows a classic ransomware model but introduces advanced encryption techniques that make recovery nearly impossible without paying the ransom.
How Yurei Operates
Yurei infiltrates corporate networks, encrypts critical files, deletes backups, and demands ransom for stolen data. The group runs a dedicated dark web leak site (DLS) where they negotiate payment terms based on the financial status of each victim.
Key facts about Yurei’s operations:
- Targets include organizations in Sri Lanka and Nigeria.
- Primary industries affected:
- Transportation & Logistics
- IT Software
- Marketing & Advertising
- Food & Beverage
- No evidence of ties to Ransomware-as-a-Service (RaaS) or collaboration with other cybercrime groups.
- Ransom amounts are calculated case-by-case after reviewing the victim’s financial position.
Encryption Mechanism: Why Yurei Stands Out
ASEC security researchers revealed that Yurei ransomware uses a dual-layer encryption design:
- ChaCha20-Poly1305 Algorithm:
- Encrypts files in 64 KB blocks.
- Generates a 32-byte key and 24-byte nonce as random values.
- Stores encrypted key and nonce at the start of each file using the “||” delimiter.
- secp256k1-ECIES Method:
- Protects encryption keys using Elliptic Curve Diffie-Hellman (ECDH).
- Creates a shared secret, transformed via a key derivation function into an AES-GCM key.
- Ensures only the attacker with the private key can decrypt files.
This layered approach makes unauthorized decryption virtually impossible.
File Targeting Strategy
Yurei scans the infected system for all drives and potential encryption targets but avoids critical system directories like:
WindowsSystem32Program Files
It also skips files with extensions such as .sys, .exe, .dll, and .Yurei (its own encrypted marker) to prevent re-encryption and system crashes.
Ransom Note and Threats
The ransom note, saved as _README_Yurei.txt, warns victims:
- Respond within five days or risk deletion of the decryption key.
- Stolen data—including databases, financial records, and personal information—will be leaked on the dark web if payment is not made.
Why Yurei Is Dangerous
- Advanced encryption makes brute-force recovery impossible.
- Custom ransom negotiation increases pressure on victims.
- Targeted industries suggest a strategic approach to maximize payouts.
Key Takeaways
- Yurei ransomware uses ChaCha20-Poly1305 and secp256k1-ECIES for encryption.
- It excludes system-critical files to keep systems operational while locking data.
- Victims face both data loss and public exposure if they fail to pay.
Conclusion
Yurei ransomware represents a new wave of highly sophisticated attacks. Organizations must:
- Implement robust backup strategies.
- Deploy advanced endpoint detection.
- Train employees on ransomware prevention.
Don’t wait until it’s too late—review your security posture now.
