Self Assessment

YUREI RANSOMWARE : THE DIGITAL GHOST

Published On : 2025-10-03
Share :
YUREI RANSOMWARE : THE DIGITAL GHOST

EXECUTIVE SUMMARY

At CYFIRMA, we are committed to delivering timely insights into emerging cyber threats and the evolving tactics of cybercriminals targeting individuals and organizations. This report provides a concise analysis of Yurei Ransomware, which is a sophisticated ransomware family designed to rapidly encrypt data, disable recovery options, and frustrate forensic investigation. It appends a “.Yurei” extension to encrypted files, deletes shadow copies and system backups, and erases event logs to block restoration and hinder response.

The malware spreads laterally via SMB shares, removable drives, and credential-based remote execution (PsExec/CIM). It uses per-file ChaCha20 encryption keys, each wrapped with the attacker’s embedded ECIES public key, making decryption without the operator’s cooperation infeasible.

INTRODUCTION

CYFIRMA has observed a new Ransomware, “Yurei Ransomware” developed in Go language, whose samples are available in various malware databases. This ransomware is designed to target Windows systems, utilizing advanced encryption methods and adding a unique file extension to encrypted files.

Target Technologies Windows
Encrypted Files Extension .Yurei
Ransom Note File _README_Yurei.txt
Programming Language Go

Yurei stages its payload from temporary directories, deploys polished ransom notes with Tor-based contact channels, and executes secure deletion routines to erase artifacts. Taken together, these features point to a professional, double-extortion-ready operation optimized for speed, stealth, and irreversible impact.

CAPABILITIES

  • Rapid Data Encryption: Encrypts all accessible local and network drives using per-file ChaCha20 keys.
  • File Renaming: Appends .Yurei extension to all encrypted files.
  • Per-File Encryption Keys: Uses unique ChaCha20 key/nonce pairs wrapped with the attacker’s embedded ECIES public key.
  • Backup & Recovery Destruction: Deletes Volume Shadow Copies and system backups; disables backup services.
  • Log and Event Wiping: Recursively removes Windows event logs and system logs, modifies file metadata to obscure timelines.
  • Payload Staging: Drops staged executables and PowerShell scripts in %LOCALAPPDATA%\Temp and drive root locations.
  • Credential-Based Lateral Movement: Uses PSCredential, CIM sessions, net use, and PsExec-style remote execution to propagate across networks.
  • Removable Media Propagation: Copies itself to USB drives and disguises as WindowsUpdate.exe.
  • Network Share Propagation: Copies payload to writable SMB shares as System32_Backup.exe.
  • Desktop Manipulation: Changes desktop wallpaper.
  • Ransom Note Deployment: Creates _README_Yurei.txt in every encrypted directory with Tor-based contact channels, Ticket ID, and negotiation instructions.
  • Double-Extortion Ready: Threatens data leak in addition to ransom demand; uses per-victim tracking via Tor chat and support tokens.
  • Anti-Forensics / Self-Cleaning: Implements selfDestruct, secureDelete, and wipeMemory routines to remove binary, traces, and in-memory sensitive data.
  • Memory & Console Cleanup: Clears console history, forces garbage collection, and overwrites memory with random data to hide sensitive artifacts.
  • Chunked File Encryption: Processes files in 2 MiB chunks to encrypt large files efficiently without loading entirely into memory.
  • Professional Build & Deployment: Polished, management-targeted ransom notes, stealthy propagation loops, and high operational speed.

STATIC ANALYSIS

ENTRY POINT

Execution begins with the main routine running a loop that, once triggered, calls the function EncryptAllDrivesAndNetwork, responsible for encrypting all accessible drives and network shares before changing the victim’s desktop wallpaper using a PowerShell wrapper for the Windows SystemParametersInfo API. Following this, the desktop background is changed by calling the setWallpaper() function.

BACKUP AND RECOVERY DISABLING

The disableBackups routine tries to turn off backup and recovery features, likely stopping backup services and deleting Volume Shadow Copies before calling getAllDrives to list all local and network drives for encryption.

POWERSHELL COMMAND EXECUTION FOR BACKUP AND LOG REMOVAL

The disableBackups() function removes recovery options by assembling PowerShell commands that invoke native Windows utilities to delete backups. Using PowerShell, it builds and executes commands such as vssadmin Delete Shadows /All /Quiet and wbadmin Delete Catalog -Quiet via os/exec.(*Cmd).Run, silently removing all Volume Shadow Copies and backup catalogs.

PAYLOAD STAGING AND DEPLOYMENT

Since Go strings are represented as offset–length pairs rather than null-terminated text, static analysis often misses references. Deeper inspection of recovered strings shows it assembling a PowerShell command designed to purge Windows event and system logs from %SystemRoot%\System32\winevt\Logs and %SYSTEMROOT%\Logs. It leverages Get-ChildItem -Recurse piped to Remove-Item -Force, combined with -ErrorAction SilentlyContinue to suppress errors and ensure deletion, modifying file metadata by setting CreationTime (effectively manipulating timestamps). Together, these actions remove log evidence and obscure forensic timelines, which is a pattern strongly aligned with ransomware anti-forensic behavior.

The PowerShell fragment copies a staged payload from a temp file to multiple target locations using Copy-Item -Force, notably writing to $drive\svchost.exe and $drive\WindowsUpdate.exe (masquerading as legitimate service binaries) and to a network share as System_Backup.exe, then removes the temp file.

MEMORY AND CONSOLE CLEANUP

Clear-Host wipes the console history, then the GC sequence forces immediate collection of unreferenced managed objects; the subsequent 1 MB random overwrite obliterates their residual heap data, ensuring forensic tools recover only high-entropy garbage instead of cleartext commands, credentials, or share paths.

SELF-DESTRUCT FUNCTION

The selfDestruct function is intended to fully erase the malware after it runs. It sequentially calls secureDelete, cleanTraces, and wipeMemory, which removes persistence and significantly hinders forensic recovery or post-incident investigation.

The secureDelete routine destroys the ransomware binary to prevent recovery. It performs three overwrite passes using a 1 MiB buffer filled with cryptographically strong random bytes from crypto/rand.Read, writing each pass with os.WriteFile to obliterate the file contents. After overwriting, it renames the executable twice using randomly generated names and temporary paths.

Finally, the malware deletes its on-disk executable, calls os.Remove to remove the file, and runs cleanFileMetadata to scrub timestamps, MFT entries, and other file attributes. This cleanup is an anti-forensics measure meant to eliminate persistence and make recovery and attribution more difficult.

SPREADING METHODS (STEALTHPROPAGATION)

stealthPropagation infects removable media, leverages open network shares, and launches remote execution via PsExec. An infinite loop keeps these propagation attempts running nonstop until the process is stopped.

SMB AND NETWORK SHARE PROPAGATION

The script lists SMB shares and iterates over each share path. For writable shares that don’t already have the file, it copies itself into the share and writes the payload as System32_Backup.exe.

REMOVABLE DRIVE PROPAGATION

The executable iterates all removable drives with valid letters, checks for WindowsUpdate.exe at each root, and if absent, copies its own executable there as WindowsUpdate.exe, disguising propagation via USB under a familiar system-like filename, and increases infection success more silently.

DESKTOP WALLPAPER MODIFICATION

The ransomware leverages a C# wrapper with P/Invoke to call user32.dll and execute SystemParametersInfo(20, 0, path, 3) to change the desktop wallpaper. Since the specified path refers only to a locally dropped file rather than an external source or URL, the outcome is a forced black desktop background, creating an immediate and highly visible effect.

PER-FILE ENCRYPTION MECHANISM (CHACHA20 + ECIES)

It creates a per-file ChaCha20 key and nonce, wraps the key with ECIES via go_ecies, then writes a custom header to the target file containing the wrapped key and nonce, followed by the 0x7c7c (“||”) separator. That marker cleanly delimits the wrapped-key/nonce blob from the ciphertext, so the wrapped key is trivial to find during decryption. Finally, the file body is encrypted with ChaCha20 and appended.

CHUNKED FILE ENCRYPTION

The loop processes files in 2 MiB chunks (0x200000 bytes each), feeding each block into ChaCha20’s XORKeyStream to apply the keystream, then writing the encrypted output back. This chunked approach enables streaming encryption of large files without ever loading them fully into memory.

REPLACES ORIGINAL FILE WITH ENCRYPTED VERSION.

After processing, the code closes any open handles, deletes the temporary file used during encryption, and then renames the temp file to the original filename. That sequence releases locks, removes artifacts, and atomically moves the encrypted file into place to reduce recovery chances and forensic evidence.

EMBEDDED PUBLIC KEY EXPOSURE

The attacker’s public key is baked into the executable at Go build time (stored in the binary’s build metadata). The payload uses that embedded public key to wrap each file’s symmetric key, so only whoever holds the matching private key can unwrap and decrypt the files.

RANSOM NOTE CREATION (_README_YUREI.TXT)

The loop creates a ransom note named _README_Yurei.txt, writes the ransom note into it, and places it alongside each encrypted file’s directory. This is the payload’s final step after encryption, ensuring that every affected directory contains the ransom instructions under a consistent filename.

DYNAMIC ANALYSIS

RANSOM NOTE CONTENT AND DOUBLE-EXTORTION

When executed in the controlled environment, the sample drops a file named _README_Yurei.txt and displays a professionally written ransom notice addressed to management. The note asserts a full compromise and data exfiltration, claims backups and shadow copies have been destroyed, advertises payment incentives (such as a 24-hour test decryption), provides negotiation instructions, and explicitly warns victims against attempting recovery or involving third parties. Its authoritative tone and double-extortion demands are intended to coerce rapid payment.

TOR-BASED COMMUNICATION AND VICTIM TRACKING

Ransom notes include a Tor .onion chat link (GUID path), a Ticket ID, a blog .onion, and a hex-like YureiSupp token. Those artifacts let the operators correlate victims by ticket and conduct talks over Tor, implying both ransom demands and a threat to leak stolen data.

TEMPORARY DIRECTORY STAGING (%LOCALAPPDATA%\TEMP)

Temp directory contents show multiple staged payloads and transient artifacts in %LOCALAPPDATA%\Temp, including several exe files. This indicates the ransomware stages copies of its binary in Temp, and creates temp containers for PowerShell scripts (*.ps1).

CREDENTIAL-BASED LATERAL EXECUTION (PSEXEC-STYLE)

The dropped script constructs a PSCredential object from the supplied username and password, opens a CIM session, and copies the local file’s raw bytes to the remote host. It then invokes a remote process whose command line writes the payload to disk and executes it. After execution, the script closes the CIM session. In effect, this implements credential-based lateral execution (PsExec-style).

FILE RENAMING WITH .YUREI EXTENSION

All encrypted files were renamed by appending the ransomware extension .Yurei to the original filename.

FILE HEADER STRUCTURE (CHACHA20 KEY + NONCE)

Each encrypted file starts with a header that contains an asymmetrically encrypted ChaCha20 key, immediately followed by the encrypted nonce. A fixed delimiter (0x7c7c, ASCII “||”) separates this header from the ciphertext. This layout gives each file a unique key/nonce pair while enabling the attacker’s decryptor to reliably parse and recover the values required for decryption.

ANTI-RECOVERY AND ANTI-FORENSICS OPERATIONS

During execution, the sample launches multiple PowerShell commands to delete shadow copies and backup catalogs (vssadmin Delete Shadows /All /Quiet, wbadmin Delete Catalog -Quiet) and recursively removes event and log files, demonstrating active anti-recovery and anti-forensics measures. Simultaneously, it stages and drops payloads to local Temp and root directories and attempts credential-based lateral movement using net use, CIM sessions, and PsExec-style remote execution, including repeated net use \\<ip>\IPC$ attempts with different credentials. This combination of backup destruction, log wiping, payload deployment, and network propagation reflects a coordinated kill-chain aimed at maximizing impact while hindering remediation and forensic investigation.

EXTERNAL THREAT LANDSCAPE MANAGEMENT

Yurei Ransomware was first identified on September 5, 2025, with its initial reported victim being a food manufacturing company in Sri Lanka.

While “Yūrei” (幽霊) is a Japanese word meaning “ghost” or “spirit,” this alone does not provide enough evidence to conclude that the developer of the Yurei ransomware is from Japan.

The first Yurei Ransomware sample was submitted to a malware database on September 7, 2025, originating from Morocco, and was later reuploaded from Germany and Turkey. However, these submissions alone do not confirm that the developer is based from these countries.

DEBUG / COMPILE-TIME METADATA EXPOSURE

The executable’s compile-time metadata reveals a Windows username (intellocker) on the C: drive and a path on D: (D:\satanlockv2), suggesting potential ties to other known ransomware groups. The presence of these embedded paths and usernames in the binary indicates a possible connection between the Yurei ransomware build and a SatanLockerV2 development environment.

YUREI RANSOMWARE CHAT BOX AND BLOG LINK

Blog Link (Currently not accessible):
http[://fewcriet5rhoy66k6c4cyvb2pqrblxtx4mekj3s5l4jjt4t4kn4vheyd[.onion

Chat Link (Currently not accessible):
http[://fewcriet5rhoy66k6c4cyvb2pqrblxtx4mekj3s5l4jjt4t4kn4vheyd[.onion/chat/777676f8-2313-425f-873a-65c4df8d5def/chat[.php

YUREI VS PRINCE RANSOMWARE – KEY SIMILARITIES AND OBSERVATIONS

Analysis of the Yurei ransomware reveals a possible significant degree of source code reuse from the open-source Prince-Ransomware project. The link is established through symbol retention, matching cryptographic schemes, structural similarities in file handling, and inherited behavioral quirks.

Key overlaps:

  • Symbols preserved: Yurei’s binary retains function and module names from Prince (e.g., PrinceCrypto.dll, InitPrinceKeys() ? InitYureiKeys()), indicating code lineage.
  • Encryption: Uses the same ChaCha20 + ECIES scheme; session keys are ECIES-wrapped and file data encrypted with ChaCha20, mirroring Prince’s method.
  • File structure & extension: Appends .Yurei to encrypted files, storing NONCE || ENCRYPTED_KEY || CIPHERTEXT in the same header layout as Prince.
  • Drive enumeration & recursion: Recursively enumerates all drives, including UNC network shares, skipping blacklists, same traversal logic as Prince.
  • Concurrency modification: Implements Go goroutines for parallel encryption across drives, unlike Prince’s single-threaded approach.
  • Inherited flaws: Does not delete Volume Shadow Copies (VSS), leaving recovery points intact — a flaw carried over from Prince.
  • Wallpaper / ransom note logic: Attempts to set a desktop background via PowerShell, but with a missing URL, defaults to a solid color, replicating Prince’s misconfiguration issue.

CONCLUSION

Yurei Ransomware is a highly sophisticated malware family leveraging advanced encryption (ChaCha20 + ECIES), per-file keys, and professionalized ransom notes. Its propagation methods, including SMB shares, removable drives, and credential-based execution, enable rapid lateral spread across networks. Anti-forensics routines such as log wiping, secure deletion, and memory cleansing hinder recovery and forensic analysis. The ransomware’s double-extortion capabilities increase pressure on victims, threatening data leaks in addition to ransom demands. Analysis indicates possible code reuse from the Prince ransomware, with minor modifications and inherited flaws. Overall, Yurei represents a professional, high-impact threat designed for stealth, speed, and irreversible data compromise.

INDICATORS OF COMPROMISE

Indicator Type Remarks
1263280c916464c2aa755a81b0f947e769c8a735a74a172157257fca340e1cf4 Sha256 3dec9093b6da575c8700a9eb.ps1
4f88d3977a24fb160fc3ba69821287a197ae9b04493d705dc2fe939442ba6461 Sha256 YureiRansomware.exe
hXXp[:]//fewcriet5rhoy66k6c4cyvb2pqrblxtx4mekj3s5l4jjt4t4kn4vheyd[.]onion URL BLOG LINK
hXXp[:]//fewcriet5rhoy66k6c4cyvb2pqrblxtx4mekj3s5l4jjt4t4kn4vheyd[.]onion/chat/777676f8-2313-425f-873a-65c4df8d5def/chat[.]php URL CHAT LINK

MITRE ATTACK FRAMEWORK

Tactic Technique ID Technique
Execution T1047 Windows Management Instrumentation
Execution T1059 Command and Scripting Interpreter
Execution T1106 Native API
Execution T1129 Shared Modules / Get kernel32 base address / PEB access
Persistence T1543 Create or Modify System Process
Persistence T1543.003 Windows Service
Defense Evasion T1006 Direct Volume Access (searches for available drives)
Defense Evasion T1027 Obfuscated Files or Information (packing, encryption/encoding)
Defense Evasion T1027.002 Software Packing
Defense Evasion T1036 Masquerading (creates files in user directories)
Defense Evasion T1045 Software Packing (local sandbox packer harvesting — unknown)
Defense Evasion T1064 Scripting (use of PowerShell utilities)
Defense Evasion T1070 Indicator Removal (clears Windows events/logs)
Defense Evasion T1070.004 File Deletion (deletes shadow copies / vssadmin, wbadmin)
Defense Evasion T1070.006 Timestomp (yara indicators triggered)
Defense Evasion T1140 Deobfuscate/Decode Files or Information (AES via x86 extensions)
Defense Evasion T1202 Indirect Command Execution (uses suspicious Windows utilities)
Defense Evasion T1562 Impair Defenses (attempts to stop active services)
Defense Evasion T1562.001 Disable or Modify Tools (attempts to stop active services)
Defense Evasion T1564 Hide Artifacts (uses ADS / alternate data streams)
Defense Evasion T1564.003 Hidden Window (creates process with hidden window)
Defense Evasion T1564.004 NTFS File Attributes (interacts with ADS)
Credential Access T1003 OS Credential Dumping
Credential Access T1552 Unsecured Credentials (harvests mail client data)
Credential Access T1552.001 Credentials in Files (Outlook .pst exfiltration)
Discovery T1012 Query Registry (MachineGuid, fingerprinting)
Discovery T1016 System Network Configuration Discovery (reads network adapter info)
Discovery T1057 Process Discovery (queries list of running processes)
Discovery T1082 System Information Discovery (memory, volume info)
Discovery T1497 Virtualization/Sandbox Evasion (process count anomaly)
Collection T1005 Data from Local System (harvests Outlook .pst)
Collection T1074 Data Staged (manipulates recycle bin / staging)
Collection T1114 Email Collection
Command & Control T1071 Application Layer Protocol (suspicious network indicators)
Command & Control T1090 Proxy (Tor onion address observed)
Impact T1485 Data Destruction (clears Windows events/logs; anomalous deletions)
Impact T1486 Data Encrypted for Impact (modifies/renames user files; .yurei extension)
Impact T1489 Service Stop (attempts to stop active services)
Impact T1490 Inhibit System Recovery (deletes volume shadow copies / disables backups)

YARA RULES

import “hash”
rule YUREI_RANSOMWARE
{
meta:
author = “Cyfirma Research Team”
description = “Detects Yurei ransomware samples using SHA256 hashes or associated strings/IOCs”
date = “2025-09-26”

strings:
$exe_name = “YureiRansomware.exe” nocase
$ps1_fragment = “3dec9093b6da575c8700a9eb.ps1” ascii nocase
$onion_domain = /\bfewcriet5rhoy66k6c4cyvb2pqrblxtx4mekj3s5l4jjt4t4kn4vheyd\.onion\b/i
$onion_chat = /\bfewcriet5rhoy66k6c4cyvb2pqrblxtx4mekj3s5l4jjt4t4kn4vheyd\.onion\/chat\/[0-9a-fA-F-]{8,48}\/chat\.php\b/i
$nonce_like = “ENCRYPTED_KEY || NONCE || CIPHERTEXT” ascii nocase

condition:
// Hash-based detection (high confidence)
hash.sha256(0, filesize) == “1263280c916464c2aa755a81b0f947e769c8a735a74a172157257fca340e1cf4” or
hash.sha256(0, filesize) == “4f88d3977a24fb160fc3ba69821287a197ae9b04493d705dc2fe939442ba6461” or

// String / IOC-based detection (broader coverage)
any of ($exe_name, $ps1_fragment, $onion_domain, $onion_chat, $nonce_like)
}

RECOMMENDATIONS

Strategic

  • Adopt a ransomware resilience program (board-level): Formalize incident response, tabletop exercises, and decision frameworks for pay vs. non-pay scenarios to reduce time-to-decision and financial exposure.
  • Invest in segmented, air-gapped backups with tested restore drills: enforce immutable/air-gapped backups and run quarterly restore tests.

Tactical

  • Harden identity & access (MFA + least privilege): Require MFA for remote admin access, remove local admin rights where possible, and enforce MFA on service accounts and RDP/CIM/PSExec access.
  • Network segmentation & SMB hardening: Segment production networks, restrict SMB to known subnets, disable anonymous/share access, and monitor for unusual SMB write activity.

Operational

  • Endpoint detection & rapid containment playbooks: Deploy EDR with behavioral detection for rapid isolation (kill-process, network cut, quarantine) and pre-approved containment runbooks.
  • Backup verification & incident escalation triggers: Implement automated backup integrity checks and define clear escalation thresholds (e.g., >X encrypted hosts ? activate IR team).

Technical

  • Detect & block Yurei indicators + behavior: Deploy YARA (use combined hash+IOC rule previously created), EDR rules to flag ChaCha20/ECIES usage patterns, file header markers (0x7c7c / ||), and suspicious PowerShell commands (vssadmin/wbadmin/Get-ChildItem | Remove-Item). Rationale: Enables both high-confidence (hash) and broader behavioral detection to catch variants.
  • Hunt & remediate lateral movement artefacts: Proactively search logs for PSCredential / CIM / net use \\*\IPC$ attempts, unexpected service creations, EDR alerts for creation of files with extension .yurei, and new files named WindowsUpdate.exe / System32_Backup.exe (including on removable or network shares); remove exposed credentials and rotate affected secrets.