Mayura Kathir
2025-09-15 01:40:00
gbhackers.com
A newly discovered ransomware group called Yurei has emerged with sophisticated encryption capabilities, targeting organizations through double-extortion tactics while leveraging open-source code to rapidly scale operations.
First observed on September 5, 2025, this Go-based ransomware uses the ChaCha20 cipher for file encryption and runs PowerShell commands on victim systems, marking another evolution in the ransomware-as-a-service ecosystem.
Figure: stages of a double-extortion ransomware attack, from initial vector preparation through data exfiltration to ransomware encryption.
Check Point Research (CPR) identified Yurei as a fast-growing ransomware operation that has already expanded from one victim to three within its first few days of operation.
The group’s initial target was a Sri Lankan food manufacturing company, followed by victims in India and Nigeria, demonstrating their aggressive expansion strategy across multiple geographic regions.
The ransomware group operates under a double-extortion model, combining file encryption with data exfiltration to maximize pressure on victims.
This approach encrypts the victim’s files while simultaneously stealing sensitive information, then demands ransom payments both for decryption keys and to prevent the public release of stolen data.
As Yurei explicitly states on their darknet blog, “the fear and implications of data leakage are their main pressure point to get victims to pay the ransom.”
Yurei Ransomware
Investigation by CPR revealed that Yurei’s ransomware is derived, with only minor modifications, from Prince-Ransomware, an open-source ransomware family available on GitHub.

This discovery highlights a concerning trend where cybercriminals leverage readily available malware code to launch operations without requiring extensive development skills.
The ransomware is written in the Go programming language, which presents detection challenges for some antivirus vendors while offering easier development and cross-platform compilation capabilities.
Notably, the threat actors made a critical mistake by not stripping symbols from the binary, allowing researchers to identify function and module names that clearly indicate the Prince-Ransomware codebase.
The malware follows a systematic approach to encryption:
- Enumerates all available drives on the infected system.
- Encrypts files in parallel across multiple drives.
- Appends the .Yurei extension to encrypted files.
- Attempts to set a custom wallpaper.
- Continuously monitors for newly attached network drives.
Yurei employs the ChaCha20 algorithm for file encryption, generating unique random keys and nonces for each file. The ransomware encrypts both the ChaCha20 key and nonce using ECIES (Elliptic Curve Integrated Encryption Scheme) with the attacker’s public key.

Encrypted files store the encrypted key, nonce, and file content separated by “||” characters, creating a structured format for later decryption.
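The layout described above (ECIES-wrapped key, ECIES-wrapped nonce, then the ChaCha20 ciphertext, with “||” between the fields) can be surveyed on an affected host without any key material. The following PowerShell triage helper is an added example, not CPR’s code or the ransomware’s; the field lengths are not stated in the report, so it reports them rather than assuming them, and it counts extra “||” sequences because binary ciphertext can contain 0x7C7C by chance, which makes a naive split ambiguous.

```powershell
# Added triage helper (not from the CPR report or the Prince/Yurei code).
# Assumed layout, per the description above: <ECIES(key)>||<ECIES(nonce)>||<ChaCha20 ciphertext>

function Find-DoublePipe {
    param([byte[]]$Data, [int]$Start = 0)
    # Offset of the first "||" (0x7C 0x7C) at or after $Start, or -1 if none.
    for ($i = $Start; $i -lt ($Data.Length - 1); $i++) {
        if ($Data[$i] -eq 0x7C -and $Data[$i + 1] -eq 0x7C) { return $i }
    }
    return -1
}

function Get-YureiLayout {
    param([string]$Path)
    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    $first  = Find-DoublePipe -Data $bytes
    $second = if ($first -ge 0) { Find-DoublePipe -Data $bytes -Start ($first + 2) } else { -1 }
    if ($first -lt 0 -or $second -lt 0) {
        return [pscustomobject]@{ Path = $Path; Matches = $false; Reason = 'fewer than two "||" separators' }
    }
    # Any further "||" inside the body means the ciphertext happens to contain the
    # delimiter, so the three lengths below are a best-effort reading, not a certainty.
    $extra = 0
    $pos   = $second + 2
    while (($pos = Find-DoublePipe -Data $bytes -Start $pos) -ge 0) { $extra++; $pos += 2 }
    [pscustomobject]@{
        Path            = $Path
        Matches         = $true
        EncKeyLength    = $first
        EncNonceLength  = $second - ($first + 2)
        BodyLength      = $bytes.Length - ($second + 2)
        ExtraSeparators = $extra
    }
}

# Usage: survey one volume (drive letter is an assumption) and tabulate the observed field sizes.
Get-ChildItem -Path 'D:\' -Recurse -Filter '*.Yurei' -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-YureiLayout -Path $_.FullName } |
    Format-Table -AutoSize
```

Consistent EncKeyLength and EncNonceLength values across many files are what you would expect from a fixed ECIES output size; files that report ExtraSeparators greater than zero should be parsed by those known lengths rather than by the delimiter.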
PowerShell Command Vulnerabilities
The ransomware incorporates PowerShell commands inherited directly from the Prince-Ransomware codebase without modification.
These commands are designed to download and set a custom wallpaper, but the Yurei developers failed to provide a valid URL for the wallpaper download.
This oversight causes the PowerShell command to error out, resulting in Windows defaulting to a solid color background rather than displaying a ransom message wallpaper.
This technical flaw, combined with the preservation of debugging symbols in the binary, demonstrates the relatively low skill level of the operators behind Yurei.
The threat actors appear to have used the Prince-Ransomware builder without understanding or modifying its core functionality.
Despite its encryption capabilities, Yurei contains a significant vulnerability that may allow partial file recovery.
The ransomware fails to delete Volume Shadow Copies (VSS), Windows’ built-in backup snapshots that enable system recovery to previous states.
This oversight means organizations with VSS enabled can potentially restore files to previous snapshots without paying the ransom.
However, this recovery method only addresses the encryption aspect of the attack and does not protect against data exfiltration.
Since Yurei operates under a double-extortion model, victims remain vulnerable to having their stolen data published even if they successfully recover encrypted files through shadow copies.
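Because the report states that Yurei leaves Volume Shadow Copies intact, a responder can pull pre-encryption copies of files straight from a snapshot. The script below is an added example (not from the report), to be run elevated on the affected host; it assumes the snapshot chosen predates the attack and that a separate volume (D:\restored here) is available so nothing is written over the evidence.

```powershell
# Added recovery example (not CPR's code). Requires an elevated session.
# Assumption: at least one shadow copy for the volume was taken before the encryption ran.

function Get-ShadowCopiesForVolume {
    param([string]$DriveLetter = 'C:')
    # Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID both use the \\?\Volume{GUID}\ form.
    $vol = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq $DriveLetter }
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object InstallDate -Descending
}

function Mount-ShadowCopy {
    param($Shadow, [string]$MountPoint = 'C:\vss_snapshot')
    # The device path must end with a backslash or the directory link will not resolve.
    $target = $Shadow.DeviceObject + '\'
    cmd.exe /c mklink /d $MountPoint $target | Out-Null
    return $MountPoint
}

function Restore-FromShadow {
    param([string]$EncryptedPath, [string]$MountPoint, [string]$RestoreRoot = 'D:\restored')
    # Map C:\Users\...\report.docx.Yurei back to its original name inside the snapshot.
    $original = $EncryptedPath -replace '\.Yurei$', ''
    $relative = $original.Substring(3)          # strip the leading "C:\"
    $source   = Join-Path $MountPoint $relative
    $dest     = Join-Path $RestoreRoot $relative
    if (-not (Test-Path -LiteralPath $source)) { return $null }
    New-Item -ItemType Directory -Force -Path (Split-Path $dest) | Out-Null
    Copy-Item -LiteralPath $source -Destination $dest   # copy out, never over the encrypted file
    return $dest
}

# Example run: list snapshots, mount the newest one, restore every .Yurei file under C:\Users.
$shadows = @(Get-ShadowCopiesForVolume -DriveLetter 'C:')
$shadows | Select-Object InstallDate, DeviceObject | Format-Table -AutoSize
if ($shadows.Count -gt 0) {
    $mount = Mount-ShadowCopy -Shadow $shadows[0]
    Get-ChildItem -Path 'C:\Users' -Recurse -Filter '*.Yurei' -File -ErrorAction SilentlyContinue |
        ForEach-Object { Restore-FromShadow -EncryptedPath $_.FullName -MountPoint $mount }
    cmd.exe /c rmdir $mount | Out-Null
}
```

Check the InstallDate column before trusting a snapshot: one created after the encryption ran will only hand back .Yurei files, and the exfiltrated data is unaffected either way.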
Analysis of submission patterns and code artifacts suggests the threat actors may be based in Morocco.
All ransomware samples were first submitted to VirusTotal from Moroccan IP addresses, with one sample lacking a ticket ID, potentially indicating a test build uploaded by the developers themselves.

Additional evidence includes Arabic comments found in the HTML source code of Yurei’s .onion negotiation page and path artifacts referencing “satanlockv2,” suggesting possible connections to the SatanLockv2 ransomware family, which also originated from Morocco and utilized the Prince-Ransomware codebase.

As a result, CPR assesses with low confidence that the threat actor is based in Morocco.
Implications for Cybersecurity Defense
The emergence of Yurei demonstrates how open-source malware significantly lowers barriers to entry for cybercriminals, enabling less-skilled threat actors to launch sophisticated ransomware operations.
This trend poses challenges for defenders as it accelerates the proliferation of ransomware variants while making attribution more difficult.
Organizations should implement comprehensive backup strategies including VSS activation, maintain updated security controls, and prepare incident response procedures specifically designed for double-extortion scenarios.
The shift toward data-theft-based extortion means traditional backup and recovery strategies alone are insufficient protection against modern ransomware threats.
The rapid growth from one to three victims within days indicates Yurei’s operators are actively seeking to expand their operations, making it essential for security teams to monitor for indicators of compromise associated with this emerging threat.