More
- Awards
- Blogs
- BrandPosts
- Events
- Podcasts
- Videos
- Enterprise Buyer’s Guides
news
Ransomware upstart ‘The Gentlemen’ raises the stakes for OT‑heavy sectors
Sep 10, 2025 5 mins
news
Featured Chrome extension FreeVPN.One caught capturing and transmitting user data
Aug 22, 2025 4 mins
news
Singapore issues critical alert on Dire Wolf ransomware targeting global tech and manufacturing firms
Aug 19, 2025 4 mins
news
New ransomware ‘Charon’ uses DLL sideloading to breach critical infrastructure
Aug 13, 2025 4 mins
news
Project Ire: Microsoft’s autonomous AI agent that can reverse engineer malware
Aug 7, 2025 4 mins
news
CISA releases Thorium, an open-source, scalable platform for malware analysis
Aug 4, 2025 4 mins
news
Interlock ransomware threat expands across the US and Europe, hits healthcare and smart cities
Jul 23, 2025 4 mins
news
Trend Micro flags BERT: A rapidly growing ransomware threat
Jul 9, 2025 5 mins
The new group relies on data theft and encryption, but coding errors in its ransom note routine expose weaknesses that defenders can exploit.
Credit: A9 STUDIO – shutterstock.com
A new ransomware group called Yurei has surfaced, adopting a double-extortion model. The group encrypts the victim’s files, exfiltrates sensitive data, and demands a ransomware payment for decryption and refraining from publishing stolen data.
First identified on September 5 by Check Point Research, this ransomware group has already attacked three enterprises, a Sri Lankan-based Midcity Marketing food manufacturing company, and an enterprise each in India and Nigeria.
Check Point Research has indicated that the threat actor’s origins may be in Morocco.
When attacking an enterprise, the Yurei ransomware enumerates all drives, and for each drive in parallel, it encrypts files to add a .Yurei extension, the security firms said. For encryption, Yurei uses the ChaCha20 algorithm to generate a random key, a random nonce per file, and then encrypts both with ECIES using the attacker’s public key.
It then attempts to set a wallpaper. But as Yurei’s developer forgot to provide the URL for the wallpaper, it only displays a plain, solid color background (like black) instead of showing a ransom note. Once the encryption is complete, the malware enters a new routine that continuously monitors for newly attached network drives to then encrypt. Yurei then provides the victim with a .onion page for further communication and price negotiations, Check Point Research said in a report.
Open-source code fuels fast entry
Yurei is built almost entirely on open-source ransomware code known as Prince-Ransomware, written in Go but with a few modifications. The same was identified as the threat actor did not strip symbols from the binary, resulting in function and module names being preserved. This same ransomware codebase was already used in campaigns by other actors as well, such as CrazyHunter, identified by Check Point Research.
This only goes to show how easily and quickly threat actors can use open-source ransomware projects to enter the ransomware business without the necessary development skills or even investing much effort.
Open-source ransomware code lowers the barrier for new groups as it removes R&D from the equation. “Turnkey codebases, build scripts, and working ransom workflows let low-skill actors ship variants in days, not months. Minimal edits (branding, concurrency tweaks, C2 endpoints) create new groups that can immediately monetize data theft, shifting the competitive edge from engineering to targeting, social pressure, and negotiation playbooks,” said Amit Jaju, senior managing director – India at Ankura Consulting.
According to Devroop Dhar, co-founder and MD at Primus Partners, instead of needing a big development team, a small group can just make a few edits and go live. It is cheap, quick, and even a rough version can still make money as long as the data theft and leak threat work.
Bigger risks beyond downtime
The double-extortion ransomware appears to be an early version, as it has loopholes. Ransomware often targets and deletes shadow copies to block victims from using Windows’ built-in recovery options. But Yurei did not delete the shadow copies, which, if enabled, can allow the victim to restore their files to a previous snapshot without having to negotiate with Yurei.
However, when data is stolen, only backups do not solve the problem. “Even when a company restores its systems, the attackers still may threaten to publish what they stole. That brings in newer risks, like regulatory fines, lawsuits, reputational damage, and exposure of intellectual property. It is a bigger issue than just downtime because it stays for long after systems come back online,” Dhar said.
Defensive gaps don’t last long
Flaws like these usually do not last long. Threat actors can easily fix the gaps in the next version, and CISOs should be mindful of the fact that the next version will fix those gaps.
“Enterprises should cut initial access by hardening internet-facing services, enforce phishing-resistant multi-factor authentication everywhere, and block legacy authentication,” Jaju said. “Enterprises must deploy data loss prevention with egress controls, fine-tune UEBA (User and Entity Behavior Analytics) for bulk file access, and monitor cloud storage and MFTs (managed file transfers). To contain attacks, organizations should segment Active Directory and critical data zones, enforce just-in-time administration and privileged access management (PAM), and prepare incident communication and legal workflows.
Jaju added enterprises should plan for resilience with intelligence with immutable backups plus threat hunting for open-source indicators (Prince/Yurei build artifacts, PowerShell patterns, ChaCha20/ECIES markers) and subscribe to rapid intel on copycat forks. They should also cover supplier risk by mandating MFA, EDR, and logging for third parties with network or data access and pre-bake kill-switch controls in contracts.
SUBSCRIBE TO OUR NEWSLETTER
From our editors straight to your inbox
Get started by entering your email address below.
Nidhi Singal is an independent journalist reporting on how emerging technologies reshape economies, companies, and countries. She has over 18 years’ experience covering everything from mobile telecommunications to enterprise technologies. She has also written for India Today, Business Today and Fortune India.
More from this author
`,
cio: `
🚀 The new CIO.com hybrid search: 🔍 Explore CIO content smarter, faster and AI powered. ✨
`,
nww: `
🚀 The new NetworkWorld.com hybrid search: 🔍 Explore NetworkWorld content smarter, faster and AI powered. ✨
`,
cw: `
🚀 The new Computerworld.com hybrid search: 🔍 Explore Computerworld content smarter, faster and AI powered. ✨
`,
cso: `
🚀 The new CSOonline.com hybrid search: 🔍 Explore CSO content smarter, faster and AI powered. ✨
`
};
const sharedStyles = `
`;
const publisher = foundry_get_publisher();
const htmlContent = contentSwitch[publisher];
if (!htmlContent || !document.body) return;
document.body.insertAdjacentHTML(“afterbegin”, htmlContent + sharedStyles);
const bar = document.querySelector(“.section-block–announcementbar”);
if (bar) {
requestAnimationFrame(() => {
bar.classList.add(“section-block–announcementbar–visible”);
});
}
const btn = document.querySelector(“.section-block–announcementbar .reset-button”);
const searchIcon = document.querySelector(‘.header__icon-button[data-menu-trigger=”search”] svg’);
const searchTrigger = document.querySelector(‘[data-menu-trigger=”search”]’);
if (searchIcon) {
searchIcon.innerHTML = ‘
‘;
}
if (btn && searchTrigger) {
btn.addEventListener(“click”, () => searchTrigger.click());
}
console.log(“[MISO SCRIPT] Conditions met, initializing Miso search announcements.”);
};
initMisoSearchAnnouncements();
});
document.addEventListener(‘consentManagerReady’, () => {
const hasConsentYouTube = consentManager.checkConsentByVendors([
‘YouTube’,
‘YT’
]);
if (hasConsentYouTube.some(vendor => vendor[‘Has Consent’] === false)) {
console.log(‘[YOUTUBE SCRIPT] Consent not given for YouTube.’);
} else {
console.log(‘[YOUTUBE SCRIPT] Consent given for YouTube. Loading script…’);
}
});
document.addEventListener(‘consentManagerReady’, () => {
const hasConsentGAM = consentManager.checkConsentByVendors([
‘Google Ad Manager’,
‘GAM’
]);
if (hasConsentGAM.some(vendor => vendor[‘Has Consent’] === false)) {
console.log(‘[GAM SCRIPT] Consent not given for GAM.’);
} else {
console.log(‘[GAM SCRIPT] Consent given for GAM. Loading script…’);
}
});
document.addEventListener(‘consentManagerReady’, () => {
const hasConsentGoogleFonts = consentManager.checkConsentByVendors([
‘Google Fonts’,
‘Google Web Fonts’
]);
if (hasConsentGoogleFonts.some(vendor => vendor[‘Has Consent’] === false)) {
console.log(‘[GOOGLE FONTS SCRIPT] Consent not given for Google Fonts.’);
} else {
console.log(‘[GOOGLE FONTS SCRIPT] Consent given for Google Fonts. Loading script…’);
}
});
document.addEventListener(‘consentManagerReady’, () => {
const hasConsentAdobeTypekit = consentManager.checkConsentByVendors([
‘Adobe Typekit’
]);
if (hasConsentAdobeTypekit.every(vendor => vendor[‘Has Consent’] === true)) {
if (foundry_is_edition(‘kr’)) {
const link = document.createElement(‘link’);
link.rel = ‘stylesheet’;
link.href = ‘https://use.typekit.net/ysx4dcu.css’;
document.head.appendChild(link);
}
}
});
document.addEventListener(‘consentManagerReady’, () => {
const vendors = [‘Subscribers’];
const hasConsentSubscribers = consentManager.checkConsentByVendors(vendors);
if (hasConsentSubscribers.some(vendor => vendor[‘Has Consent’] === false)) {
return;
} else {
if (foundry_is_language(‘en’)) {
console.log(‘Language is English’);
// subscribers english ..
}
if (foundry_is_edition(‘kr’)) {
console.log(‘Edition is Korean’);
// subscribers in korean ..
}
if (foundry_is_edition(‘ja’)) {
console.log(‘Edition is Japanese’);
// subscribers in japanese ..
}
}
});
