Yurei the New Ransomware Group on the Scene
Essential information
- Published
- 12/09/2025 15:33
- Modified
- 15/09/2025 19:04
- Tags
- 2025-09-12 double-extortion go morocco open-source prince ransomware ransomware satanlockv2 shadow copies yurei
- Related entities
- 5 observables, 1 intrusion sets (apt), 8 techniques (mitre), 3 malware, 5 others
Description
Yurei, a newly emerged ransomware group, targeted a Sri Lankan food manufacturing company on September 5, 2025. The group employs a double-extortion model, encrypting files and exfiltrating sensitive data. Check Point Research discovered that Yurei's ransomware is based on the open-source Prince-Ransomware, with minor modifications. The ransomware, written in Go, contains a flaw allowing partial recovery through Shadow Copies. Since its first victim, Yurei has quickly expanded to three victims across Sri Lanka, India, and Nigeria. The investigation suggests the threat actor may originate from Morocco. Yurei's operation demonstrates how open-source malware lowers the entry barrier for cybercriminals, enabling less-skilled actors to launch ransomware attacks.