Analysis of Encryption Structure of Yurei Ransomware Go-based Builder
Essential information
- Published
- 14/11/2025 12:16
- Modified
- 14/11/2025 12:46
- Tags
- 2025-11-14 chacha20-poly1305 corporate networks darkweb encryption go-based ransomware secp256k1-ecies yurei
- Related entities
- 1 observables, 1 intrusion sets (apt), 10 techniques (mitre), 1 malware, 6 others
Description
The Yurei ransomware group, first identified in September 2025, employs a typical ransomware operation model targeting corporate networks. Their attacks have affected Sri Lanka and Nigeria, focusing on transportation, IT, marketing, and food industries. The ransomware, developed in Go, uses ChaCha20-Poly1305 for file encryption and secp256k1-ECIES for key protection. It excludes specific directories, extensions, and files from encryption to maintain system functionality. The encryption process generates a unique key and nonce for each file, ensuring only the threat actor can decrypt the data. The ransom note threatens data leaks and regulatory notifications if demands are not met within five days.