216.73.216.86

Analysis of Encryption Structure of Yurei Ransomware Go-based Builder

· Published 14/11/2025 12:16 · Modified 14/11/2025 12:46

Export JSON

Essential information

Published
14/11/2025 12:16
Modified
14/11/2025 12:46
Tags
2025-11-14 chacha20-poly1305 corporate networks darkweb encryption go-based ransomware secp256k1-ecies yurei
Related entities
1 observables, 1 intrusion sets (apt), 10 techniques (mitre), 1 malware, 6 others

Description

The group, first identified in September 2025, employs a typical operation model targeting . Their attacks have affected Sri Lanka and Nigeria, focusing on transportation, IT, marketing, and food industries. The , developed in Go, uses for file and for key protection. It excludes specific directories, extensions, and files from to maintain system functionality. The process generates a unique key and nonce for each file, ensuring only the threat actor can decrypt the data. The ransom note threatens data leaks and regulatory notifications if demands are not met within five days.

External references