- New Group, Fast Growth: Yurei ransomware first appeared on September 5, already listing three victims in Sri Lanka, India, and Nigeria within its first week.
- Copy-Paste Malware: The ransomware is largely based on the open-source Prince-Ransomware project, showing how attackers with limited skills can quickly launch operations.
- Data Leaks Over Encryption: Despite flaws that allow partial recovery, Yurei’s main weapon is data theft and exposure, which they use to pressure victims into paying.
- Global Threat, Emerging Origins: Early evidence suggests links to Morocco, reflecting how ransomware is no longer confined to traditional regions: it can emerge anywhere and spread fast.
A new ransomware group calling itself Yurei has appeared on the cyber crime scene, and it wasted no time in making headlines. First observed on September 5 by Check Point Research, the group listed its first victim, a food manufacturing company in Sri Lanka, on its darknet site. Within just a few days, two more victims, one in India and one in Nigeria, were added.
Yurei’s quick rise illustrates a growing challenge: how easily cyber criminals can turn open-source malware into real-world ransomware operations, even with limited skills and effort.
Who is Yurei?
The name “Yurei” comes from Japanese folklore, referring to restless spirits. But in cyberspace, the group’s presence is anything but ghostly. Like other ransomware gangs, Yurei operates a darknet blog, an online platform where they “name and shame” victims, leak proof-of-compromise documents, and host a chat system for ransom negotiations.
Their business model is straightforward but devastating:
- Encrypt files on a victim’s network.
- Steal sensitive data.
- Demand ransom payments in exchange for decryption and withholding leaks.
In their own words, Yurei puts more weight on the fear of exposure than on encryption itself. Leaking stolen data is the primary pressure tactic to force victims into paying.
Yurei ransomware site on September 5.
A Copy-Paste Beginning
The Yurei ransomware is written in Go, a programming language favored by attackers for its cross-platform flexibility. But Yurei’s codebase isn’t original. Check Point Research’s analysis revealed that it is derived, with only minor changes, from Prince-Ransomware, an open-source ransomware project freely available on GitHub.
This is a textbook case of how open-source malware lowers the barrier to entry. Instead of writing ransomware from scratch, Yurei’s operators simply reused an existing codebase, making only small modifications. That shortcut allowed them to launch an international campaign in days, not months.
In fact, Yurei’s developers even left clues behind. They forgot to strip symbols from the ransomware binary, making it easier for researchers to see the inner workings and trace its roots back to Prince-Ransomware.
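A triage helper for the point above, added here as an example (it is not Check Point's tooling and does not use bytes from the Yurei sample): it pulls the Go build ID, toolchain version, main-package function names and third-party module paths out of a binary's printable bytes, the kind of leftover symbols that let a researcher tie a "new" family to an existing open-source codebase. The sample blob, function names and module path are constructed placeholders.

```python
import re
from typing import Dict

# Constructed byte fragment standing in for the printable strings of an
# unstripped Go binary (assumption; not bytes from the Yurei sample). The
# module path is a placeholder, not the real Prince-Ransomware repository.
SAMPLE_BLOB = (
    b"\x00Go build ID: \"PLACEHOLDER-BUILD-ID\"\x00go1.21.5\x00"
    b"main.main\x00main.encryptFile\x00main.dropRansomNote\x00"
    b"github.com/placeholder-author/placeholder-ransomware/internal/crypt.Encrypt\x00"
    b"runtime.main\x00crypto/chacha20poly1305.New\x00"
)

_BUILD_ID = re.compile(rb'Go build ID: "([^"]+)"')
_GO_VERSION = re.compile(rb"\bgo1\.[0-9]+(?:\.[0-9]+)?\b")
_MAIN_FUNC = re.compile(rb"\bmain\.[A-Za-z_][A-Za-z0-9_]*")
_MODULE_PATH = re.compile(rb"\b(?:github|gitlab)\.com/[A-Za-z0-9_.\-]+/[A-Za-z0-9_.\-]+")


def triage_go_binary(blob: bytes) -> Dict[str, object]:
    """Extract provenance clues from a Go binary's printable strings.

    The build ID and toolchain version identify a Go build; main-package
    function names and third-party module paths are the readable symbols
    that an unstripped build leaves behind and that point back to the
    codebase the binary was derived from.
    """
    build_id = _BUILD_ID.search(blob)
    version = _GO_VERSION.search(blob)
    main_funcs = sorted({m.decode() for m in _MAIN_FUNC.findall(blob)})
    modules = sorted({m.decode() for m in _MODULE_PATH.findall(blob)})
    return {
        "is_go": build_id is not None or version is not None,
        "build_id": build_id.group(1).decode() if build_id else None,
        "go_version": version.group(0).decode() if version else None,
        "main_functions": main_funcs,
        "module_paths": modules,
        "symbols_present": bool(main_funcs or modules),
    }


def load_and_triage(path: str) -> Dict[str, object]:
    """Read a file from disk and run the same triage over its bytes."""
    with open(path, "rb") as fh:
        return triage_go_binary(fh.read())


if __name__ == "__main__":
    for key, value in triage_go_binary(SAMPLE_BLOB).items():
        print(f"{key}: {value}")
```

Running it on a real file via `load_and_triage("/path/to/sample")` gives the same dictionary; compare the reported function names and module paths against a known open-source project's to see how far the "new" family has actually diverged.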
A Flawed but Dangerous Tool
Yurei’s ransomware isn’t perfect. The malware contains a weakness: on some systems, Windows Shadow Copies may allow victims to partially recover data. This mistake reflects both the risks of relying on recycled code and the attackers’ limited technical expertise.
But the flaw doesn’t blunt Yurei’s impact. Because the group’s primary extortion method relies on data theft and exposure, even partial file recovery does little to reduce their leverage over victims. In the end, the threat of confidential information being published is often more damaging than encrypted files alone.
Early Signs of Expansion
From its first sighting on September 5 to three confirmed victims by September 9, Yurei is showing signs of ambition. The speed of these attacks suggests the group may be testing its tools, refining its extortion tactics, and actively recruiting affiliates or partners.
While attribution in cyber crime is never straightforward, CPR’s investigation uncovered hints pointing to Morocco as a possible origin for the group. This detail, though unconfirmed, underlines how ransomware is no longer limited to a handful of highly skilled operators in specific regions; it can emerge anywhere, from anyone with internet access and enough determination.
Why Yurei Matters
Yurei isn’t the biggest ransomware group. It isn’t the most sophisticated either. But its emergence is important for three reasons:
- Lower Barriers, More Criminals: Open-source ransomware projects like Prince-Ransomware make it possible for even inexperienced attackers to launch operations. Yurei demonstrates how quickly this can turn into real-world impact.
- Data Theft First, Encryption Second: Modern ransomware groups are shifting toward data extortion as the main weapon. Encryption flaws don’t matter much when stolen information can be leaked to damage reputations and operations.
- Global Reach from Day One: With victims already in three different countries, Yurei proves that geography is no barrier. Small or large, local or global, organizations everywhere are potential targets.
Staying Protected
The rise of Yurei reminds us that ransomware doesn’t need to be cutting-edge to be effective. Businesses of all sizes must take steps to defend against data theft and encryption threats.
What Security Leaders Can Do Now
Staying ahead of ransomware in 2025 requires more than patching and perimeter defense. Based on our intelligence, we recommend:
- Adopt a connected security architecture that integrates endpoint, network, and identity protection, especially across hybrid and multi-cloud environments.
- Deploy anti-phishing at scale, including user awareness, email scanning, and behavioral analytics that can detect AI-generated lures.
- Use deception and threat hunting to expose affiliate activity and lateral movement early in the attack chain.
- Segment your backups and test recovery regularly. Don’t assume immunity based on policy or past success.