Emerging in early September 2025, the Yurei ransomware has swiftly drawn attention for its novel combination of Go-based execution and ChaCha20 encryption.<\/p>\n
First documented on September 5 when a Sri Lankan food manufacturer fell victim, the threat actor behind Yurei adopted a double-extortion model: encrypting files while exfiltrating sensitive data<\/a> for additional leverage.<\/p>\n Within days, two more victims in India and Nigeria were publicly listed, underscoring the operator\u2019s rapid expansion.<\/p>\n Unlike many sophisticated groups that develop custom toolsets, Yurei\u2019s codebase traces back to the open-source Prince-Ransomware project, raising questions about the skill level and resources of the attackers.<\/p>\n At its core, Yurei leverages Go\u2019s concurrency features to enumerate all drives in parallel and encrypt files with the ChaCha20 algorithm.<\/p>\n For each file, a new random ChaCha20 key and nonce are generated, then encrypted using ECIES with the attacker\u2019s public key.<\/p>\n The resulting ciphertext, key, and nonce are concatenated with delimiters:-<\/p>\n Check Point researchers noted<\/a> that Yurei retains symbols in the binary, a mistake inherited from the Prince-Ransomware builder, which did not strip debugging information.<\/p>\n This oversight provided analysts with clear function names such as Despite this, Yurei\u2019s use of Go complicates detection for some legacy antivirus products, illustrating how language choice can impact defensive measures<\/a>.<\/p>\n Following successful encryption, Yurei attempts to set a custom wallpaper via PowerShell<\/a>, though the absence of a valid URL causes the command to fail, resulting in a blank background.<\/p>\n The embedded PowerShell snippet mirrors that of its Prince-Ransomware predecessor:-<\/p>\n In the context of defensive strategies, Yurei\u2019s failure to remove Volume Shadow Copies reveals a critical weakness.<\/p>\n Organizations with VSS enabled can recover files without paying ransom, although leaked data remains at risk.<\/p>\n The combination of rapid encryption, data exfiltration<\/a>, and half-baked persistence techniques reflects a low-effort but effective operation.<\/p>\n As Yurei continues targeting diverse sectors, security teams are urged to monitor for the distinct file extension The post New Yurei Ransomware With PowerShell Commands Encrypts Files With ChaCha20 Algorithm<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n\/\/ Generate random key and nonce\nkey := generateChaCha20Key()\nnonce := generateNonce()\n\/\/ Encrypt file content\nencryptedData := chaCha20Encrypt(content, key, nonce)\n\/\/ Protect key and nonce with ECIES\nprotectedKey := eciesEncrypt(key, publicKey)\nprotectedNonce := eciesEncrypt(nonce, publicKey)\n\/\/ Store encrypted file\nstore := protectedKey + \"||\" + protectedNonce + \"||\" + encryptedData<\/code><\/pre>\nYurei_encryption_generateKey<\/code> and Yurei_filewalker_EncryptAllDrivesAndNetwork<\/code>, streamlining the reverse-engineering process.<\/p>\nShadow Copy Recovery and Defensive Implications<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjeInJJEKhex4oaK_obvFeIwl_1uZTEaECxWBh9Oj1q2w7_IYClZu-H086Rguc3ZBg327S2RNlsmqApXpzNcQcKes0wEV89DkdFvfaUEbKAMQ0hG8hx2qppn7sthTnFKao-zJpfYfjt-pnWH0jZdd1UHUQFt1CFgoBTad28plCtdxO144C8K36lW5pU01Q\/s16000\/Yurei%2520ransomware%2520site%2520on%2520September%25205%2520%28Source%2520-%2520Check%2520Point%29.webp?ssl=1\")
(New-Object System.Net.WebClient).DownloadFile('<WallpaperURL>', \"$env:TEMPWallpaper.png\")\nAdd-Type -TypeDefinition @\"\nusing System;\nusing System.Runtime.InteropServices;\npublic class Wallpaper {\n [DllImport(\"user32.dll\", CharSet=CharSet.Auto)]\n public static extern bool SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni);\n}\n\"@\n[Wallpaper]::SystemParametersInfo(20, 0, \"$env:TEMPWallpaper.png\", 3)<\/code><\/pre>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiR32UaMG8Yc82HV0VlIw5IMTs8RWE9OrAHwWes95VJc77dwjwIw1CjQs-Yst1hzpDLkBs6VzMBFHJfJ13njhJ5IQCnf_WTeDoOl5Z7ulJUjGy0N_xkCJIEYT3jrw68P7e2qU_Y007CEX0gvCfuoZTvDVfnIWnZECLCQqgzTk2cBggw3SPFdEp4vJOaM4Q\/s16000\/Ransom%2520note%2520%28Source%2520-%2520Check%2520Point%29.webp?ssl=1\")
.Yurei<\/code>, enforce strict egress controls, and validate VSS snapshots to mitigate the impact of this emerging threat.<\/p>\nBoost\u00a0your\u00a0SOC and help your team protect your business with free top-notch threat intelligence:\u00a0Request TI Lookup Premium Trial<\/a>.<\/code><\/strong><\/p>\n