Analysis of Encryption Structure of Yurei Ransomware Go-based Builder

Nov. 14, 2025, 12:46 p.m.

Description

The Yurei ransomware group, first identified in September 2025, employs a typical ransomware operation model targeting corporate networks. Their attacks have affected Sri Lanka and Nigeria, focusing on the transportation, IT, marketing, and food industries. The ransomware, developed in Go, uses ChaCha20-Poly1305 for file encryption and secp256k1-ECIES to protect the file keys. It excludes specific directories, extensions, and files from encryption so that the system remains functional. The encryption process generates a unique key and nonce for each file; because each per-file key is wrapped with ECIES under the attacker's public key, only the holder of the corresponding private key (the threat actor) can decrypt the data. The ransom note threatens data leaks and regulatory notifications if demands are not met within five days.

Date

  • Created: Nov. 14, 2025, 12:16 p.m.
  • Published: Nov. 14, 2025, 12:16 p.m.
  • Modified: Nov. 14, 2025, 12:46 p.m.

Indicators

  • 1ea37e077e6b2463b8440065d5110377e2b4b4283ce9849ac5efad6d664a8e9e

Attack Patterns

Additional Information

  • Food
  • Technology
  • Media
  • Transportation
  • Nigeria
  • Sri Lanka