Discovery Enum
- Everything.exe
- SoftPerfect NetScan
Yurei is a ransomware family first observed in early September 2025.
Profile source: Mallory opens in a new tabYurei
Yurei is a ransomware family first observed in early September 2025. It is described as a new Go-based ransomware strain that encrypts victim data using a combination of algorithms, appends the .Yurei extension to encrypted files, and drops a ransom note named _README_Yurei.txt. The note identifies the operation as "Yurei" and indicates a double-extortion model, claiming the attackers compromised part or all of the victim company’s internal infrastructure, wiped accessible virtual and physical backups, and exfiltrated a large amount of corporate data before encryption. The note also offers test decryption, directs victims to negotiate via the Tor site fewcriet5rhoy66k6c4cyvb2pqrblxtx4mekj3s5l4jjt4t4kn4vheyd[.]onion, asks victims to disclose active cyber insurance, and claims operations can be restored within approximately 24 hours after payment.
Reported targeting is broad and appears focused on English-speaking victims globally. The malware targets common high-value file types including documents, databases, images, audio, video, disk images, and archives. Reported or suspected intrusion and delivery vectors include insecure RDP configurations, phishing or spam emails with malicious attachments, deceptive downloads, botnets, exploits, malicious advertising, web injects, fake updates, and trojanized or repacked installers. The associated malware filename is Yurei.exe, with likely file locations including the Desktop, user folders, and %TEMP%.
The referenced sample had low prevalence at the time of reporting and was not identified by ID Ransomware. Reported sample hashes are MD5 425d28263b9cea66a259a86f0fca620f, SHA-1 95cb337dbb1f77fa8fb1b823f62e6419e92625f8, SHA-256 49c720758b8a87e42829ffb38a0d7fe2a8c36dc3007abfabbea76155185d2902, and imphash d42595b695fc008ef2c56aabd8efd68e. Multiple vendors detected the sample as ransomware or generic file-encrypting malware, including DrWeb, BitDefender, ESET-NOD32, Kaspersky, Malwarebytes, Microsoft, Rising, Tencent, and Trend Micro. No email contact address or Bitcoin wallet address was listed in the available reporting.
Ransomware.live
MITRE ATT&CK
Reporting
“Minimal-activity Groups… such as … Yurei each registered one incident.”
Yurei ransomware: AhnLab has published a technical analysis of Yurei, a new Go-based ransomware strain.
Yurei Ransomware ... Этот крипто-вымогатель шифрует данные пользователей с помощью комбинации алгоритмов ... Активность этого крипто-вымогателя была в начале сентября 2025 г.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.