Yurei
Yurei is a ransomware family first observed in early September 2025. It is described as a new Go-based ransomware strain that encrypts victim data using a combination of algorithms, appends the .Yurei extension to encrypted files, and drops a ransom note named _README_Yurei.txt. The note identifies the operation as "Yurei" and indicates a double-extortion model: it claims the attackers compromised part or all of the victim company's internal infrastructure, wiped accessible virtual and physical backups, and exfiltrated a large amount of corporate data before encryption. The note also offers test decryption, directs victims to negotiate via the Tor site fewcriet5rhoy66k6c4cyvb2pqrblxtx4mekj3s5l4jjt4t4kn4vheyd[.]onion, asks victims to disclose any active cyber insurance, and claims operations can be restored within approximately 24 hours of payment.
Reported targeting is broad and appears focused on English-speaking victims globally. The malware targets common high-value file types, including documents, databases, images, audio, video, disk images, and archives. Reported or suspected intrusion and delivery vectors include insecure RDP configurations, phishing or spam emails with malicious attachments, deceptive downloads, botnets, exploits, malicious advertising, web injects, fake updates, and trojanized or repacked installers. The associated malware filename is Yurei.exe, with likely file locations including the Desktop, user folders, and %TEMP%.
The referenced sample had low prevalence at the time of reporting and was not identified by ID Ransomware. Reported sample hashes are MD5 425d28263b9cea66a259a86f0fca620f, SHA-1 95cb337dbb1f77fa8fb1b823f62e6419e92625f8, SHA-256 49c720758b8a87e42829ffb38a0d7fe2a8c36dc3007abfabbea76155185d2902, and imphash d42595b695fc008ef2c56aabd8efd68e. Multiple vendors detected the sample as ransomware or generic file-encrypting malware, including DrWeb, BitDefender, ESET-NOD32, Kaspersky, Malwarebytes, Microsoft, Rising, Tencent, and Trend Micro. No email contact address or Bitcoin wallet address was listed in the available reporting.
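An added host-triage example, not taken from the reporting above or from any vendor tool: it walks a directory tree for the three file-level indicators the write-up names (the .Yurei extension, the _README_Yurei.txt note, and the reported SHA-256) and runs over a constructed sample tree rather than real victim data.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File-level indicators reported for this family (from the description above).
YUREI_EXTENSION = ".Yurei"
YUREI_NOTE_NAME = "_README_Yurei.txt"
YUREI_SHA256 = {"49c720758b8a87e42829ffb38a0d7fe2a8c36dc3007abfabbea76155185d2902"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_tree(root: Path) -> dict:
    """Collect encrypted-file names, ransom notes and hash matches under root (sorted for stable output)."""
    findings = {"encrypted_files": [], "ransom_notes": [], "hash_matches": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if name == YUREI_NOTE_NAME:
                findings["ransom_notes"].append(str(p))
            if name.endswith(YUREI_EXTENSION):
                findings["encrypted_files"].append(str(p))
            if sha256_of(p) in YUREI_SHA256:  # only a real copy of the sample matches
                findings["hash_matches"].append(str(p))
    return {k: sorted(v) for k, v in findings.items()}


def verdict(findings: dict) -> str:
    """Note plus renamed files is the family's visible footprint; a hash hit means the binary itself is present."""
    if findings["hash_matches"]:
        return "yurei_binary_present"
    if findings["ransom_notes"] and findings["encrypted_files"]:
        return "yurei_encryption_footprint"
    return "no_yurei_indicators"


def build_sample_tree() -> Path:
    """Constructed sample data (not real artifacts): two renamed files, one note, one clean file."""
    root = Path(tempfile.mkdtemp(prefix="yurei_triage_"))
    (root / "docs").mkdir()
    (root / "docs" / "budget.xlsx.Yurei").write_bytes(b"\x00\x11\x22")
    (root / "docs" / YUREI_NOTE_NAME).write_text("constructed note placeholder")
    (root / "photo.jpg.Yurei").write_bytes(b"\x33\x44")
    (root / "notes.txt").write_text("clean file")
    return root


if __name__ == "__main__":
    f = triage_tree(build_sample_tree())
    print(verdict(f), f)
```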
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Minimal-activity ransomware brand referenced as part of the long-tail of operators.
Yurei is a new ransomware strain written in Go, designed to encrypt files and demand payment for decryption.
Ransomware that encrypts user and corporate data, appends the .Yurei extension, drops a ransom note named _README_Yurei.txt, claims backup deletion and data exfiltration, and demands payment for decryption.