# Full Report
Active since September 2025, Yurei is a double extortion ransomware campaign. The operators run their own Tor data leak site, which listed a low number of victims at the time of writing. Yurei is reportedly derived from Prince Ransomware, an open-source ransomware family written in Go. Check Point researchers noted that all samples were first submitted to VirusTotal from Morocco, and that one sample did not include a ticket ID, indicating that it could be a test build, possibly uploaded by the developer themselves. The samples also suggest a link to SatanLockv2: the PDB path string “D:\satanlockv2” is present in the Yurei samples.
# Analysis Summary
# Tool/Technique: Yurei Ransomware
## Overview
Yurei is a double-extortion ransomware campaign active since at least September 2025. It utilizes a dedicated Tor data leak site to pressure victims into paying ransoms. The malware is a variant of the open-source **Prince Ransomware** family and features "Stranger Things"-themed naming conventions (e.g., Vecna, StrangerThings) within its operator toolkit.
## Technical Details
- **Type:** Ransomware Family (Double Extortion)
- **Platform:** Windows
- **Capabilities:** File encryption, credential theft, lateral movement, security software disabling, and shadow copy deletion.
- **First Seen:** September 2025
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1078 - Valid Accounts] (Stolen credentials from infostealer logs)
- **[TA0007 - Discovery]**
  - [T1046 - Network Service Discovery] (Using NetScan and NetExec)
  - [T1083 - File and Directory Discovery] (Using Everything.exe)
- **[TA0006 - Credential Access]**
  - [T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting] (Using Rubeus)
  - [T1550.002 - Use Alternate Authentication Material: Pass the Hash] (Using Invoke-TheHash)
- **[TA0005 - Defense Evasion]**
  - [T1562.001 - Impair Defenses: Disable or Modify Tools] (Disabling Windows Defender via scripts)
- **[TA0040 - Impact]**
  - [T1486 - Data Encrypted for Impact] (Ransomware execution)
  - [T1490 - Inhibit System Recovery] (Deletion of Volume Shadow Copies)
## Functionality
### Core Capabilities
- **Go-Based Encryption:** Derived from the open-source Prince Ransomware written in the Go programming language.
- **Double Extortion:** Exfiltrates data to a Tor-based leak site before encrypting the host files.
- **Inhibiting Recovery:** Uses `vssadmin` to delete shadow copies and modifies the Registry to disable System Restore.
### Advanced Features
- **Sophisticated Evasion:** Employs a custom script (`FixingIssues2.ps1`) that excludes the entire C:\ drive and core system processes from Windows Defender monitoring.
- **Lateral Movement Toolkit:** Integrates legitimate tools like AnyDesk for persistence and NetExec for internal reconnaissance.
## Indicators of Compromise
- **File Hashes (SHA256):**
  - `4f88d3977a24fb160fc3ba69821287a197ae9b04493d705dc2fe939442ba6461` (StrangerThings.exe)
  - `1facf7cdd94eed0a8a11b30f4237699385b20578339c68df01e542d772ccbce5` (Host_Discovery.ps1)
  - `ebfe75ab3223b036a4b886d497f2b172425b3e63890d485c99353773d4c436ea` (FixingIssues2.ps1)
  - `26f51df1a12230b6bb583f3003c102a79106b049f89d9b9d43c6e85e072bd99e` (Vecna.ps1)
- **File Names:**
  - `StrangerThings.exe`
  - `Vecna.ps1`
  - `FixingIssues2.ps1`
  - `nxc.exe`
- **Network Indicators:**
  - `44[.]210.101.86` (C2/Open Directory)
  - `44[.]223.40.182` (C2/Open Directory)
## Associated Threat Actors
- **Unknown (Uncategorized):** Currently linked to developers/operators potentially operating from **Morocco**, based on VirusTotal submission telemetry.
## Detection Methods
- **Signature-based:** Detection of the PDB path `D:\satanlockv2` and specific file hashes listed above.
- **Behavioral detection:**
  - Monitoring for high-volume file rename/encryption activity.
  - Alerting on the command line `vssadmin delete shadows /all /quiet`.
  - Detecting PowerShell scripts that attempt to modify Windows Defender exclusion lists.
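The three behavioral detections and the PDB-string signature above, implemented as a small detection pass over process-creation and file-rename telemetry. This is an added example, not code from the report or from any vendor's product. The log records are constructed to resemble Windows process-creation events (Security 4688 / Sysmon Event ID 1) and file-rename events; the field names `Image`, `CommandLine`, `ProcessId` and `Time` are assumptions. `Add-MpPreference` / `Set-MpPreference` are the real Defender cmdlets for exclusion changes, but the exact command form used by `FixingIssues2.ps1` is not given in the report, so the whole-drive pattern below is an assumption about how a C:\ exclusion would appear on a command line.

```python
"""Detection heuristics for the Yurei behaviours named in this report.

Added example, not part of the report. The log records are constructed to
resemble Windows process-creation telemetry (Security 4688 / Sysmon Event
ID 1) and file-rename events; the field names are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque

# T1490: the command line the report lists. "/all /quiet" is the
# highest-confidence form, but any "delete shadows" deserves an alert.
VSSADMIN_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)

# T1562.001: PowerShell changing Defender exclusion lists through the real
# Add-MpPreference / Set-MpPreference cmdlets. A bare drive letter as the
# excluded path is the whole-drive exclusion the report describes (assumed form).
EXCLUSION_CHANGE = re.compile(
    r"(?:Add|Set)-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE)
WHOLE_DRIVE = re.compile(r"""-ExclusionPath\s+['"]?[A-Za-z]:\\?['"]?(?:\s|$)""", re.IGNORECASE)

# File names from the report's IoC list (lower-cased for matching).
IOC_NAMES = {"strangerthings.exe", "vecna.ps1", "fixingissues2.ps1",
             "host_discovery.ps1", "nxc.exe"}

# Signature: the PDB path string shared with SatanLockv2, as given in the report.
PDB_MARKER = b"D:\\satanlockv2"


def classify_process_event(event: dict) -> list[str]:
    """Return the alert names one process-creation event triggers (possibly none)."""
    alerts: list[str] = []
    cmd = event.get("CommandLine", "")
    if VSSADMIN_DELETE.search(cmd):
        alerts.append("T1490 shadow copy deletion")
    if EXCLUSION_CHANGE.search(cmd):
        alerts.append("T1562.001 Defender exclusion change")
        if WHOLE_DRIVE.search(cmd):
            alerts.append("T1562.001 whole-drive Defender exclusion")
    haystack = (event.get("Image", "") + " " + cmd).lower()
    for name in sorted(IOC_NAMES):
        if name in haystack:
            alerts.append(f"IoC file name: {name}")
    return alerts


def rename_bursts(events: list[dict], window_s: float = 10.0,
                  threshold: int = 50) -> dict[int, str]:
    """Flag processes that rename >= threshold files within any window_s seconds.

    Sliding window of timestamps per ProcessId; returns {ProcessId: Image}.
    """
    recent: dict[int, deque] = defaultdict(deque)
    flagged: dict[int, str] = {}
    for ev in sorted(events, key=lambda e: e["Time"]):
        pid = ev["ProcessId"]
        q = recent[pid]
        q.append(ev["Time"])
        while q and ev["Time"] - q[0] > window_s:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and pid not in flagged:
            flagged[pid] = ev["Image"]
    return flagged


def has_pdb_marker(data: bytes) -> bool:
    """Signature check: does a file body carry the SatanLockv2 PDB path string?"""
    return PDB_MARKER.lower() in data.lower()


# --- constructed sample telemetry (not real logs) ---
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ProcessId": 4120,
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"Image": PS, "ProcessId": 4300,
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File FixingIssues2.ps1"},
    {"Image": PS, "ProcessId": 4310,
     "CommandLine": "powershell -Command Add-MpPreference -ExclusionPath 'C:\\'"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ProcessId": 900,
     "CommandLine": "svchost.exe -k netsvcs"},
]
# Sixty renames in six seconds by one process, five slow renames by another.
SAMPLE_RENAME_EVENTS = (
    [{"Time": i * 0.1, "ProcessId": 4400, "Image": "StrangerThings.exe"} for i in range(60)]
    + [{"Time": 1.0 + i, "ProcessId": 777, "Image": "explorer.exe"} for i in range(5)]
)
# Constructed stand-in for a binary body; only the PDB path string comes from the report.
SAMPLE_BINARY = b"MZ\x90\x00" + b"\x00" * 32 + b"RSDS" + b"D:\\satanlockv2\\build.pdb\x00"


if __name__ == "__main__":
    for ev in SAMPLE_PROCESS_EVENTS:
        print(ev["ProcessId"], classify_process_event(ev))
    print("rename bursts:", rename_bursts(SAMPLE_RENAME_EVENTS))
    print("PDB marker present:", has_pdb_marker(SAMPLE_BINARY))
```

The rename-burst threshold and window are starting points, not tuned values: backup agents and archivers also rename many files quickly, so in production the count should be baselined per host and combined with the other signals (a preceding `vssadmin` call or exclusion change from the same session) before paging anyone.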
## Mitigation Strategies
- **Endpoint Hardening:** Implement Tamper Protection in Windows Defender to prevent scripts from disabling security features.
- **Credential Protection:** Enforce Multi-Factor Authentication (MFA) to mitigate the risk of stolen credentials identified in infostealer logs.
- **Access Control:** Restrict the use of remote desktop tools like AnyDesk and administrative tools like PsExec or NetExec to authorized personnel only.
- **Offline Backups:** Maintain immutable, off-site backups to recover from encryption without paying the ransom.
## Related Tools/Techniques
- **Prince Ransomware:** The open-source Go-based predecessor.
- **SatanLockv2:** A related ransomware family identified via shared PDB strings.
- **SoftPerfect NetScan / Rubeus / winPEAS:** Legitimate and "red team" tools utilized by the operator for post-exploitation.