When attacking an enterprise, the Yurei ransomware enumerates all drives and, working on each drive in parallel, encrypts files and appends a .Yurei extension, the security firms said. For each file, Yurei generates a random ChaCha20 key and a random nonce, encrypts the file's contents with ChaCha20, and then encrypts that key and nonce with ECIES under the attacker's public key, so the file key can only be recovered by whoever holds the matching private key.
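To make that key handling concrete, the following is an added example (my own illustration, not code from Yurei or Prince-Ransomware) of the hybrid scheme just described: each file gets its own random ChaCha20 key and nonce, only that 44-byte key||nonce pair is encrypted under the attacker's public key, and so recovering any file requires the attacker's private key. The reports do not say which curve, KDF, MAC or on-disk layout Yurei uses; X25519, SHA-256, HMAC-SHA256 and the header format below are assumptions, and the ChaCha20 and X25519 implementations are pure Python so the script runs offline (they are not constant-time and are for study only).

```python
"""Hybrid per-file encryption of the kind described above: a fresh ChaCha20 key
and nonce per file, with that key||nonce pair wrapped under the attacker's public
key in an ECIES-style construction.  Added illustration, not Yurei/Prince code.
Assumed: X25519 for key agreement, SHA-256 as KDF, HMAC-SHA256 as MAC, and the
header layout; the primitives are pure Python (not constant-time) to run offline."""
import hashlib, hmac, os, struct

# --- ChaCha20 (RFC 8439) ---------------------------------------------------
def _rotl(v, c):
    return ((v << c) & 0xFFFFFFFF) | (v >> (32 - c))

def _qr(s, a, b, c, d):  # quarter round on four words of the state
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block from a 32-byte key, 32-bit counter, 12-byte nonce."""
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    s = init[:]
    for _ in range(10):  # 20 rounds as 10 column+diagonal double rounds
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & 0xFFFFFFFF for x, y in zip(s, init)])

def chacha20_xor(key, nonce, data, counter=0):
    """Keystream XOR; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)

# --- X25519 (RFC 7748), the key agreement inside the ECIES wrap -----------
_P = 2 ** 255 - 19
BASEPOINT = (9).to_bytes(32, "little")

def x25519(scalar, u):
    k = bytearray(scalar); k[0] &= 248; k[31] &= 127; k[31] |= 64  # clamp
    k, x1 = int.from_bytes(k, "little"), int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):  # Montgomery ladder over the scalar bits
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e, c, d = (aa - bb) % _P, (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3, z3 = (da + cb) ** 2 % _P, x1 * (da - cb) ** 2 % _P
        x2, z2 = aa * bb % _P, e * (aa + 121665 * e) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")

def attacker_keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)

# --- ECIES-style wrap: ephemeral ECDH -> KDF -> encrypt -> MAC ------------
def _derive(shared, eph_pub, recip_pub):  # KDF assumption: domain-separated SHA-256
    ikm = shared + eph_pub + recip_pub
    return hashlib.sha256(b"enc" + ikm).digest(), hashlib.sha256(b"mac" + ikm).digest()

def ecies_wrap(recip_pub, secret):
    eph_priv = os.urandom(32)
    eph_pub = x25519(eph_priv, BASEPOINT)
    enc_key, mac_key = _derive(x25519(eph_priv, recip_pub), eph_pub, recip_pub)
    ct = chacha20_xor(enc_key, bytes(12), secret)  # enc_key is one-time, so a zero nonce is safe
    return eph_pub + ct + hmac.new(mac_key, eph_pub + ct, hashlib.sha256).digest()

def ecies_unwrap(recip_priv, blob, secret_len):
    eph_pub, ct, tag = blob[:32], blob[32:32 + secret_len], blob[32 + secret_len:]
    recip_pub = x25519(recip_priv, BASEPOINT)
    enc_key, mac_key = _derive(x25519(recip_priv, eph_pub), eph_pub, recip_pub)
    if not hmac.compare_digest(tag, hmac.new(mac_key, eph_pub + ct, hashlib.sha256).digest()):
        raise ValueError("wrong private key or damaged header")
    return chacha20_xor(enc_key, bytes(12), ct)

# --- Assumed file layout: [eph_pub 32][wrapped key||nonce 44][tag 32][ChaCha20 body]
HEADER_LEN = 32 + 44 + 32

def encrypt_file_bytes(attacker_pub, plaintext):
    file_key, file_nonce = os.urandom(32), os.urandom(12)  # fresh for every file
    return ecies_wrap(attacker_pub, file_key + file_nonce) + chacha20_xor(file_key, file_nonce, plaintext)

def decrypt_file_bytes(attacker_priv, blob):
    """Only the holder of the attacker's private key can unwrap the file key."""
    secret = ecies_unwrap(attacker_priv, blob[:HEADER_LEN], 44)
    return chacha20_xor(secret[:32], secret[32:], blob[HEADER_LEN:])
```

Two properties worth noticing when running it: encrypting the same input twice produces different output because the key and nonce are fresh each time, and decrypt_file_bytes with any private key other than the attacker's fails the MAC check instead of silently returning garbage. Nothing on the victim host, other than the file key caught in memory during encryption, lets a responder reverse this without the attacker's private key.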
It then attempts to set a desktop wallpaper, but because Yurei's developer forgot to supply the URL from which the wallpaper image is fetched, the victim sees only a plain, solid-color background (black, for example) rather than a ransom note. Once the initial encryption pass is complete, the malware enters a routine that continuously watches for newly attached network drives and encrypts those as well. Yurei then provides the victim with a .onion page for further communication and price negotiation, Check Point Research said in its report.
Open-source code fuels fast entry
Yurei is built almost entirely on the open-source Prince-Ransomware code, which is written in Go, with only a few modifications. This was straightforward to establish because the threat actor did not strip symbols from the binary, so the original function and module names were preserved. The same ransomware codebase has already been used in campaigns by other actors, such as CrazyHunter, as Check Point Research identified.
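As a triage aid for the point about unstripped symbols, the following added example (mine, not tooling from the Check Point report) reads the COFF file header of a Windows PE image and reports whether a symbol table is present, which is what go build leaves in place unless it is built with -ldflags=-s. It also scans for Go-style package-qualified names such as main.<func>, because Go records function names in its pclntab and they remain readable even after the symbol table is stripped, so a stripped build would have slowed this attribution rather than prevented it. The in-memory PE images and the function names inside them are constructed for the demo; on a real sample, pass the file's bytes to coff_symbol_table and go_function_names instead.

```python
"""Triage check for whether a Windows (PE) Go binary still carries its symbol
table, the property that let analysts read Prince-Ransomware function and module
names out of Yurei.  Added example, not tooling from the report.  Assumed:
standard PE/COFF header semantics (a stripped image has PointerToSymbolTable and
NumberOfSymbols set to zero, which is what Go's -ldflags=-s produces); the PE
images below are constructed in memory rather than read from a real sample."""
import re, struct

def coff_symbol_table(image):
    """Return (PointerToSymbolTable, NumberOfSymbols), or None if image is not a PE."""
    if image[:2] != b"MZ" or len(image) < 0x40:
        return None
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0" or len(image) < pe_off + 24:
        return None
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    fields = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    return fields[3], fields[4]

def is_stripped(image):
    """True when the COFF symbol table is absent (go build -ldflags=-s, or a later strip)."""
    info = coff_symbol_table(image)
    if info is None:
        raise ValueError("not a PE image")
    return info[1] == 0

# Go writes function names into its pclntab, so package-qualified names such as
# main.<func> stay readable even after the symbol table is stripped.
_GO_NAME = re.compile(rb"\b(?:main|runtime)\.[A-Za-z_][A-Za-z0-9_.]*")

def go_function_names(image):
    return sorted({m.group().decode() for m in _GO_NAME.finditer(image)})

def build_sample_pe(sym_count, names):
    """Constructed minimal PE: DOS header pointing at the PE signature, a COFF
    header, then NUL-separated strings standing in for pclntab contents."""
    pe_off = 0x40
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0x200 if sym_count else 0, sym_count, 0, 0x22)
    return dos + b"PE\0\0" + coff + b"\0" + b"\0".join(names)

# Constructed samples: the names are placeholders, not Yurei's real symbols.
UNSTRIPPED = build_sample_pe(1200, [b"main.main", b"main.worker", b"runtime.newproc"])
STRIPPED = build_sample_pe(0, [b"main.main", b"main.worker", b"runtime.newproc"])
```

On a real binary, go tool nm gives the same answer as coff_symbol_table (it prints nothing useful for a stripped image), while the name scan is the quick way to see how much a stripped Go sample still gives away.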