Find notable cyber news and cases, enriched with sources, timelines, and signals.

Yurei ransomware double-extortion operation

Malware Activity
First reported
Last updated
Happening score
H score 33
1 unique sources, 1 articles

Summary

Hide ▲

A new ransomware operation has emerged using a modified Prince-Ransomware binary to run double-extortion attacks, and it has already claimed multiple victims. The malware is written in Go, which helps it cross-compile and may make detection harder for some defenses. A flaw in the sample leaves Windows VSS shadow copies intact, giving some victims a path to partial recovery.

Related Happenings

Vect ransomware flawed ChaCha20 implementation destroys large files

Technical Analysis
H score4 First: 29.04.2026 13:45 Last: 29.04.2026 13:45 Sources 1

About this happening: **Vect 2.0 ransomware** was shown to use **raw ChaCha20-IETF (RFC 8439)** without authentication, causing files above **128 KB** to be permanently destroyed across **Windows, Linu...

VECT 2.0 ransomware-branded file destruction malware

Malware Activity
H score4 First: 28.04.2026 17:01 Last: 28.04.2026 17:01 Sources 1

About this happening: The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...

Sicarii ransomware per-execution RSA key generation breaks decryption

Malware Activity
H score31 First: 28.01.2026 00:15 Last: 28.01.2026 00:15 Sources 1

About this happening: The **Sicarii ransomware** now stands out for a **broken decryption process** that generates a new **RSA key pair** on each execution and discards the private key, leaving victims...

Gentlemen ransomware operation using compromised credentials and exposed services

Malware Activity
H score18 First: 29.12.2025 16:26 Last: 29.12.2025 16:26 Sources 1

About this happening: **Gentlemen ransomware** is actively extorting victims by using **compromised credentials** and **Internet-exposed services** to enter networks. It encrypts files, drops **README-...

Ransomware-as-a-service ecosystem splinters into 85-group market in Q3 2025

Threat Actor Meta
H score40 First: 14.11.2025 12:37 Last: 14.11.2025 12:37 Sources 1

About this happening: **Q3 2025** marked a major **ransomware ecosystem** shift as **85 active groups** and **14 new brands** pushed the market toward fragmentation. The change raises risk because **fo...

Timeline

  1. 16.09.2025 11:53 1 articles · 9mo ago

    Yurei ransomware first observed with MidCity Marketing leak

    Initial Disclosure

    Yurei ransomware was first observed on Sept. 5, 2025 and targeted MidCity Marketing in Sri Lanka as its first known data-leak victim after an extortion attack exposed stolen company data.

    Show sources
  2. 16.09.2025 11:53 1 articles · 9mo ago

    Yurei ransomware expands to India and Nigeria victims

    Campaign Scope Update

    By Sept. 9, 2025, Yurei ransomware had added two more victims from India and Nigeria, showing that the early double-extortion campaign was spreading beyond the initial Sri Lanka case.

    Show sources
  3. 16.09.2025 11:53 2 articles · 9mo ago

    Yurei ransomware analysis exposes Prince-Ransomware base and VSS flaw

    Technical Analysis Update

    Check Point identified Yurei as a slightly modified Prince-Ransomware binary written in Go, noted that it does not delete Windows Volume Shadow Copy Service (VSS) shadow copies, and published indicators of compromise while advising organizations to keep VSS snapshots enabled for partial file recovery.

    Show sources