Yurei ransomware double-extortion operation
Malware Activity
Summary
Hide ▲
Show ▼
A new ransomware operation has emerged using a modified Prince-Ransomware binary to run double-extortion attacks, and it has already claimed multiple victims. The malware is written in Go, which helps it cross-compile and may make detection harder for some defenses. A flaw in the sample leaves Windows VSS shadow copies intact, giving some victims a path to partial recovery.
Related Happenings
Vect ransomware flawed ChaCha20 implementation destroys large files
Technical Analysis
H score4
First: 29.04.2026 13:45
Last: 29.04.2026 13:45
Sources 1
About this happening:
**Vect 2.0 ransomware** was shown to use **raw ChaCha20-IETF (RFC 8439)** without authentication, causing files above **128 KB** to be permanently destroyed across **Windows, Linu...
Vect ransomware flawed ChaCha20 implementation destroys large files
Technical AnalysisAbout this happening: **Vect 2.0 ransomware** was shown to use **raw ChaCha20-IETF (RFC 8439)** without authentication, causing files above **128 KB** to be permanently destroyed across **Windows, Linu...
VECT 2.0 ransomware-branded file destruction malware
Malware Activity
H score4
First: 28.04.2026 17:01
Last: 28.04.2026 17:01
Sources 1
About this happening:
The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...
VECT 2.0 ransomware-branded file destruction malware
Malware ActivityAbout this happening: The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...
Sicarii ransomware per-execution RSA key generation breaks decryption
Malware Activity
H score31
First: 28.01.2026 00:15
Last: 28.01.2026 00:15
Sources 1
About this happening:
The **Sicarii ransomware** now stands out for a **broken decryption process** that generates a new **RSA key pair** on each execution and discards the private key, leaving victims...
Sicarii ransomware per-execution RSA key generation breaks decryption
Malware ActivityAbout this happening: The **Sicarii ransomware** now stands out for a **broken decryption process** that generates a new **RSA key pair** on each execution and discards the private key, leaving victims...
Gentlemen ransomware operation using compromised credentials and exposed services
Malware Activity
H score18
First: 29.12.2025 16:26
Last: 29.12.2025 16:26
Sources 1
About this happening:
**Gentlemen ransomware** is actively extorting victims by using **compromised credentials** and **Internet-exposed services** to enter networks. It encrypts files, drops **README-...
Gentlemen ransomware operation using compromised credentials and exposed services
Malware ActivityAbout this happening: **Gentlemen ransomware** is actively extorting victims by using **compromised credentials** and **Internet-exposed services** to enter networks. It encrypts files, drops **README-...
Ransomware-as-a-service ecosystem splinters into 85-group market in Q3 2025
Threat Actor Meta
H score40
First: 14.11.2025 12:37
Last: 14.11.2025 12:37
Sources 1
About this happening:
**Q3 2025** marked a major **ransomware ecosystem** shift as **85 active groups** and **14 new brands** pushed the market toward fragmentation. The change raises risk because **fo...
Ransomware-as-a-service ecosystem splinters into 85-group market in Q3 2025
Threat Actor MetaAbout this happening: **Q3 2025** marked a major **ransomware ecosystem** shift as **85 active groups** and **14 new brands** pushed the market toward fragmentation. The change raises risk because **fo...
Timeline
-
16.09.2025 11:53 1 articles · 9mo ago
Yurei ransomware first observed with MidCity Marketing leak
Initial DisclosureYurei ransomware was first observed on Sept. 5, 2025 and targeted MidCity Marketing in Sri Lanka as its first known data-leak victim after an extortion attack exposed stolen company data.
Show sources
- Emerging Yurei Ransomware Claims First Victims — www.darkreading.com — 16.09.2025 11:53
-
16.09.2025 11:53 1 articles · 9mo ago
Yurei ransomware expands to India and Nigeria victims
Campaign Scope UpdateBy Sept. 9, 2025, Yurei ransomware had added two more victims from India and Nigeria, showing that the early double-extortion campaign was spreading beyond the initial Sri Lanka case.
Show sources
- Emerging Yurei Ransomware Claims First Victims — www.darkreading.com — 16.09.2025 11:53
-
16.09.2025 11:53 2 articles · 9mo ago
Yurei ransomware analysis exposes Prince-Ransomware base and VSS flaw
Technical Analysis UpdateCheck Point identified Yurei as a slightly modified Prince-Ransomware binary written in Go, noted that it does not delete Windows Volume Shadow Copy Service (VSS) shadow copies, and published indicators of compromise while advising organizations to keep VSS snapshots enabled for partial file recovery.
Show sources
- Emerging Yurei Ransomware Claims First Victims — www.darkreading.com — 16.09.2025 11:53
- Emerging Yurei Ransomware Claims First Victims — www.darkreading.com — 16.09.2025 11:53