
Yurei ransomware double-extortion operation

Malware Activity
H score 39
1 unique source, 1 article

Summary


A new ransomware operation has emerged using a modified Prince-Ransomware binary to run double-extortion attacks, and it has already claimed multiple victims. The malware is written in Go, which helps it cross-compile and may make detection harder for some defenses. A flaw in the sample leaves Windows VSS shadow copies intact, giving some victims a path to partial recovery.

Related Happenings

Vect ransomware flawed ChaCha20 implementation destroys large files

Technical Analysis
First: 29.04.2026 13:45 Last: 29.04.2026 13:45 Sources 1

About this happening: **Vect 2.0 ransomware** was shown to use **raw ChaCha20-IETF (RFC 8439)** without authentication, causing files above **128 KB** to be permanently destroyed across **Windows, Linu...

VECT 2.0 ransomware-branded file destruction malware

Malware Activity
First: 28.04.2026 17:01 Last: 28.04.2026 17:01 Sources 1

About this happening: The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...

Sicarii ransomware per-execution RSA key generation breaks decryption

Malware Activity
First: 28.01.2026 00:15 Last: 28.01.2026 00:15 Sources 1

About this happening: The **Sicarii ransomware** now stands out for a **broken decryption process** that generates a new **RSA key pair** on each execution and discards the private key, leaving victims...

Ransomware-as-a-service ecosystem splinters into 85-group market in Q3 2025

Threat Actor Meta
First: 14.11.2025 12:37 Last: 14.11.2025 12:37 Sources 1

About this happening: **Q3 2025** marked a major **ransomware ecosystem** shift as **85 active groups** and **14 new brands** pushed the market toward fragmentation. The change raises risk because **fo...

LockBit ransomware return with 5.0 and 3.0 attacks

Malware Activity
First: 24.10.2025 18:15 Last: 24.10.2025 18:15 Sources 1

About this happening: **LockBit** resurfaced in active **ransomware** operations in **September 2025**, with at least a dozen victims hit and a mix of **LockBit 5.0** and **LockBit 3.0/LockBit Black**...

Timeline

  1. 16.09.2025 11:53 · 1 article

    Yurei ransomware first observed with MidCity Marketing leak

    Initial Disclosure

    Yurei ransomware was first observed on Sept. 5, 2025 and targeted MidCity Marketing in Sri Lanka as its first known data-leak victim after an extortion attack exposed stolen company data.

  2. 16.09.2025 11:53 · 1 article

    Yurei ransomware expands to India and Nigeria victims

    Campaign Scope Update

    By Sept. 9, 2025, Yurei ransomware had added two more victims from India and Nigeria, showing that the early double-extortion campaign was spreading beyond the initial Sri Lanka case.

  3. 16.09.2025 11:53 · 2 articles

    Yurei ransomware analysis exposes Prince-Ransomware base and VSS flaw

    Technical Analysis Update

    Check Point identified Yurei as a slightly modified Prince-Ransomware binary written in Go, noted that it does not delete Windows Volume Shadow Copy Service (VSS) shadow copies, and published indicators of compromise while advising organizations to keep VSS snapshots enabled for partial file recovery.
