The newly emerged Go-based Yurei ransomware is being used in intrusions that covertly encrypt files on Windows systems, GBHackers News reports.
According to an analysis from Cyfirma, Yurei, first observed in an attack on a food manufacturer in Sri Lanka, rapidly encrypts files with the ChaCha20 algorithm and invokes PowerShell commands that delete Volume Shadow Copies, the backup catalog, and Windows event and system logs. It also creates CIM sessions and PSCredential objects and performs remote execution to enable lateral movement. Writable SMB shares are then continuously enumerated for self-propagation before the secureDelete, cleanTraces, and wipeMemory functions are executed.
Although its Go binary, encryption scheme, and lack of VSS-deletion deactivation resemble those of the open-source Prince ransomware, Yurei has been improved with parallel encryption. These findings point to the growing use of modified open-source kits in illicit cyber activity.
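The anti-recovery and lateral-movement behaviours described above (shadow copy, backup catalog and event log deletion; CIM sessions and PSCredential objects) are the kind of activity a defender can look for in PowerShell ScriptBlock logging. The following triage script is an added example, not code from Cyfirma or GBHackers: the regex patterns are assumptions about how such commands commonly appear in script block text rather than strings from the Yurei sample, and the sample log entries and the host name fs01 are constructed.

```python
import re
from typing import Dict, List

# Assumed detection patterns for the behaviours attributed to Yurei; these are
# generic command shapes, not indicators extracted from the malware itself.
RULES: Dict[str, "re.Pattern[str]"] = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|Win32_ShadowCopy", re.I),
    "backup_catalog_deletion": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "event_log_clearing": re.compile(r"wevtutil(\.exe)?\s+cl\b|Clear-EventLog", re.I),
    "remote_cim_session": re.compile(r"New-CimSession", re.I),
    "credential_object": re.compile(r"PSCredential", re.I),
}

# Rules that impair recovery; several in one script block is a strong signal.
ANTI_RECOVERY = {"shadow_copy_deletion", "backup_catalog_deletion", "event_log_clearing"}


def classify_block(script_text: str) -> List[str]:
    """Return the names of the rules matching one ScriptBlock text, in RULES order."""
    return [name for name, pattern in RULES.items() if pattern.search(script_text)]


def triage(blocks: List[str]) -> List[dict]:
    """Score each script block: 'high' when two or more anti-recovery actions
    appear together, or when a remote CIM session is paired with a crafted
    credential object; any other single match is 'medium'."""
    findings = []
    for idx, text in enumerate(blocks):
        hits = classify_block(text)
        if not hits:
            continue
        recovery_hits = len(ANTI_RECOVERY.intersection(hits))
        lateral = "remote_cim_session" in hits and "credential_object" in hits
        severity = "high" if recovery_hits >= 2 or lateral else "medium"
        findings.append({"block": idx, "rules": hits, "severity": severity})
    return findings


# Constructed ScriptBlock texts (event ID 4104 style), not from any real incident.
SAMPLE_BLOCKS = [
    "Get-ChildItem C:\\Users -Recurse | Measure-Object",
    "vssadmin.exe delete shadows /all /quiet; wbadmin delete catalog -quiet; wevtutil cl System",
    "$c = New-Object System.Management.Automation.PSCredential($u,$p); New-CimSession -ComputerName fs01 -Credential $c",
    "Get-EventLog -LogName Application -Newest 10",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_BLOCKS):
        print(finding)
```

Note that the benign `Get-EventLog` block produces no finding, while the two blocks that combine recovery-impairing or remote-session actions are scored high.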
Novel Yurei ransomware sets sights on Windows systems