
A new and emerging threat group, Yurei Ransomware, claims an organization in Nigeria among its earliest victims.
First observed on 5 September 2025, the group is believed to operate from Morocco and to be low-skilled, according to a report by Check Point.
The threat group initially listed a Sri Lankan food manufacturing company called Midcity Marketing on their dark web portal on the date of observation.
Soon after, two new victims from Nigeria and India were added within four days, bringing the total number of victims to three.
Check Point did not disclose the names of the two victims; however, ransomware.live revealed that the affected Nigerian organization is a food brand.
A Low-Skilled Ransomware Gang
The group leverages an open-source malware framework called Prince-Ransomware with minor modifications, but left in a flaw that allows partial recovery of stolen and encrypted data.
Because it is written in the Go programming language, it is harder for some antivirus tools to detect, and Go also offers malware developers an easier development experience.
“While malware in Go is not uncommon, it still provides a challenge for some antivirus vendors to detect. Combined with an easier development experience than C or C++ and the ability to cross-compile to different platforms, Go continues to be an attractive choice for malware developers,” according to the Check Point blog.
They use a double-extortion model, where “they encrypt the victim’s files and exfiltrate sensitive data, and then demand a ransom payment to decrypt and refrain from publishing the stolen information.”
From a leaked ransom note, the group promised to provide a decryption tool — which victims can use to recover files — and a report of the vulnerabilities exploited, similar to a penetration test report, after payment.
That said, Check Point noticed Yurei’s “main pressure point for victims paying the ransom is the threat of data leakage.” They exploit victims’ fear of public data exposure, which may have severe implications for organizations.
How Organizations Can Defend Against Yurei Ransomware
Check Point revealed that the codebase of Yurei Ransomware has a “major flaw,” which allows the restoration of files to a previous snapshot without the stress of negotiating with the attackers.
The threat intelligence company explained, “It [Yurei Ransomware] does not delete existing shadow copies. Shadow copies are backup snapshots of files or entire volumes that, if enabled, are generated by the Volume Shadow Copy Service (VSS).”
“As Yurei does not include this functionality, if shadow copies are enabled, the victim can restore their files to a previous snapshot without having to negotiate with Yurei.”
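The recovery path Check Point describes depends on shadow copies actually existing on the host, which is worth verifying before an incident rather than during one. The following PowerShell is an added example written for this article, not code from Check Point or from any ransomware sample; it assumes a Windows host with the Volume Shadow Copy Service available, an elevated session, and placeholder paths (`Users\alice\Documents\report.docx`, `C:\Recovered`) that you would replace with your own. It checks whether a volume has shadow storage configured, lists the snapshots VSS holds, and copies one file out of a chosen snapshot so the result can be hash-checked against a known-good copy.

```powershell
# Added example (not from the article or Check Point): verify VSS coverage and
# recover a single file from an existing shadow copy. Run elevated on Windows.

function Test-ShadowStorage {
    # Returns $true when the given volume has a VSS diff area; without one,
    # no snapshots can be retained and the restore path below does not exist.
    param([string] $DriveLetter = 'C:')
    $vol = Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "Volume $DriveLetter not found" }
    $storage = Get-CimInstance -ClassName Win32_ShadowStorage |
        Where-Object { $_.Volume.DeviceID -eq $vol.DeviceID }
    if (-not $storage) { return $false }
    Write-Verbose ("{0}: {1:N0} MB used of {2:N0} MB allowed" -f $DriveLetter,
        ($storage.UsedSpace / 1MB), ($storage.MaxSpace / 1MB))
    return $true
}

function Get-ShadowCopyInventory {
    # Lists every shadow copy on the host, oldest first, resolved to a drive letter.
    $letters = @{}
    Get-CimInstance -ClassName Win32_Volume |
        ForEach-Object { $letters[$_.DeviceID] = $_.DriveLetter }
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Sort-Object InstallDate |
        ForEach-Object {
            [pscustomobject]@{
                Id           = $_.ID
                Created      = $_.InstallDate
                Volume       = $letters[$_.VolumeName]
                DeviceObject = $_.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
            }
        }
}

function Restore-FileFromShadowCopy {
    # Mounts one snapshot through a directory symbolic link, copies a single
    # file out of it, removes the link, and returns the SHA-256 of the copy.
    param(
        [Parameter(Mandatory)] [string] $ShadowCopyId,  # Id from Get-ShadowCopyInventory
        [Parameter(Mandatory)] [string] $RelativePath,  # path inside the volume, no drive letter
        [Parameter(Mandatory)] [string] $Destination    # directory to write the recovered file into
    )
    $shadow = Get-CimInstance -ClassName Win32_ShadowCopy -Filter "ID='$ShadowCopyId'"
    if (-not $shadow) { throw "No shadow copy with ID $ShadowCopyId" }

    # The snapshot is only reachable via its device object; mklink needs the
    # trailing backslash on the target or the link will not resolve.
    $mount = Join-Path $env:TEMP ('vss_' + [guid]::NewGuid().ToString('N'))
    cmd.exe /c mklink /d "$mount" "$($shadow.DeviceObject)\" | Out-Null
    try {
        $source = Join-Path $mount $RelativePath
        if (-not (Test-Path -LiteralPath $source)) {
            throw "File not present in snapshot $ShadowCopyId: $RelativePath"
        }
        if (-not (Test-Path -LiteralPath $Destination)) {
            New-Item -ItemType Directory -Path $Destination | Out-Null
        }
        $target = Join-Path $Destination (Split-Path -Leaf $RelativePath)
        Copy-Item -LiteralPath $source -Destination $target
        return Get-FileHash -LiteralPath $target -Algorithm SHA256
    } finally {
        # Directory.Delete removes the link itself, never the snapshot behind it.
        [System.IO.Directory]::Delete($mount)
    }
}

# Usage (placeholder paths):
#   Test-ShadowStorage -DriveLetter 'C:' -Verbose
#   $snap = Get-ShadowCopyInventory | Where-Object Volume -eq 'C:' | Select-Object -Last 1
#   Restore-FileFromShadowCopy -ShadowCopyId $snap.Id `
#       -RelativePath 'Users\alice\Documents\report.docx' -Destination 'C:\Recovered'
```

Two points follow from the article when you adopt something like this. First, `Test-ShadowStorage` returning `$false` means the snapshot-based recovery Check Point describes is simply unavailable on that host, so it belongs in routine hygiene checks, not just in the playbook. Second, as the next paragraph notes, a clean restore says nothing about the data already exfiltrated; this script addresses the encryption half of the double-extortion model only.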
However, this only solves part of the problem. The group can still leak the organization's data, as restoring files does not remove the exfiltrated copies from the attackers' hands.
“Ransomware groups are increasingly shifting to data-theft-based extortion, so this only aids in operational recovery but does not protect against extortion.”