Stranger Strings: Yurei Ransomware Operator Toolkit Exposed
Active since September 2025, Yurei is a double extortion ransomware campaign. The operators run their own Tor data leak site, which listed a low number of victims at the time of writing. Yurei is reportedly derived from Prince Ransomware, an open-source ransomware family written in Go. Check Point researchers noted that all samples were first submitted to VirusTotal from Morocco, and that one sample did not include a ticket ID, indicating that it could be a test build, possibly uploaded by the developer themselves. The Yurei samples also contain a link to SatanLockv2: the PDB path string “D:\satanlockv2” is present in them.
AI Analysis
Technical Summary
The Yurei ransomware campaign, active since September 2025, represents a double extortion threat where attackers encrypt victim data and threaten to leak stolen information via a Tor-hosted leak site. Yurei is reportedly derived from Prince Ransomware, an open-source ransomware family written in the Go programming language, which facilitates rapid development and deployment. Check Point researchers observed that all known samples were initially submitted to VirusTotal from Morocco, suggesting possible origin or testing activities in that region. One sample lacked a ticket ID, indicating it may be a developer test build. Notably, Yurei samples contain references to SatanLockv2 ransomware, implying shared code or toolkits between these ransomware families. The campaign uses multiple tactics including network scanning (T1046), execution of commands (T1059.001), credential access via valid accounts (T1078), and use of remote access tools like AnyDesk (T1550.002). The operators run their own Tor-based data leak site, consistent with double extortion ransomware trends. Despite the low number of victims publicly listed, the exposure of the operator toolkit and indicators such as file hashes provides defenders with actionable intelligence. No known exploits are currently active in the wild, but the campaign’s modular nature and use of open-source code could facilitate rapid evolution and wider targeting. The medium severity rating reflects the moderate impact on confidentiality, integrity, and availability, combined with the need for authentication and some user interaction for initial access.
Potential Impact
Yurei ransomware poses a significant threat to organizations by combining data encryption with the risk of sensitive data leakage, increasing pressure on victims to pay ransoms. The double extortion tactic can cause severe reputational damage, legal liabilities, and operational disruption. The use of open-source ransomware code lowers the barrier for attackers to customize and deploy variants, potentially increasing the campaign’s reach. The inclusion of credential theft and remote access tools enables lateral movement within networks, escalating the risk of widespread compromise. Although the current victim count is low, the campaign’s presence on the Tor leak site indicates active extortion attempts. Organizations with inadequate network segmentation, weak credential management, or exposed remote access services are particularly vulnerable. The medium severity suggests that while the threat is not yet widespread or highly destructive, it has the potential to cause moderate to significant operational and financial impacts if successfully deployed.
Mitigation Recommendations
Organizations should implement multi-factor authentication (MFA) across all remote access and privileged accounts to mitigate credential abuse. Network segmentation and strict access controls can limit lateral movement and contain infections. Continuous monitoring for unusual network scanning activity (T1046) and command execution (T1059.001) is critical to early detection. Deploy endpoint detection and response (EDR) solutions capable of identifying ransomware behaviors and known Yurei indicators, including the provided file hashes. Restrict or monitor the use of remote access tools like AnyDesk, ensuring they are only used when necessary and secured properly. Regularly back up critical data with offline or immutable storage to enable recovery without paying ransom. Conduct phishing awareness training to reduce the risk of initial compromise. Finally, monitor Tor sites and threat intelligence feeds for updates on Yurei activity and indicators to stay ahead of evolving tactics.
Affected Countries
Morocco, United States, United Kingdom, Germany, France, Canada, Australia, Japan, South Korea, Brazil
Indicators of Compromise
- hash: 964540e24c4e2e048e4600e5f590bf96
- hash: d4757f035c3447c33c2347101d08c1e798f1a044
- hash: 1facf7cdd94eed0a8a11b30f4237699385b20578339c68df01e542d772ccbce5
- hash: 26f51df1a12230b6bb583f3003c102a79106b049f89d9b9d43c6e85e072bd99e
- hash: 4f88d3977a24fb160fc3ba69821287a197ae9b04493d705dc2fe939442ba6461
- hash: ebfe75ab3223b036a4b886d497f2b172425b3e63890d485c99353773d4c436ea
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.team-cymru.com/post/yurei-double-extortion-ransomware-campaign-toolkit
- Adversary: null
- Pulse Id: 69cd66412a30a525e66b507d
- Threat Score: null
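The mitigation section above recommends matching files against the provided hashes. As an added example, not part of this advisory nor of the Team Cymru or Check Point research it summarises, the Python script below walks a directory tree, computes each file's digests in one streaming pass, and reports any file whose MD5, SHA-1 or SHA-256 appears in the indicator set. The six hash values are the ones listed on this page; the list mixes MD5, SHA-1 and SHA-256 without labels, so the script infers the algorithm from digest length instead of requiring the analyst to sort them by hand. The function names, the 1 MiB chunk size and the per-file error handling are assumptions of this example, not anything from the campaign's own tooling.

```python
"""Check files under a directory against hash IoCs (added example, not the advisory's code)."""
import hashlib
import os
import sys

# The six hash indicators listed on this page (MD5, SHA-1 and SHA-256 mixed together).
YUREI_HASH_IOCS = {
    "964540e24c4e2e048e4600e5f590bf96",
    "d4757f035c3447c33c2347101d08c1e798f1a044",
    "1facf7cdd94eed0a8a11b30f4237699385b20578339c68df01e542d772ccbce5",
    "26f51df1a12230b6bb583f3003c102a79106b049f89d9b9d43c6e85e072bd99e",
    "4f88d3977a24fb160fc3ba69821287a197ae9b04493d705dc2fe939442ba6461",
    "ebfe75ab3223b036a4b886d497f2b172425b3e63890d485c99353773d4c436ea",
}

# Hex digest length -> hashlib algorithm name (assumed convention for unlabelled IoC lists).
HASH_ALGOS_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_DIGITS = set("0123456789abcdef")


def classify_iocs(iocs):
    """Group hex hash strings by algorithm, inferred from digest length.

    Returns {"md5": set, "sha1": set, "sha256": set}. Values that are not
    hex or have an unrecognised length are skipped rather than raising,
    so a typo in a feed does not abort the whole scan."""
    groups = {"md5": set(), "sha1": set(), "sha256": set()}
    for value in iocs:
        v = value.strip().lower()
        algo = HASH_ALGOS_BY_LEN.get(len(v))
        if algo is None or not set(v) <= HEX_DIGITS:
            continue
        groups[algo].add(v)
    return groups


def digest_file(path, algos, chunk_size=1 << 20):
    """Compute the requested digests of one file, reading it only once."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scan_directory(root, iocs=YUREI_HASH_IOCS):
    """Walk `root` and return (path, algorithm, hexdigest) for every file whose
    digest is in `iocs`. Only algorithms that actually have indicators are
    computed, so an MD5-only list does not pay for SHA-256 on every file."""
    groups = classify_iocs(iocs)
    algos = [a for a, s in groups.items() if s]
    hits = []
    if not algos:
        return hits
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = digest_file(path, algos)
            except OSError:
                # Unreadable or vanished file: skip it, keep scanning the rest.
                continue
            for algo, hexdigest in digests.items():
                if hexdigest in groups[algo]:
                    hits.append((path, algo, hexdigest))
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, algo, hexdigest in scan_directory(root):
        print(f"MATCH {algo} {hexdigest} {path}")
```

Run it as `python scan.py /path/to/check`; a match line names the file, the algorithm that matched and the indicator. Hash matching only catches byte-identical samples, so it complements rather than replaces the behavioural EDR monitoring the recommendations call for; the same `scan_directory` function accepts any indicator set, so a fresher hash list from the referenced feed can be passed in without changing the code.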
Threat ID: 69cd7428e6bfc5ba1def5b1b
Added to database: 4/1/2026, 7:38:16 PM
Last enriched: 4/2/2026, 12:13:51 PM
Last updated: 4/6/2026, 4:56:16 AM