Yurei is a recently identified ransomware group that surfaced in September 2025, initially targeting a food manufacturing company in Sri Lanka. This group employs a double-extortion ransomware model, which involves both encrypting victim files and exfiltrating sensitive data to pressure victims into paying ransoms. The ransomware used by Yurei is a derivative of the open-source Prince-Ransomware, written in the Go programming language, with minor modifications. Notably, the ransomware contains a flaw that allows partial recovery of encrypted data through the use of Windows Shadow Copies, which are snapshots of system files. Since its emergence, Yurei has expanded its operations to at least three victims across Sri Lanka, India, and Nigeria. The threat actor is suspected to originate from Morocco. The use of open-source ransomware lowers the technical barrier for entry, enabling less-skilled cybercriminals to launch effective ransomware campaigns. The malware leverages multiple tactics and techniques mapped to MITRE ATT&CK, including credential dumping, data exfiltration, process discovery, and defense evasion. Indicators of compromise include multiple file hashes and a Tor onion domain used for ransom communications. Although no known exploits are reported in the wild beyond these incidents, the rapid expansion and double-extortion approach highlight the operational risk posed by Yurei.

For European organizations, the emergence of Yurei ransomware represents a growing threat, especially to sectors similar to those initially targeted, such as manufacturing and food production. The double-extortion model increases the risk of data breaches and reputational damage, as stolen sensitive data may be leaked if ransoms are not paid. The ransomware's partial recoverability via Shadow Copies may reduce total data loss but does not eliminate operational disruption or data confidentiality risks. European organizations with supply chain links to South Asia or Africa could be indirectly affected through third-party compromises. Additionally, the use of open-source ransomware variants like Yurei lowers the entry barrier for attackers, potentially increasing the frequency of attacks across Europe. The threat actor's suspected Moroccan origin and targeting patterns suggest potential geopolitical motivations or opportunistic targeting, which could extend to European entities. The medium severity rating reflects moderate impact potential but also indicates that effective mitigation and incident response can reduce damage.

European organizations should implement targeted defenses against Yurei ransomware by: 1) Ensuring robust and frequent backups with offline or immutable storage to mitigate encryption impact, while also verifying backup integrity regularly. 2) Enabling and protecting Windows Shadow Copies, as they may allow partial recovery from this ransomware variant. 3) Implementing strict network segmentation and least privilege access to limit lateral movement and credential theft. 4) Deploying advanced endpoint detection and response (EDR) solutions capable of detecting behaviors associated with credential dumping, data exfiltration, and ransomware execution, especially those leveraging Go-based malware. 5) Monitoring for indicators of compromise such as the provided file hashes and suspicious Tor domain communications. 6) Conducting regular user awareness training focused on phishing and social engineering, which remain common initial infection vectors. 7) Applying timely security patches and disabling unnecessary services to reduce attack surface. 8) Collaborating with threat intelligence sharing platforms to stay updated on Yurei activity and emerging tactics. 9) Preparing and testing incident response plans that include ransomware-specific scenarios and data breach notification procedures.