Cybersecurity researchers identify ransomware using open-source tools
A newly emerged group, Yurei, is leveraging open-source ransomware code to launch double-extortion attacks, with confirmed victims in Sri Lanka, India, and Nigeria.

A ransomware group calling itself Yurei first emerged on 5 September, targeting a food manufacturing company in Sri Lanka. Within days, the group had added victims in India and Nigeria, bringing the total confirmed incidents to three.
Researchers at Check Point found that Yurei’s code is largely derived from Prince-Ransomware, an open-source project. The link is unusually easy to establish because the developers did not strip symbols from the compiled binary, so the original function and module names survive in the Yurei sample.
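The attribution step the article describes, recovering function and module names from an unstripped binary and comparing them against a known open-source code base, is a routine analyst technique. The script below is an added example, not Check Point’s tooling or anything from the Prince-Ransomware or Yurei code: it pulls printable strings from a sample, keeps the ones shaped like Go package.Function symbols, discards names every Go binary carries (runtime, reflect, and so on), and reports how much of a reference symbol list the sample matches. The `SAMPLE_BINARY` bytes and the `KNOWN_SYMBOLS` reference list are constructed placeholders; a real comparison would collect the reference list from a build of the open-source project itself.

```python
"""Flag likely code reuse by matching symbol names left in an unstripped binary
against a reference list collected from an open-source project (added example)."""
import re

# Constructed sample "binary": opaque bytes interleaved with the kind of
# package/function names an unstripped Go build leaves in its symbol tables.
# This is not a real malware sample.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"\x55\x48\x89\xe5\x90\x90\xcc\x00"
    + b"main.encryptFile\x00"
    + b"\x13\x37\x00\x00"
    + b"github.com/example/opensrc-ransom/pkg/crypto.GenerateKey\x00"
    + b"\xde\xad\xbe\xef"
    + b"runtime.gopanic\x00"
    + b"main.dropNote\x00"
    + b"ab\x00"  # too short to count as a string
)

# Hypothetical reference list: the symbol names an analyst would harvest from a
# build of the open-source project under comparison. Constructed placeholders,
# not the real Prince-Ransomware identifiers.
KNOWN_SYMBOLS = {
    "main.encryptFile",
    "main.dropNote",
    "github.com/example/opensrc-ransom/pkg/crypto.GenerateKey",
    "github.com/example/opensrc-ransom/pkg/walk.Targets",
}

# Runtime and standard-library prefixes present in every Go binary; they carry
# no information about which project the code came from.
NOISE_PREFIXES = ("runtime.", "reflect.", "sync.", "syscall.", "internal/")


def extract_strings(blob, min_len=6):
    """Return runs of printable ASCII of at least min_len bytes (like `strings`)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def candidate_symbols(strings):
    """Keep strings shaped like Go symbols (pkg.Func) and drop runtime noise."""
    out = []
    for s in strings:
        if s.startswith(NOISE_PREFIXES):
            continue
        if "." in s and " " not in s:
            out.append(s)
    return out


def match_symbols(blob, known):
    """Intersect recovered symbols with the reference list.

    Returns (sorted matched names, fraction of the reference list matched).
    A high fraction on project-specific names, not on runtime noise, is what
    supports a "derived from project X" conclusion.
    """
    found = set(candidate_symbols(extract_strings(blob)))
    matched = sorted(found & set(known))
    coverage = len(matched) / len(known) if known else 0.0
    return matched, coverage


if __name__ == "__main__":
    names, score = match_symbols(SAMPLE_BINARY, KNOWN_SYMBOLS)
    print(f"matched {len(names)}/{len(KNOWN_SYMBOLS)} reference symbols ({score:.0%})")
    for n in names:
        print("  ", n)
```

Matching on package paths such as `github.com/<org>/<project>/...` is the strongest signal, since those are unique to the project; bare `main.*` names are weaker evidence on their own and should be weighed accordingly.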
Yurei operates using a double-extortion model, combining file encryption with theft of sensitive data. Victims are pressured to pay not only for a decryption key but also to prevent stolen data from being leaked.
Yurei’s extortion workflow involves posting victims on a darknet blog, sharing proof of compromise such as internal document screenshots, and offering a chat interface for negotiation. If a ransom is paid, the group promises a decryption tool and a report detailing the vulnerabilities exploited during the attack, akin to a pen-test report.
Preliminary findings (with ‘low confidence’) suggest that Yurei may be based in Morocco, though attribution remains uncertain.
The emergence of Yurei illustrates how open-source ransomware projects lower the barrier to entry, enabling relatively unsophisticated actors to launch effective campaigns. The focus on data theft rather than purely encryption may represent an escalating trend in modern cyberextortion.