
When attacking an enterprise, Yurei ransomware enumerates all drives and, for each drive in parallel, encrypts files and appends a .Yurei extension, the security firm said. For encryption, Yurei generates a random key and a random nonce per file, then encrypts both with ECIES using the attacker's public key.
It then tries to set a wallpaper. But because Yurei's developer forgot to provide a URL for the wallpaper, it only displays a plain, solid-color background (such as black) rather than a ransom note. Once encryption is complete, the malware enters a new routine that continuously monitors for newly attached network drives and encrypts them as well. Yurei then provides the victim with a .onion page for further communication and price negotiation, Check Point Research said.
Open-Source Code Fuels Fast Entry
Yurei is almost entirely built on an open-source ransomware codebase known as Prince Ransomware, written in Go, with some modifications. This was identified because the threat actor did not strip the symbols from the binary, leaving function and module names intact. The same ransomware codebase has already been used in campaigns by other actors, such as CrazyHunter, Check Point Research noted.
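The attribution clue above, an unstripped Go binary whose function and module names are still readable, can be checked in a first-pass triage. The following is an added example, not Check Point's tooling or the ransomware's own code; the binary bytes, build ID and symbol names are constructed placeholders, and the symbol pattern assumes Go's usual `package.Func` / `import/path/pkg.Func` naming.

```python
import re

# Constructed stand-in for a few bytes of an unstripped Go binary: an ELF magic,
# a Go build ID marker, runtime and main-package symbols, and one module path.
# All names and the build ID are invented placeholders for this example.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"Go build ID: \"example-build-id-placeholder\"\x00"
    + b"runtime.newobject\x00runtime.mallocgc\x00"
    + b"main.encryptFile\x00main.enumerateDrives\x00main.main\x00"
    + b"github.com/example-org/example-ransom/crypto.WrapKey\x00"
    + b"\x00\x00\x00\x10\x20\x30"
)


def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# Go symbol shape: optional import path ending in '/', then package.Func.
# Matches both `main.encryptFile` and `github.com/org/repo/pkg.Func`.
GO_SYMBOL = re.compile(
    r"^(?:[A-Za-z0-9_.\-]+(?:/[A-Za-z0-9_.\-]+)*/)?"
    r"[A-Za-z_][A-Za-z0-9_]*\.[A-Za-z_(][A-Za-z0-9_.*)]*$"
)


def go_symbols(data: bytes) -> list[str]:
    """Deduplicated, sorted strings that look like Go function symbols."""
    return sorted({s for s in extract_strings(data) if GO_SYMBOL.match(s)})


def triage(data: bytes) -> dict:
    """Summarise what an analyst would pull from an unstripped Go sample:
    whether a Go build ID is present, the main-package functions (the
    author's own code), and the third-party module paths linked in."""
    strings = extract_strings(data)
    syms = go_symbols(data)
    return {
        "go_build_id": any(s.startswith("Go build ID:") for s in strings),
        "main_package_symbols": [s for s in syms if s.startswith("main.")],
        "module_paths": sorted({s.rsplit(".", 1)[0] for s in syms if "/" in s}),
        "unstripped": any(s.startswith("main.") for s in syms),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_BINARY))
```

Module paths recovered this way are what let analysts match a sample against a known open-source codebase; a stripped binary yields an empty `main_package_symbols` list and warrants deeper disassembly instead.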

