Yurei Ransomware Emerges as Stealthy Threat, Leveraging Open-Source Tools and Stolen Credentials for Targeted Attacks

The ransomware landscape continues to evolve rapidly, with new groups leveraging open-source tools to accelerate their operations. One such emerging threat is Yurei ransomware, active since September 2025. Despite maintaining a relatively low profile with only a handful of publicly listed victims, Yurei presents a compelling case study in how modern ransomware campaigns operate efficiently using readily available resources.

Yurei follows a double extortion model, where attackers not only encrypt victim data but also threaten to leak sensitive information via their Tor-based data leak site. Interestingly, its limited victim count suggests either a targeted approach or an operation still in its developmental phase. Security researchers have linked Yurei to Prince Ransomware, an open-source Golang-based project, reinforcing the growing trend of threat actors repurposing publicly available codebases.

Infrastructure Discovery and Early Indicators

Between December 2025 and January 2026, researchers identified two open directories hosted on:

  • 44[.]210.101.86
  • 44[.]223.40.182

Figure: Screenshot from Scout’s Open Ports tab for 44[.]223.40.182 and 44[.]210.101.86. Source: Cymru

Both IPs were associated with AS14618 (Amazon infrastructure). These exposed directories provided a rare glimpse into the operator’s toolkit and workflow. The presence of organized files and scripts allowed analysts to reconstruct the attack lifecycle—from initial access to final payload execution.

An unusual aspect of the toolkit was its “Stranger Things”-themed naming convention, hinting at either developer personalization or attempts to obfuscate intent.

Initial Access and Credential Acquisition

Evidence suggests that Yurei operators rely heavily on stolen credentials. Two ZIP files discovered on the server strongly resemble infostealer log bundles typically sold on underground marketplaces:

  • 250815-rbnbzax1bs_pw_infected_2.zip
  • 250912-f9expsypv6_pw_infected.zip

These datasets likely contain harvested usernames and passwords, enabling attackers to bypass traditional perimeter defenses without exploiting vulnerabilities.

Reconnaissance and Network Enumeration

Once inside a network, the attackers deploy a range of tools for reconnaissance. These include:

  • SoftPerfect NetScan for IP and service discovery
  • NetExec (nxc.exe) for enumerating shares and users
  • Everything.exe for rapid file searches
  • A custom PowerShell script: Host_Discovery.ps1

This phase is critical, as it allows attackers to map the environment and identify high-value targets such as domain controllers and sensitive file repositories.

Credential Theft and Privilege Escalation

To elevate privileges, Yurei operators utilize well-known offensive security tools:

  • Rubeus.exe.bak for Kerberos abuse (Kerberoasting, AS-REP Roasting)
  • Invoke-TheHash.ps1 for pass-the-hash attacks

These techniques enable attackers to escalate from a standard user to domain-level access without needing plaintext credentials.

Persistence Mechanisms

Maintaining long-term access is a key priority. Yurei achieves persistence using:

  • AnyDesk, a legitimate remote access tool often abused as a backdoor
  • winPEAS, which helps identify privilege escalation paths

Additionally, a PowerShell script named Vecna.ps1 establishes persistence via Windows Management Instrumentation (WMI). It ensures that a malicious executable runs every time explorer.exe starts, effectively embedding itself into normal system behavior.

Figure: The “Vecna.ps1” script. Source: Cymru

Defense Evasion Techniques

One of the most concerning components is the script FixingIssues2.ps1, designed specifically to disable security controls. It:

  • Disables Windows Defender protections
  • Excludes critical directories (e.g., C:\) from scanning
  • Turns off real-time monitoring and behavior analysis
  • Deletes shadow copies using:
    vssadmin delete shadows /all /quiet
  • Disables System Restore via registry modifications

This level of defense evasion significantly reduces the chances of detection and recovery.
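As an added detection example (not code from the article or from Team Cymru), the rules below flag the defense-evasion actions attributed above to FixingIssues2.ps1 and the explorer.exe-triggered WMI persistence attributed to Vecna.ps1, run over constructed Sysmon-style records. The registry key used for the System Restore case and the WQL filter shape are assumptions, since the article names neither.

```python
import re

# Constructed sample records ("image", "command line or WMI query"), Sysmon-style.
# They are NOT telemetry from the Yurei case; they stand in for the actions the
# article attributes to FixingIssues2.ps1 (Defender tampering, C:\ exclusion,
# vssadmin shadow deletion, System Restore registry change) and Vecna.ps1 (WMI trigger).
SAMPLE_EVENTS = [
    ("powershell.exe", "Set-MpPreference -DisableRealtimeMonitoring $true -DisableBehaviorMonitoring $true"),
    ("powershell.exe", r'Add-MpPreference -ExclusionPath "C:\"'),
    ("vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    # Assumed key: the article only says "registry modifications".
    ("reg.exe", r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f'),
    # Assumed filter shape for "run every time explorer.exe starts".
    ("wmiprvse.exe", "EventFilter Query: SELECT * FROM __InstanceCreationEvent WITHIN 5 "
                     "WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'explorer.exe'"),
    ("powershell.exe", "Get-MpPreference"),      # benign: read-only query
    ("vssadmin.exe", "vssadmin list shadows"),    # benign: listing, not deleting
]

# (technique label, regex applied to the command line / query). The exclusion rule
# only fires on a bare drive root, so ordinary per-folder exclusions stay quiet.
RULES = [
    ("defender_protection_disabled",
     re.compile(r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|BehaviorMonitoring|IOAVProtection)", re.I)),
    ("defender_drive_root_excluded",
     re.compile(r"Add-MpPreference\b.*-ExclusionPath\s+[\"']?[A-Za-z]:\\?[\"']?\s*$", re.I)),
    ("shadow_copies_deleted", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("system_restore_disabled", re.compile(r"SystemRestore.*\bDisableSR\b.*/d\s+1\b", re.I)),
    ("wmi_explorer_start_trigger", re.compile(r"__InstanceCreationEvent.*Win32_Process.*explorer\.exe", re.I)),
]


def detect(events):
    """Return [(technique, image, detail)] for every record matching a rule."""
    hits = []
    for image, detail in events:
        for technique, pattern in RULES:
            if pattern.search(detail):
                hits.append((technique, image, detail))
    return hits


def techniques_seen(events):
    """Distinct technique labels in first-seen order, for quick triage of a host."""
    seen = []
    for technique, _, _ in detect(events):
        if technique not in seen:
            seen.append(technique)
    return seen


if __name__ == "__main__":
    for technique, image, detail in detect(SAMPLE_EVENTS):
        print(f"[{technique}] {image}: {detail}")
```

Seeing several of these labels on one host within minutes is the pre-encryption window the article describes; shadow-copy deletion and a drive-root exclusion together warrant immediate isolation.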

Lateral Movement Across Networks

To expand their foothold, attackers use:

  • PsExec for remote command execution
  • Invoke-SMBExec.ps1 for lateral movement via SMB

These tools allow rapid propagation across systems, especially in poorly segmented networks.

Payload Execution and Impact

The final payload, StrangerThings.exe, is the Yurei ransomware binary written in Golang. Once executed, it encrypts files and drops a ransom note titled:

  • README_Yurei.txt

Additionally, SDelete (sdelete.exe) is used to securely erase files, removing forensic evidence and complicating recovery efforts.

An intriguing finding was the presence of a file named w.exe, often associated with Akira ransomware, suggesting possible overlaps or shared tooling between ransomware groups.

Indicators of Compromise (IOCs)

Key Infrastructure:

  • 44[.]210.101.86
  • 44[.]223.40.182

Notable File Hashes:

  • Host_Discovery.ps1:
    1facf7cdd94eed0a8a11b30f4237699385b20578339c68df01e542d772ccbce5
  • FixingIssues2.ps1:
    ebfe75ab3223b036a4b886d497f2b172425b3e63890d485c99353773d4c436ea
  • Vecna.ps1:
    26f51df1a12230b6bb583f3003c102a79106b049f89d9b9d43c6e85e072bd99e
  • StrangerThings.exe:
    4f88d3977a24fb160fc3ba69821287a197ae9b04493d705dc2fe939442ba6461

Our Perspective on the Yurei Case

What makes Yurei particularly significant is not its scale but its methodology. This campaign highlights how the barrier to entry in cybercrime continues to shrink. By leveraging open-source ransomware like Prince and combining it with widely available offensive tools, even relatively inexperienced actors can orchestrate sophisticated attacks.

The reliance on credential-based access instead of zero-day exploits is also telling. It reflects a broader shift in attacker strategy—why break in when you can simply log in? This places increased responsibility on organizations to strengthen identity security, enforce multi-factor authentication, and monitor anomalous login behavior.

Another critical observation is the operational discipline shown by Yurei operators. Despite being a smaller campaign, their toolkit covers the full intrusion lifecycle: reconnaissance, persistence, lateral movement, and defense evasion. This suggests that even low-volume groups can pose high-impact risks.

Finally, the discovery of open directories underscores the importance of proactive threat intelligence. Identifying attacker infrastructure before large-scale attacks occur provides defenders with a valuable head start.

In our view, Yurei is less about immediate damage and more about what it represents: a growing ecosystem where ransomware development is commoditized. Organizations that fail to adapt to this reality risk facing increasingly frequent and efficient attacks in the near future.