
Emerging Yurei Ransomware Claims First Victims

  • September 16, 2025

Jasper_The_Rasper
Moderator

The cybercrime group, named after Japanese ghosts but believed to be from Morocco, uses a modified version of the Prince-Ransomware binary that includes a flaw allowing for partial data recovery. However, an extortion threat remains.

 

 

 

September 16, 2025 By Elizabeth Montalbano

 

A new ransomware operator has emerged that relies on open source malware to launch double-extortion attacks that have claimed several victims. However, its ransomware has a flaw that gives victims a way to recover their stolen and encrypted data (at least partially).

Yurei ransomware, first observed on Sept. 5, has targeted its first data-leak victim — food manufacturing company MidCity Marketing in Sri Lanka, the stolen data of which was leaked by the group after an extortion attack, Check Point research revealed in a blog post this week. Two other victims, from India and Nigeria, were added by Sept. 9. The goal of Yurei — whose operators are believed to be in Morocco — is to rely on fear and the potential ramifications of data leakage to get victims to pay the ransom without data recovery, which is why the group already had some success, even in its early days, according to the post.

 
