Unnamed Victims: Yurei Ransomware Uses Common Tools, Adds Stranger Things References

New Yurei Ransomware Campaign Leverages *Stranger Things*-Themed Tools in Aggressive Extortion Attacks

Researchers at Team Cymru have uncovered a sophisticated extortion campaign tied to the Yurei ransomware toolkit, operated by a threat group first observed in September 2025. The attackers stand out for their use of pop-culture references, naming malicious tools after characters and themes from *Stranger Things*, including a PowerShell script dubbed Vecna.ps1 and the ransomware payload StrangerThings.exe.

Unlike traditional ransomware groups that develop custom malware, the Yurei operators assemble modular toolkits from readily available resources, lowering the barrier to entry for cybercrime. Their attack chain begins with stolen credentials purchased from criminal marketplaces, followed by network reconnaissance using tools such as SoftPerfect NetScan and NetExec. To escalate privileges, they deploy Rubeus, a tool that abuses Windows Kerberos authentication to gain administrator-level access.

Once inside, the group maintains persistence by installing AnyDesk, a legitimate remote-desktop application that security software often overlooks. The Vecna.ps1 script then lies dormant until a user logs in, at which point it launches StrangerThings.exe, the ransomware payload. Notably, Yurei is not an original creation but a repurposed version of Prince Ransomware, an open-source strain written in Go, which lets the attackers operate without advanced development skills.

Before encrypting files, the group disables security defenses with FixingIssues2.ps1, which neutralizes Windows Defender and other protections. They also use SDelete to securely wipe evidence and delete shadow copies, eliminating recovery options for victims.

Between December 2025 and January 2026, Team Cymru tracked the group’s activity via NetFlow analysis, observing their lateral movement through networks using tools like PsExec. While their public leak site currently lists only three confirmed victims, the ease of deploying these attacks has raised concerns among experts about the growing accessibility of ransomware operations. The campaign highlights how low-skill threat actors can now launch high-impact attacks with minimal effort.
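A defender-side illustration, added here and not part of the Hackread or Team Cymru reporting: a small Python correlator that flags hosts showing several stages of the chain described above, run over constructed process-creation records. Only the tool and file names come from the report; the hosts, users, paths and command lines are made up, and how Vecna.ps1 is actually triggered at logon is not stated in the report, so the sample simply shows a script launched by file name.

```python
import re

# Constructed process-creation records (Sysmon event 1 style), not real telemetry:
# tool and file names follow the report; hosts, users and paths are made up.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "jdoe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -ep bypass -File C:\Users\Public\Vecna.ps1"},
    {"host": "ws01", "user": "jdoe", "image": "StrangerThings.exe",
     "cmdline": r"C:\Users\Public\StrangerThings.exe"},
    {"host": "ws01", "user": "jdoe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\Public\FixingIssues2.ps1"},
    {"host": "ws01", "user": "SYSTEM", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "user": "SYSTEM", "image": "sdelete64.exe",
     "cmdline": r"sdelete64.exe -accepteula -p 2 C:\Temp"},
    {"host": "dc01", "user": "admin", "image": "PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"host": "ws02", "user": "alice", "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# One pattern per stage of the chain. Behavioural patterns (shadow-copy deletion,
# Defender tampering, PsExec service, SDelete) are generic; the script and payload
# names are campaign-specific and will not survive a simple rename.
RULES = [
    ("PowerShell script file execution", re.compile(r"powershell.*-file\s+\S+\.ps1", re.I)),
    ("Defender tampering", re.compile(r"set-mppreference.*-disable|fixingissues2\.ps1", re.I)),
    ("shadow copy deletion", re.compile(r"vssadmin.*delete\s+shadows|shadowcopy\s+delete", re.I)),
    ("secure delete (SDelete)", re.compile(r"\bsdelete(64)?\.exe", re.I)),
    ("PsExec service", re.compile(r"\bpsexesvc\.exe", re.I)),
    ("Kerberos abuse (Rubeus)", re.compile(r"\brubeus(\.exe)?\b", re.I)),
    ("Yurei payload name", re.compile(r"\bstrangerthings\.exe", re.I)),
]

def match_stages(event):
    """Return the chain stages whose pattern matches this event's command line."""
    return [name for name, pat in RULES if pat.search(event["cmdline"])]

def correlate(events, min_stages=2):
    """Collect matched stages per host and alert on hosts showing at least min_stages
    distinct stages. One stage alone (say, a PsExec service start) is routine admin
    activity on many estates; several stages on one host is what marks the chain."""
    seen = {}
    for ev in events:
        for stage in match_stages(ev):
            seen.setdefault(ev["host"], set()).add(stage)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_stages}

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

In production the same rules would be fed from the SIEM with a time window per host; the threshold keeps lone PsExec or vssadmin activity from an administrator from paging anyone on its own.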

Source: https://hackread.com/yurei-ransomware-tools-stranger-things-references/

InfraShield cybersecurity rating report: https://www.rankiteo.com/company/infrashield-com

{
  "id": "INF1775140237",
  "linkid": "infrashield-com",
  "type": "Ransomware",
  "date": "9/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "attack_vector": "Stolen credentials",
  "data_breach": {"data_encryption": "Yes"},
  "date_detected": "2025-09-01",
  "description": "Researchers at Team Cymru have uncovered a sophisticated extortion campaign tied to the Yurei ransomware toolkit, operated by a threat group first observed in September 2025. The attackers use pop-culture references, naming malicious tools after characters and themes from *Stranger Things*, including a PowerShell script dubbed Vecna.ps1 and the ransomware payload StrangerThings.exe. The group assembles modular toolkits from readily available resources, beginning attacks with stolen credentials, followed by network reconnaissance and privilege escalation. They maintain persistence using AnyDesk and deploy ransomware after disabling security defenses. The campaign highlights the growing accessibility of ransomware operations for low-skill threat actors.",
  "initial_access_broker": {
    "backdoors_established": "AnyDesk",
    "entry_point": "Stolen credentials"
  },
  "investigation_status": "Ongoing",
  "motivation": "Extortion",
  "post_incident_analysis": {
    "root_causes": "Use of modular toolkits, stolen credentials, and lack of advanced development skills by threat actors"
  },
  "ransomware": {
    "data_encryption": "Yes",
    "ransomware_strain": "Yurei (repurposed Prince Ransomware)"
  },
  "references": [{"source": "Team Cymru"}],
  "threat_actor": "Yurei ransomware group",
  "title": "New Yurei Ransomware Campaign Leverages *Stranger Things*-Themed Tools in Aggressive Extortion Attacks",
  "type": "Ransomware"
}