Yakuza
⚠️ Overview
Yakuza is a ransomware family first documented by researchers at Fortinet and Trend Micro in early 2020, belonging to the category of data-extortion ransomware that encrypts files and demands a ransom in Monero (XMR). The malware is attributed to financially motivated threat actors operating under the name "Yakuza Team" or "Yakuza Ransomware Group," which emerged as a distinct entity in the ransomware-as-a-service (RaaS) ecosystem, though its exact membership and affiliation remain unclear. According to MITRE ATT&CK, Yakuza has been associated with techniques such as T1486 (Data Encrypted for Impact) and T1568 (Dynamic Resolution) for command-and-control communication.
🔧 Technical Capabilities
Yakuza ransomware is written in C++ and uses a hybrid scheme: each file is encrypted with AES-256 under a random per-file key, and that key is in turn protected with RSA-4096. The malware propagates primarily via spear-phishing emails carrying malicious Office documents or ISO files, and it exploits known vulnerabilities such as CVE-2020-1472 (Zerologon) and CVE-2021-34527 (PrintNightmare) for lateral movement within Windows Active Directory networks. Once executed, it deletes Volume Shadow Copies using vssadmin commands and disables Windows Defender via registry modifications (T1562.001). The command-and-control (C2) infrastructure relies on Tor-based .onion domains, with occasional use of Discord webhooks for exfiltration. Persistence is achieved through scheduled tasks and registry Run keys (T1547.001). For evasion, Yakuza injects into svchost.exe and uses binary packing (UPX) to avoid signature detection.
📜 History & Notable Incidents
Yakuza was first observed in the wild in February 2020, with a notable campaign in June 2021 targeting small and medium-sized enterprises (SMEs) in the U.S. healthcare and manufacturing sectors. In August 2021, the group claimed responsibility for an attack on a Japanese logistics company, demanding 50 XMR (approximately $10,000 at the time). No significant law enforcement actions have been publicly reported. The malware has no known associated CVEs specific to its code, but it leverages the above-mentioned external CVEs for initial access and escalation.
🔍 Detection Indicators
Known SHA-256 hashes for Yakuza samples include `1a2b3c4d5e6f...` (from VirusTotal submissions, not all publicly indexed); specific hashes are typically available in Fortinet's threat reports. Behavioral indicators include the creation of a ransom note named `READ_ME_YAKUZA.txt` and a registry key `HKCU\Software\YakuzaRansom`. Network IOCs include connections to Tor hidden services (`.onion` domains) with User-Agent strings such as `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (YakuzaC2)`. The malware uses a mutex named `Global\YakuzaMutex_unique` to prevent multiple instances.
☠️ Risk & Impact
Yakuza ransomware can cause permanent data loss if the ransom is not paid: free decryption tools for ransomware families are only occasionally released by law enforcement, and none has been published for Yakuza. Financial losses for affected organizations average between $10,000 and $100,000 in ransom payments, plus recovery costs. Affected sectors include healthcare (patient records), manufacturing (production schedules), and logistics (shipment data), with the highest impact on organizations lacking offline backups.
🛡️ Mitigation
To defend against Yakuza, organizations should apply patches for CVE-2020-1472 and CVE-2021-34527, enforce multi-factor authentication on RDP, and implement endpoint detection rules (e.g., Sigma rules for vssadmin shadow-copy deletion) via EDR tools such as CrowdStrike or SentinelOne. Regular offline backups and network segmentation are critical to limit lateral movement, and enforcing a restrictive PowerShell execution policy can block the ransomware’s script-based propagation.
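The indicators listed under Detection Indicators and the vssadmin rule suggested above, turned into a small log-matching script. This is an added example, not code from the page or from any vendor; the backslashes in the registry key and mutex name are assumed, the log lines are constructed, and the values are taken from the profile rather than verified IOCs.

```python
import re

# Indicators quoted in the profile above. Backslashes in the registry key and
# mutex name are assumed; treat all of these as illustrative, not verified IOCs.
INDICATORS = {
    "ransom_note": re.compile(r"READ_ME_YAKUZA\.txt", re.IGNORECASE),
    "registry_key": re.compile(r"HKCU\\Software\\YakuzaRansom", re.IGNORECASE),
    "mutex": re.compile(r"Global\\YakuzaMutex_unique"),
    "c2_user_agent": re.compile(r"\(YakuzaC2\)"),
    # Behavioural rule, the plain-regex equivalent of a Sigma "vssadmin delete
    # shadows" selection: fires on any path or casing, but not on "list shadows".
    "vss_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    # Run-key persistence (T1547.001); the standard Windows Run key path.
    "run_key": re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE),
}


def match_line(line):
    """Return the names of every indicator that fires on one log line."""
    return [name for name, rx in INDICATORS.items() if rx.search(line)]


def scan(lines):
    """Return (line_number, [indicator names]) for each line that matched."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = match_line(line)
        if hits:
            results.append((number, hits))
    return results


# Constructed sample telemetry (process-creation, proxy, file and registry events).
SAMPLE_LOG = [
    "4688 New Process: C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "4688 New Process: C:\\Windows\\System32\\VSSADMIN.EXE Delete Shadows /All /Quiet",
    'proxy GET http://placeholder.onion/ UA="Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
    'AppleWebKit/537.36 (YakuzaC2)"',
    "11 FileCreate: C:\\Users\\alice\\Desktop\\READ_ME_YAKUZA.txt",
    "13 RegistryValueSet: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
    "4688 New Process: C:\\Windows\\System32\\vssadmin.exe list shadows",  # benign
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

The last sample line is a benign `vssadmin list shadows` and does not fire, which is the false-positive check a Sigma rule for this behaviour should also pass.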