RansomHouse upgrades encryption with multi-layered data processing

22.12.2025 2 minutes Author: Newsman

The RansomHouse ransomware-as-a-service operation has upgraded its encryptor, moving from a simple linear approach to a complex multi-layered model. The new technique strengthens encryption, complicates analysis, and significantly reduces the chances of partial data recovery.

According to a report by Palo Alto Networks Unit 42, the latest RansomHouse encryptor, dubbed Mario, introduces a two-stage data transformation using two separate keys — a 32-byte primary key and an 8-byte secondary key. This design increases encryption entropy and makes traditional decryption techniques far less effective.

In addition, Mario employs a new file processing strategy with dynamic chunk sizing for files larger than 8 GB and intermittent encryption. The non-linear processing order, complex mathematical calculations, and size-dependent logic significantly hinder static analysis and reverse engineering efforts.
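Intermittent encryption matters to defenders because a whole-file entropy check, a common ransomware heuristic, can miss a file whose plaintext blocks are still interleaved with ciphertext. The following added example (not code from Unit 42's report or from the Mario sample) scans a file chunk by chunk instead; the chunk size, the entropy threshold and the constructed sample file are assumptions, since the report does not publish Mario's real chunk logic.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 4096    # assumed analysis window, not Mario's actual chunk size
HIGH_ENTROPY = 7.5   # bits/byte; ciphertext and random data sit close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size window across the file."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE,
             threshold: float = HIGH_ENTROPY) -> str:
    """Label a file as plaintext, fully-encrypted or intermittent."""
    ents = chunk_entropies(data, chunk_size)
    if not ents:
        return "empty"
    high = sum(1 for e in ents if e >= threshold)
    if high == len(ents):
        return "fully-encrypted"
    if high == 0:
        return "plaintext"
    return "intermittent"


def build_sample(chunk_size: int = CHUNK_SIZE, chunks: int = 8, seed: int = 42) -> bytes:
    """Constructed test file: alternating ciphertext-like and plaintext chunks."""
    rng = random.Random(seed)
    line = b"Quarterly report: revenue up 4%, costs flat. "
    plain = (line * (chunk_size // len(line) + 1))[:chunk_size]
    out = bytearray()
    for i in range(chunks):
        out += rng.randbytes(chunk_size) if i % 2 == 0 else plain
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample()
    print("whole-file entropy:", round(shannon_entropy(sample), 2))
    print("per-chunk:", [round(e, 2) for e in chunk_entropies(sample)])
    print("verdict:", classify(sample))
```

On the constructed sample the whole-file entropy stays below the threshold while the chunked view flags every other window, which is the signal a file-integrity or EDR heuristic should be looking for.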

Researchers also observed improved memory layout and buffer management, with multiple dedicated buffers used for different encryption stages. The updated encryptor continues to target virtualized environments, particularly VMware ESXi, renaming encrypted files with the .emario extension and dropping a standard ransom note across affected directories.

RansomHouse emerged in late 2021 as a data extortion operation before adopting full encryption capabilities and developing MrAgent, a tool designed to lock multiple ESXi hypervisors simultaneously. While the group is considered mid-tier in terms of attack volume, it has consistently evolved its tooling and experimented with multiple ransomware families.

Analysts note that RansomHouse prioritizes efficiency, reliability, and evasion over scale, focusing on improving encryption resilience to gain stronger leverage during ransom negotiations.

The ransom note dropped by the latest RansomHouse variant

The encryption upgrade underscores a broader shift in ransomware development toward more complex, unpredictable, and analysis-resistant mechanisms. Multi-layered encryption is increasingly becoming a standard for groups seeking to maximize impact and minimize the effectiveness of defensive recovery efforts.
