RansomHouse upgrades encryption with multi-layered data processing


The RansomHouse ransomware-as-a-service (RaaS) has recently upgraded its encryptor, switching from a relatively simple single-phase linear technique to a more complex, multi-layered method.

In practice, the upgrades offer stronger encryption results, faster speeds, and better reliability on modern target environments, giving the threat actors more leverage during post-encryption negotiations.

RansomHouse launched in December 2021 as a data extortion cybercrime operation, later adopting encryptors in attacks and developing an automated tool called MrAgent to lock multiple VMware ESXi hypervisors at once.


Recently, it was reported that the threat actors used multiple ransomware families against the Japanese e-commerce giant Askul Corporation.

A new report from researchers at Palo Alto Networks Unit 42 sheds more light on RansomHouse’s toolset, including its latest encryptor variant, dubbed ‘Mario.’

New ‘Mario’ encryptor

RansomHouse’s latest encryptor variant switches from a single-pass file data transformation to a two-stage transformation that leverages two keys, a 32-byte primary and an 8-byte secondary key.

This approach increases the encryption entropy and makes partial data recovery harder.

‘Mario’ generating the two encryption keys (Source: Unit 42)

The second major upgrade is a new file processing strategy that picks chunk sizes dynamically, with a threshold of 8GB, and applies intermittent encryption.

Unit 42 says this makes static analysis more difficult because the processing is non-linear, complex arithmetic determines the processing order, and each file is handled with a distinct approach depending on its size.

Another notable upgrade in ‘Mario’ is an improved memory layout and buffer organization, with multiple dedicated buffers now used, one per encryption stage or role, which adds to the overall complexity.

Finally, the upgraded encryptor now prints more detailed information while processing files, whereas the older variants only reported that the task had completed.

The newer variant still targets VM files and appends the ‘.emario’ extension to encrypted files, dropping a ransom note (How To Restore Your Files.txt) in every impacted directory.

The ransom note dropped by the latest RansomHouse variant (Source: Unit 42)
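As an added defender-side example, not code from the article or from Unit 42's report, the following Python flags the two file-system artifacts the article names (the ‘.emario’ extension and the ransom note filename) and checks a file's per-chunk entropy for the alternating encrypted and plaintext regions that intermittent encryption leaves behind. The chunk size and the entropy thresholds are assumed values chosen for the scan, not anything ‘Mario’ is known to use.

```python
# Added defender-side example; not code from the article or Unit 42. Scans for the
# two artifacts the article names and checks for the entropy pattern of intermittent encryption.
import math
import os
from collections import Counter

RANSOM_NOTE = "How To Restore Your Files.txt"  # ransom note name from the article
ENC_EXT = ".emario"                            # extension from the article
CHUNK = 4096          # assumed scan chunk size; not a value Mario is known to use
HIGH = 7.0            # assumed entropy (bits/byte) above which a chunk looks encrypted
LOW = 5.0             # assumed entropy below which a chunk looks like plaintext

def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def chunk_entropies(data, chunk=CHUNK):
    """Entropy of each fixed-size chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]

def looks_intermittently_encrypted(data, chunk=CHUNK, high=HIGH, low=LOW):
    """True when the file mixes encrypted-looking and plaintext-looking chunks.
    A fully encrypted file (all high) or an untouched file (all low) returns False."""
    ents = chunk_entropies(data, chunk)
    if len(ents) < 2:
        return False
    return any(e >= high for e in ents) and any(e <= low for e in ents)

def classify_name(name):
    """Label a file name by the indicators the article reports, else None."""
    if name == RANSOM_NOTE:
        return "ransom_note"
    if name.lower().endswith(ENC_EXT):
        return "encrypted_ext"
    return None

def scan_tree(root):
    """Walk a directory tree and return (label, path) for every matching file."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            label = classify_name(name)
            if label:
                hits.append((label, os.path.join(dirpath, name)))
    return hits
```

Run `scan_tree` over a suspect share and feed the bytes of any hit to `looks_intermittently_encrypted` to tell partially encrypted files from fully encrypted ones, which matters when scoping recovery.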

Unit 42 concludes that RansomHouse’s encryption upgrade is alarming, signaling “a concerning trajectory in ransomware development,” increasing the difficulty of decryption and making static analysis and reverse engineering harder.

RansomHouse is one of the longer-running RaaS operations, but it remains mid-tier in terms of attack volume. Its continued development of advanced tooling suggests a calculated strategy focused on efficiency and evasion rather than scale.
