
“The upgrade in encryption used by RansomHouse RaaS, going from a simple linear model to a more complex multi-layered approach, signals a concerning trajectory in ransomware development,” Unit 42 researchers said in a blog post. “This demonstrates how threat actors are updating their techniques to enhance effectiveness.”
Researchers described the scale of RansomHouse’s operations as “significant”, with at least 123 victims listed on its data leak site spanning healthcare, finance, transportation, and government.
VMware ESXi-tuned encryption upgrade
The researchers confirmed that RansomHouse is moving away from a linear encryption model toward a multi-stage, dual-key process, which materially complicates decryption or key recovery. They tracked the updated encryptor under the name “Mario,” describing it as the ransomware component for the newly introduced multi-layered process.
