The RansomHouse ransomware-as-a-service (RaaS) has recently upgraded its encryptor, switching from a relatively simple single-phase linear technique to a more complex, multi-layered method.
In practice, the upgrades offer stronger encryption results, faster speeds, and better reliability on modern target environments, giving threat actors stronger leverage during post-encryption negotiations.
RansomHouse launched in December 2021 as a data extortion cybercrime operation, later adopting encryptors in attacks and developing an automated tool called MrAgent to lock multiple VMware ESXi hypervisors at once.
Recently, it was reported that the threat actors used multiple ransomware families against the Japanese e-commerce giant Askul Corporation.
A new report from researchers at Palo Alto Networks Unit 42 sheds more light on RansomHouse’s toolset, including its latest encryptor variant, dubbed ‘Mario.’
New ‘Mario’ encryptor
RansomHouse’s latest encryptor variant switches from a single-pass file data transformation to a two-stage transformation that leverages two keys, a 32-byte primary and an 8-byte secondary key.
This approach increases the encryption entropy and makes partial data recovery harder.
'Mario' generating the two encryption keys
Source: Unit 42
... continue reading