RansomHouse Upgrades Encryption With Multi-layered Data Processing

The RansomHouse ransomware-as-a-service (RaaS) has recently upgraded its encryptor, switching from a relatively simple single-phase linear technique to a more complex, multi-layered method.

In practice, the upgrades offer stronger encryption results, faster speeds, and better reliability on modern target environments, giving threat actors stronger leverage during post-encryption negotiations.

RansomHouse launched in December 2021 as a data extortion cybercrime operation, later adopting encryptors in attacks and developing an automated tool called MrAgent to lock multiple VMware ESXi hypervisors at once.

Recently, it was reported that the threat actors used multiple ransomware families against the Japanese e-commerce giant Askul Corporation.

A new report from researchers at Palo Alto Networks Unit 42 sheds more light on RansomHouse’s toolset, including its latest encryptor variant, dubbed ‘Mario.’

RansomHouse’s latest encryptor variant switches from a single-pass file data transformation to a two-stage transformation that leverages two keys, a 32-byte primary and an 8-byte secondary key.

This approach increases the encryption entropy and makes partial data recovery harder.

The second major upgrade is the introduction of a new file processing strategy that uses dynamic chunk sizing at a threshold of 8GB, with intermittent encryption.

Unit 42 says this makes static analysis more difficult due to its non-linearity, use of complex math to determine the processing order, and the use of distinct approaches for each file based on its size.
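From the defender's side, intermittent encryption leaves files with alternating high-entropy and intact regions, which a per-block entropy profile can surface during triage. The following is an added example, not code from Unit 42 or BleepingComputer; the 4 KiB block size, the 7.5 bits/byte cutoff, the 0.95 ratio and the sample buffers are assumptions chosen for illustration and do not reproduce Mario's chunking logic.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096   # analysis block size in bytes (assumption, not from the report)
HIGH = 7.5     # bits/byte at or above which a block looks encrypted or compressed

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def entropy_profile(data: bytes, block: int = BLOCK) -> list[float]:
    """Entropy of each consecutive block of the buffer."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]

def classify(data: bytes, block: int = BLOCK, high: float = HIGH) -> str:
    """Label a buffer by the share of its blocks that are high-entropy."""
    profile = entropy_profile(data, block)
    if not profile:
        return "empty"
    ratio = sum(e >= high for e in profile) / len(profile)
    if ratio == 0:
        return "plain"
    if ratio >= 0.95:                 # assumed cutoff for "essentially all blocks"
        return "fully-high-entropy"   # full encryption, or a compressed format
    return "intermittent"             # mixed: some regions transformed, some intact

def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler used only to build the samples below."""
    parts = (hashlib.sha256(seed + i.to_bytes(8, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(parts)[:n]

# Constructed samples: a text-like buffer, the same buffer with every other
# block replaced by high-entropy bytes, and a fully high-entropy buffer.
PLAIN = (b"2024-01-01 INFO service started ok\n" * 2000)[:16 * BLOCK]
MIXED = b"".join(
    pseudo_random(BLOCK, bytes([i])) if i % 2 == 0 else PLAIN[i * BLOCK:(i + 1) * BLOCK]
    for i in range(16)
)
FULL = pseudo_random(16 * BLOCK)

if __name__ == "__main__":
    for name, buf in (("plain", PLAIN), ("mixed", MIXED), ("full", FULL)):
        print(name, classify(buf))
```

Compressed archives and media also score as high-entropy, so the label is a triage signal to combine with file type and modification-time evidence rather than a verdict.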

Another notable upgrade in ‘Mario’ is a better memory layout and buffer organization, along with higher complexity: multiple dedicated buffers are now used for each encryption stage or role.

Source: BleepingComputer