Think you can beat ransomware? RansomHouse just made it a lot harder

A recent upgrade to the RansomHouse ransomware operation has added new concerns for enterprise defenders, introducing a multi-layered encryption update to the group’s double-extortion RaaS model.

Also tracked under the cluster Jolly Scorpius, the ransomware gang has transitioned from a simple, single-phase encryption routine to a multi-layered dual-key encryption architecture that increases the complexity of its extortion operations.

Detailed by Palo Alto Networks’ threat intelligence team, the update raises the bar for recovery once systems are compromised. The change affects how files are processed and encrypted during an attack, complicating analysis and limiting defenders’ ability to recover data without paying a ransom.

“The upgrade in encryption used by RansomHouse RaaS, going from a simple linear model to a more complex multi-layered approach, signals a concerning trajectory in ransomware development,” Unit 42 researchers said in a blog post. “This demonstrates how threat actors are updating their techniques to enhance effectiveness.”

Researchers described the scale of RansomHouse’s operations as “significant”, with at least 123 victims listed on its data leak site spanning healthcare, finance, transportation, and government.

VMware ESXi-tuned encryption upgrade

The researchers confirmed that RansomHouse is moving away from a linear encryption model toward a multi-stage, dual-key process, which materially complicates decryption or key recovery. They tracked the updated encryptor under the name “Mario,” describing it as the ransomware component for the newly introduced multi-layered process.

In Unit 42’s reverse engineering of Mario, analysts observed that the upgraded binary generates both a 32-byte primary and an 8-byte secondary encryption key, executing separate encryption passes that interlock.

For enterprises running virtual infrastructure, particularly VMware ESXi hosts, this development represents a pivot toward higher-impact compromise. RansomHouse’s tools specifically target ESXi files and backups, encrypting them with the “e.mario” extension while dropping ransom instructions for payment.

Combined with MrAgent, RansomHouse’s deployment and persistence utility, the RaaS framework impairs both operational continuity and recovery efforts, the researchers noted.

RansomHouse attempts double extortion

Beyond the cryptographic update, RansomHouse leverages a double extortion model, which involves exfiltrating data and threatening public disclosure in addition to encrypting it, to add pressure on victims to pay.

This layered pressure tactic, already a common feature of modern ransomware attacks, complicates incident response timelines and negotiating strategies for corporate security teams.

Unit 42’s disclosure also revealed that RansomHouse operates with a modular attack chain separating operators (tool developers and leak managers) from attackers/affiliates (those who gain access and deploy the ransomware). This model allows the RaaS to scale and adapt, even as individual affiliates rotate or rebrand.

The disclosure noted that detection strategies that rely solely on static signatures are increasingly insufficient against ransomware like RansomHouse that uses dynamic, chunked encryption with multi-phase execution. Investing in behavioral analytics, real-time monitoring, hardened segmentation, and regular backup validation remains essential. Unit 42 has published indicators of compromise (file hashes, file extensions, and ransom note artifacts) tied to the updated RansomHouse tooling, urging enterprises to proactively hunt for related activity across affected endpoints and virtualized environments.
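As an added illustration of the hunting the article recommends (this is example code written for this page, not Unit 42's tooling or anything from the RansomHouse research), the script below walks a directory tree such as a mounted ESXi datastore and reports files carrying the "e.mario" extension named above, any ransom-note filenames the operator supplies, and directories where the share of renamed files is high enough to suggest an encryption pass rather than a stray file. The ransom-note filename is a placeholder, since the article does not give it; substitute the names from Unit 42's published IoC list. The sample tree it builds is constructed data for a self-contained run.

```python
"""Added example, not from the article or from Unit 42: a small IoC hunt for the
".e.mario" file extension the article attributes to the RansomHouse "Mario"
encryptor, plus ransom-note filenames and per-directory impact ratios."""
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".e.mario"  # extension named in the article

# ASSUMPTION / placeholder: the article does not name the ransom note file.
# Replace with the ransom-note artifact names from Unit 42's IoC publication.
RANSOM_NOTE_NAMES = {"RANSOM_NOTE_PLACEHOLDER.txt"}

# Directories where at least this fraction of files were renamed are flagged;
# a single odd file is noise, a datastore folder that is mostly renamed is not.
IMPACT_THRESHOLD = 0.5


def hunt(root):
    """Walk `root` and return encrypted-file paths, ransom-note paths and the
    directories whose encrypted-file ratio meets IMPACT_THRESHOLD."""
    encrypted, notes = [], []
    total_per_dir, enc_per_dir = Counter(), Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            total_per_dir[dirpath] += 1
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                enc_per_dir[dirpath] += 1
            elif name in RANSOM_NOTE_NAMES:
                notes.append(path)
    impacted = {
        d: enc_per_dir[d] / total_per_dir[d]
        for d in enc_per_dir
        if enc_per_dir[d] / total_per_dir[d] >= IMPACT_THRESHOLD
    }
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "impacted_dirs": impacted,
    }


def make_sample_root():
    """Constructed sample data: a fake datastore with one VM folder that is
    mostly renamed, one untouched folder, and a placeholder ransom note."""
    base = tempfile.mkdtemp(prefix="mario_hunt_")
    vm_hit = os.path.join(base, "datastore1", "vm01")
    vm_ok = os.path.join(base, "datastore1", "vm02")
    os.makedirs(vm_hit)
    os.makedirs(vm_ok)
    for fname in ("vm01.vmdk.e.mario", "vm01.vmx.e.mario", "vm01.log"):
        open(os.path.join(vm_hit, fname), "wb").close()
    for fname in ("vm02.vmdk", "vm02.vmx"):
        open(os.path.join(vm_ok, fname), "wb").close()
    open(os.path.join(base, "datastore1", "RANSOM_NOTE_PLACEHOLDER.txt"), "w").close()
    return base


if __name__ == "__main__":
    import json
    print(json.dumps(hunt(make_sample_root()), indent=2))
```

Run it against a real datastore mount or backup repository by calling `hunt("/vmfs/volumes")` (or the equivalent path); the impact ratio is what separates a directory hit by an encryption pass from an isolated suspicious file, which is the behavioral angle the article favours over a pure filename match.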
