RansomHouse Malware Upgrades Its New “Mario” Tool With Multi-Layer Encryption, Making Recovery More Difficult


539/68 Monday, December 22, 2025

RansomHouse, a ransomware group operating under a Ransomware-as-a-Service (RaaS) model, has been observed upgrading its file-encryption tool from a single-stage process to a more complex multi-layer encryption scheme. The new approach uses two encryption keys, a 32-byte primary key and an 8-byte secondary key, which significantly increases encryption complexity, reduces the chances of data recovery, and improves speed and stability in modern system environments.

The new version, dubbed “Mario,” introduces changes to file-handling strategies by processing files in chunks with dynamic block sizes. For files larger than 8 GB, it combines this approach with intermittent encryption, making direct code inspection and analysis more difficult. This is due to non-linear processing sequences, more complex calculations, and different encryption methods applied based on file size. The encryption process also involves more sophisticated memory management and temporary storage handling at each stage.

The latest encryptor specifically targets virtualized environments, particularly virtual machine (VM) files. Encrypted files are renamed with the .emario extension, and a ransom note titled “How To Restore Your Files.txt” is dropped in every affected directory.
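
A defender-side triage sketch for the two indicators named above (the .emario extension and the ransom note file name), added here as an example and not taken from the source article. The /vmstore paths and the status labels are constructed for illustration, and matching the indicators case-insensitively is a choice of this example.

```python
import os
from pathlib import PurePosixPath

# Indicators as reported in the article above.
ENCRYPTED_SUFFIX = ".emario"
RANSOM_NOTE = "how to restore your files.txt"  # compared case-insensitively

def triage(paths):
    """Map each directory with a hit to its note flag and renamed files."""
    hits = {}
    for raw in paths:
        p = PurePosixPath(raw.replace("\\", "/"))  # accept Windows-style paths too
        name = p.name.lower()
        is_note = name == RANSOM_NOTE
        if not (is_note or name.endswith(ENCRYPTED_SUFFIX)):
            continue
        entry = hits.setdefault(str(p.parent), {"note": False, "encrypted": []})
        if is_note:
            entry["note"] = True
        else:
            entry["encrypted"].append(p.name)
    # Label each directory so responders can sort by what was actually found.
    for entry in hits.values():
        if entry["note"] and entry["encrypted"]:
            entry["status"] = "note+encrypted"
        elif entry["encrypted"]:
            entry["status"] = "encrypted-only"
        else:
            entry["status"] = "note-only"
    return hits

def list_files(root):
    """Yield every file path under root (for running against a real mount)."""
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            yield os.path.join(dirpath, f)

# Constructed sample listing, not taken from a real incident.
SAMPLE = [
    "/vmstore/web01/web01.vmdk.emario",
    "/vmstore/web01/web01.vmx.emario",
    "/vmstore/web01/How To Restore Your Files.txt",
    "/vmstore/db01/db01.vmdk.EMARIO",
    "/vmstore/iso/How To Restore Your Files.txt",
    "/vmstore/ok01/ok01.vmdk",
]

if __name__ == "__main__":
    for directory, info in sorted(triage(SAMPLE).items()):
        print(directory, info["status"], len(info["encrypted"]))
```

To scan a mounted datastore or backup copy, pass `list_files(root)` to `triage` instead of the sample listing.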

Researchers warn that this upgrade reflects a troubling trend in ransomware development, where attackers focus on making decryption and reverse engineering increasingly difficult. This indicates a strategic shift toward improving efficiency and evasion capabilities rather than simply increasing the volume of attacks.

Source: https://www.bleepingcomputer.com/news/security/ransomhouse-upgrades-encryption-with-multi-layered-data-processing/