RansomHouse upgrades encryptor with multi-layered processing
🔒 RansomHouse has upgraded its encryptor to a multi-layered variant called 'Mario', shifting from a single-pass linear transform to a two-stage process that uses a 32-byte primary key and an 8-byte secondary key. The change increases entropy, speeds processing, and aims to improve reliability on modern targets. It also introduces dynamic chunk sizing with intermittent encryption for files over 8GB, complicating static analysis. The updated binary targets VM files, appends the .emario extension, drops a How To Restore Your Files.txt ransom note, and Unit 42 warns this upgrade makes decryption and reverse engineering notably harder.
