Level Up: RansomHouse Deploys the “Mario” Encryptor to Crush ESXi Hypervisors
The group behind one of the most notorious ransomware distribution services, RansomHouse, has significantly strengthened the technical sophistication of its attacks. According to analysts, the cybercriminals have introduced an updated encryption tool distinguished by a more complex architecture and expanded functionality. The changes affect both the file-processing algorithm itself and the techniques designed to hinder subsequent analysis.
RansomHouse has been active since late 2021, initially focusing on data leaks before shifting toward the widespread deployment of encryption-based attacks. The operation has evolved steadily, including the introduction of the MrAgent utility for mass disruption of VMware ESXi hypervisors. One of the most recent high-profile incidents involved the use of multiple ransomware variants against the Japanese e-commerce company Askul.
A recent report from Palo Alto Networks’ Unit 42 team details a new encryptor variant dubbed “Mario.” Unlike earlier versions that relied on single-stage processing, this updated iteration employs a two-phase approach using two keys—a primary 32-byte key and an auxiliary 8-byte key. This design substantially increases cryptographic strength and makes data recovery attempts far more difficult.
Additional protection is provided by a redesigned file-processing mechanism. Instead of a linear scheme, the encryptor now uses dynamic block segmentation with an 8 GB threshold and partial encryption. How each file is segmented and handled depends on its size and is calculated through complex mathematical operations. This approach complicates static analysis and renders the encryptor’s behavior far less predictable.
The memory management model has also been overhauled: separate buffers are now allocated for each stage of encryption. This makes the code harder to follow and reduces the likelihood that its behavior is recognized during analysis. Moreover, the new version outputs more detailed information while processing files, whereas earlier builds were limited to a simple completion message.
Virtual machine files remain the primary targets of the attacks and are renamed with the “.emario” extension once encrypted. Each affected directory contains a ransom note with instructions for restoring access to the data.
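As an added example (not code from Unit 42's report or from RansomHouse tooling), the following triage script walks a copy of an ESXi datastore and groups the two indicators the article names, the “.emario” extension and a ransom note in each affected directory, reporting which directories had VM files renamed, which of those carry a note, and which encrypted files exceed the 8 GB threshold where only partial encryption is expected. The ransom note filename and the set of VM file extensions are assumptions.

```python
import os
from pathlib import Path

ENCRYPTED_EXT = ".emario"            # extension the report attributes to files encrypted by "Mario"
NOTE_NAME = "RANSOM_NOTE.txt"        # placeholder: the report does not state the note's filename
LARGE_THRESHOLD = 8 * 1024 ** 3      # 8 GB segmentation threshold mentioned in the report
VM_FILE_EXTS = {".vmdk", ".vmx", ".vmsn", ".vmem", ".vswp", ".nvram"}  # assumed VM file types


def triage_datastore(root, note_name=NOTE_NAME, large_threshold=LARGE_THRESHOLD):
    """Walk a datastore tree and group indicators per directory.

    Returns a dict keyed by directory path. Each value lists the encrypted
    files found there, which of them were VM files, whether a ransom note is
    present, and which encrypted files are at or above the 8 GB threshold
    (where only partial encryption is expected, so an intact-looking header
    does not mean the file is clean).
    """
    report = {}
    for dirpath, _, filenames in os.walk(root):
        entry = {"encrypted": [], "vm_files_hit": [], "note": False, "over_threshold": []}
        for name in filenames:
            path = Path(dirpath) / name
            if name == note_name:
                entry["note"] = True
                continue
            if name.endswith(ENCRYPTED_EXT):
                entry["encrypted"].append(name)
                # Recover the original extension by stripping the appended ".emario"
                original_ext = Path(name[: -len(ENCRYPTED_EXT)]).suffix.lower()
                if original_ext in VM_FILE_EXTS:
                    entry["vm_files_hit"].append(name)
                if path.stat().st_size >= large_threshold:
                    entry["over_threshold"].append(name)
        if entry["encrypted"] or entry["note"]:
            report[dirpath] = entry
    return report


def summarize(report):
    """Roll the per-directory report up into counts an analyst can act on."""
    return {
        "dirs_hit": len(report),
        "encrypted_files": sum(len(e["encrypted"]) for e in report.values()),
        "vm_files_hit": sum(len(e["vm_files_hit"]) for e in report.values()),
        "dirs_with_note": sum(1 for e in report.values() if e["note"]),
        # Directories with encrypted files but no note may indicate an interrupted run
        "dirs_missing_note": [d for d, e in report.items() if e["encrypted"] and not e["note"]],
    }
```

Run it against a read-only mount or forensic copy of the datastore, never the live host, so timestamps and notes are preserved as evidence.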
Unit 42 researchers warn that this evolution of the RansomHouse encryptor is a troubling signal. The heightened complexity not only impedes decryption but also significantly complicates sample analysis, pointing to a deliberate strategy that prioritizes efficiency and stealth over sheer scale.