Ransom Note | Image: Unit 42
Jolly Scorpius, the cybercriminal group behind the notorious RansomHouse operation, has rolled out a major overhaul of its encryption engine, ditching its previously simple tactics for a complex, multi-layered attack method designed to baffle security researchers and lock down victim data tighter than ever before.
A new analysis by Unit 42 researchers reveals that the group has upgraded its core binary—dubbed “Mario”—transforming it from a basic threat into a highly adaptive weapon.
For years, RansomHouse (a Ransomware-as-a-Service operation) was known for a relatively straightforward approach to locking files. That has changed. The latest samples of their “Mario” malware show a shift away from simple linear encryption to a sophisticated new methodology.
“The upgrade in encryption used by RansomHouse RaaS, going from a simple linear model to a more complex multi-layered approach, signals a concerning trajectory in ransomware development,” the report states.
The new “Mario” no longer encrypts a file in one predictable linear pass. It processes each file in chunks, and the chunk sizes are set dynamically rather than fixed, so the layout of what gets encrypted and where is no longer predictable. That makes static analysis and reverse engineering of the encryption routine significantly more challenging for defenders, and any recovery tooling that assumes a fixed layout has nothing to anchor on.
Perhaps the most alarming feature of this upgrade is the introduction of a dual-key system. Borrowing a pattern from legitimate security protocols, the attackers have implemented what amounts to a two-factor scheme for decryption: two independent keys are both required to recover a file.
According to the report, this mechanism “significantly increases the difficulty of decryption without both keys”. In practice, even if defenders manage to recover one of the two keys, the data remains cryptographically sealed, which hardens the ransom capability against decryption and recovery tools.
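To make the two properties above concrete (chunked processing with dynamic chunk sizes, and a dual-key requirement), here is an added illustration that is not Unit 42's analysis and not Mario's code. Unit 42 does not publish the malware's construction, so the toy below assumes one plausible shape: the chunk boundaries are derived from the data key, and the data key is derived from both of two independent keys, so holding either key alone recovers nothing. The keystream is SHA-256 in counter mode purely for illustration, not a real cipher, and the sample plaintext and keys are constructed.

```python
import hashlib
import hmac
import struct

# Added toy example: assumed construction, NOT the malware's real scheme.
# SHA-256 in counter mode stands in for a cipher; do not use this for real data.


def derive_data_key(key_a: bytes, key_b: bytes) -> bytes:
    """Combine two independent keys so that neither alone determines the result.

    HMAC(key_a, key_b): recovering the data key from one of the two keys still
    requires the other in full. This is the 'dual-key' property the report
    describes (assumption: this shape, not necessarily Mario's construction).
    """
    return hmac.new(key_a, key_b, hashlib.sha256).digest()


def chunk_sizes(data_key: bytes, total: int, lo: int = 64, hi: int = 4096) -> list:
    """Chunk boundaries derived from the data key, so they differ per key/file.

    A recovery tool that assumes a fixed stride cannot find the boundaries
    without the key ('chunked processing with dynamic sizing').
    """
    sizes, remaining, i = [], total, 0
    while remaining > 0:
        h = hashlib.sha256(data_key + b"layout" + struct.pack(">Q", i)).digest()
        size = min(lo + int.from_bytes(h[:4], "big") % (hi - lo + 1), remaining)
        sizes.append(size)
        remaining -= size
        i += 1
    return sizes


def _keystream(data_key: bytes, chunk_index: int, length: int) -> bytes:
    """Per-chunk keystream: SHA-256 over (data_key, chunk index, counter)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(data_key + struct.pack(">QQ", chunk_index, counter)).digest()
        counter += 1
    return bytes(out[:length])


def transform(data: bytes, key_a: bytes, key_b: bytes) -> bytes:
    """Encrypt, or decrypt (XOR is symmetric), in key-dependent chunks."""
    data_key = derive_data_key(key_a, key_b)
    out, offset = bytearray(), 0
    for idx, size in enumerate(chunk_sizes(data_key, len(data))):
        chunk = data[offset:offset + size]
        out += bytes(p ^ k for p, k in zip(chunk, _keystream(data_key, idx, size)))
        offset += size
    return bytes(out)


def demo() -> dict:
    """Round trip with both keys, then a decryption attempt with only one key."""
    plaintext = b"Quarterly ledger: ACME Corp\n" * 400          # constructed, ~11 KB
    key_a = hashlib.sha256(b"example per-victim key").digest()  # constructed
    key_b = hashlib.sha256(b"example per-file key").digest()    # constructed

    ciphertext = transform(plaintext, key_a, key_b)
    with_both = transform(ciphertext, key_a, key_b)
    with_a_only = transform(ciphertext, key_a, bytes(32))       # key_b unknown

    sizes = chunk_sizes(derive_data_key(key_a, key_b), len(plaintext))
    return {
        "round_trip": with_both == plaintext,
        "one_key_recovers": with_a_only == plaintext,
        "chunks": len(sizes),
        "sizes_vary": len(set(sizes)) > 1,
    }


if __name__ == "__main__":
    print(demo())
```

The point for defenders is in the last two fields: the chunk layout is unguessable without the key, and a decryption attempt that has one correct key and a wrong second key produces garbage rather than a partially recovered file.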
Jolly Scorpius is not a new player. Since December 2021, the group has claimed at least 123 victims on their data leak site, disrupting critical sectors including “healthcare, finance, transportation and government”. Their strategy is a classic “double extortion” model: stealing sensitive data and threatening to leak it while simultaneously encrypting the victim’s systems.
This technical leap suggests that the group is investing heavily in R&D to stay ahead of endpoint detection systems. The upgrade isn’t just a patch; it’s a statement of intent.
“Threat actors could view this as a useful path for future ransomware variants,” researchers warned. “As other ransomware groups adopt these more sophisticated methods, the ransomware threat landscape will become more resilient to security controls”.
The evolution of RansomHouse serves as a stark reminder that cybercriminals are constantly refining their tradecraft. Security teams relying on static defenses against known behaviors may find themselves outmaneuvered by this new generation of adaptive threats.
As the report concludes: “This upgrade underscores the need to adopt more dynamic, adaptive strategies capable of countering the next generation of complex and evasive threats”.