RansomHouse Mario encryptor, law enforcement actions, fraud document markets, cybercrime prosecutions
Daily Threat Intel Digest - 2025-12-21
Threat Actor Activity & Campaigns
[NEW] RansomHouse RaaS unveils “Mario” encryptor with multi-layered data processing
The RansomHouse ransomware-as-a-service (RaaS) group has significantly upgraded its encryptor, making data recovery and analysis substantially more difficult for defenders. Dubbed “Mario” by researchers at Palo Alto Networks Unit 42, the new encryptor replaces the previous single-pass encryption with a more complex two-stage process using both a 32-byte primary and an 8-byte secondary key (source: RansomHouse upgrades encryption with multi-layered data processing). This multi-layered approach increases encryption entropy, hindering partial data recovery efforts. The update also introduces a new file processing strategy with dynamic chunk sizing for files over 8 GB and intermittent encryption, a technique designed to thwart static analysis by creating non-linear processing patterns (source: RansomHouse upgrades encryption with multi-layered data processing). This evolution signals a deliberate shift by RansomHouse from scale to efficiency and evasion, increasing pressure on victims during negotiations and complicating incident response for targeted organizations. The new variant continues to target VM files and renames encrypted data with a .emario extension (source: RansomHouse upgrades encryption with multi-layered data processing).
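For incident-response triage of the intermittent encryption described above, a per-block entropy map shows which regions of a file still look like plaintext. This is an added example, not code from Unit 42 or from this digest; the 4096-byte window, the 7.5 bits/byte threshold and the sample bytes are assumptions constructed for illustration and are not the encryptor's actual parameters.

```python
import math
import random
from collections import Counter

BLOCK = 4096  # assumed analysis window; NOT the encryptor's real chunk size
HIGH = 7.5    # assumed bits/byte threshold above which a block "looks encrypted"

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(data: bytes, block: int = BLOCK, high: float = HIGH):
    """Return (verdict, low_entropy_ranges) for one file's bytes.

    verdict is "full", "intermittent" or "clear"; the ranges are merged
    (offset, length) spans that still look like plaintext.
    """
    flags = [shannon_entropy(data[i:i + block]) >= high
             for i in range(0, len(data), block)]
    if not flags:
        return "clear", []
    ranges = []
    for idx, encrypted in enumerate(flags):
        if encrypted:
            continue
        off = idx * block
        length = min(block, len(data) - off)
        if ranges and sum(ranges[-1]) == off:   # adjacent: extend last span
            ranges[-1] = (ranges[-1][0], ranges[-1][1] + length)
        else:
            ranges.append((off, length))
    verdict = "full" if all(flags) else "intermittent" if any(flags) else "clear"
    return verdict, ranges

def constructed_sample() -> bytes:
    """Constructed test input: pseudo-random blocks stand in for ciphertext."""
    rng = random.Random(2025)
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    text = (b"constructed plaintext record; " * 200)[:BLOCK]
    return rand(BLOCK) + text + text + rand(BLOCK) + text

if __name__ == "__main__":
    verdict, spans = classify(constructed_sample())
    print(verdict, spans)
```

Compressed and media formats are also high-entropy, so run this on files already flagged (for example by the .emario rename) rather than as a standalone detector. A final block much shorter than the window cannot reach the threshold and is reported as a low-entropy span.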
Policy & Industry News
[NEW] International law enforcement actions disrupt cybercrime operations
A series of successful legal actions highlights ongoing efforts to dismantle cybercrime infrastructure and prosecute actors. U.S. authorities have charged an individual for operating online marketplaces that sold fraudulent documents like Montana driver's licenses and passports, directly supporting cybercrime operations such as account takeovers and financial fraud (source: Man Charged with Operating Online Marketplaces Selling Fraudulent Montana Driver's Licenses and Other Identity Documents Used by Cybercriminals). Separately, a Nigerian national was convicted by a federal jury on charges of wire fraud, aggravated identity theft, and unauthorized computer access following his extradition from Ghana, showcasing the reach of international cooperation (source: Nigerian National Convicted by Federal Jury of Wire Fraud, Aggravated Identity Theft, and Unauthorized Access to Protected Computer). Finally, a Ukrainian national pleaded guilty to conspiracy charges for his role in deploying Nefilim ransomware against companies globally, holding him accountable for significant disruption to victim organizations (source: Ukrainian National Pleads Guilty to Conspiracy to Use Nefilim Ransomware to Attack Companies in the United States and Other Countries).
Quick Hits
- U.S. authorities have charged an individual for operating online marketplaces that sold fraudulent documents like Montana driver's licenses and passports, directly supporting cybercrime operations (source: Man Charged with Operating Online Marketplaces Selling Fraudulent Montana Driver's Licenses and Other Identity Documents Used by Cybercriminals).
- A Nigerian national has been convicted by a federal jury on charges of wire fraud, aggravated identity theft, and unauthorized computer access following his extradition from Ghana (source: Nigerian National Convicted by Federal Jury of Wire Fraud, Aggravated Identity Theft, and Unauthorized Access to Protected Computer).
- A Ukrainian national has pleaded guilty to conspiracy charges for his role in deploying Nefilim ransomware against companies in the United States and other countries (source: Ukrainian National Pleads Guilty to Conspiracy to Use Nefilim Ransomware to Attack Companies in the United States and Other Countries).