RansomHouse Mario encryptor upgrade

Malware Activity
H score 24
1 unique source, 1 article

Summary

The RansomHouse ransomware operation has upgraded its Mario encryptor to a multi-layered design, making decryption and static analysis harder. The new variant uses a two-stage transformation with a 32-byte primary key and an 8-byte secondary key. It still targets VM files, appends the .emario extension, and drops How To Restore Your Files.txt in impacted directories. The changes improve encryption strength and reliability while giving operators more leverage during post-encryption negotiations.

Related Happenings

Vect ransomware flawed ChaCha20 implementation destroys large files

Technical Analysis
First: 29.04.2026 13:45 Last: 29.04.2026 13:45 Sources 1

About this happening: **Vect 2.0 ransomware** was shown to use **raw ChaCha20-IETF (RFC 8439)** without authentication, causing files above **128 KB** to be permanently destroyed across **Windows, Linu...

VECT 2.0 ransomware-branded file destruction malware

Malware Activity
First: 28.04.2026 17:01 Last: 28.04.2026 17:01 Sources 1

About this happening: The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...

TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns

Threat Actor Meta
First: 31.03.2026 15:15 Last: 31.03.2026 15:15 Sources 1

About this happening: TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...

Vect ransomware activity with cross-platform encryption and double extortion

Malware Activity
First: 03.02.2026 16:00 Last: 03.02.2026 16:00 Sources 1

About this happening: Security researchers say **Vect** is a new **ransomware-as-a-service (RaaS)** operation that has already claimed victims in **Brazil** and **South Africa**. Its malware targets **...

CyberVolk VolkLocker RaaS debut targeting Linux/VMware ESXi and Windows

Malware Activity
First: 13.12.2025 17:11 Last: 13.12.2025 17:11 Sources 1

About this happening: **CyberVolk** expanded its **VolkLocker** ransomware operation in **August 2025**, putting **Linux/VMware ESXi** and **Windows** environments at risk. The malware’s **Golang timer...

Timeline

  1. 20.12.2025 17:23 2 articles · 5mo ago

    RansomHouse Mario encryptor upgrade analysis

    Technical Analysis Update

    RansomHouse’s Mario ransomware encryptor was upgraded from a single-pass file data transformation to a two-stage, multi-layered design that uses a 32-byte primary key and an 8-byte secondary key, dynamic chunk sizing at an 8GB threshold, intermittent encryption, and more complex memory and buffer organization. The variant still targets VM files, renames encrypted files with the .emario extension, and drops How To Restore Your Files.txt, while Unit 42 says the changes make static analysis, reverse engineering, and decryption harder and increase leverage in post-encryption negotiations.