An Upgrade in RansomHouse Encryption

From Linear to Complex: An Upgrade in RansomHouse Encryption unit42.paloaltonetworks.com/ransomhou…

RansomHouse is a ransomware-as-a-service (RaaS) operation run by a group that we track as Jolly Scorpius. Recent samples of the binaries used in RansomHouse operations reveal a significant upgrade in encryption. This article explores the upgrade to RansomHouse encryption and its potential impact for defenders.

Jolly Scorpius uses a double extortion strategy. This strategy combines stealing and encrypting a victim’s data with threats to leak the stolen data.

The scale of the group’s operations is significant. At the time of this article, at least 123 victims were listed on the RansomHouse data leak site as having their data disclosed or sold since December 2021.

This group has disrupted critical sectors including healthcare, finance, transportation and government. The consequences of these intrusions include significant financial losses, major data breaches and erosion of public trust in the affected organizations.

To better understand RansomHouse operations, we review its attack chain. We also examine the upgrade to this ransomware’s encryption from a simple, single-phase linear technique to a more complex, multi-layered method.

Edward Kiledjian @ekiledjian