From Linear to Complex: An Upgrade in RansomHouse Encryption

    Date: 12/18/2025

    Severity: High

    Summary

RansomHouse is a ransomware-as-a-service operation run by the group tracked as Jolly Scorpius. Recent malware samples show a major upgrade in the group's encryption capabilities, and the Unit 42 analysis referenced below examines those changes and their implications for defenders. Jolly Scorpius employs a double extortion model, combining data theft with file encryption. Since December 2021, at least 123 victims have been exposed on the RansomHouse leak site. The group has impacted critical sectors, causing financial losses, data breaches, and loss of public trust.

    Indicators of Compromise (IOC) List

SHA-256 hashes:

    0fe7fcc66726f8f2daed29b807d1da3c531ec004925625855f8889950d0d24d8

    d36afcfe1ae2c3e6669878e6f9310a04fb6c8af525d17c4ffa8b510459d7dd4d

    26b3c1269064ba1bf2bfdcf2d3d069e939f0e54fc4189e5a5263a49e17872f2a

    8189c708706eb7302d7598aeee8cd6bdb048bf1a6dbe29c59e50f0a39fd53973

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    sha256hash IN ("0fe7fcc66726f8f2daed29b807d1da3c531ec004925625855f8889950d0d24d8","d36afcfe1ae2c3e6669878e6f9310a04fb6c8af525d17c4ffa8b510459d7dd4d","26b3c1269064ba1bf2bfdcf2d3d069e939f0e54fc4189e5a5263a49e17872f2a","8189c708706eb7302d7598aeee8cd6bdb048bf1a6dbe29c59e50f0a39fd53973")
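The query above matches the four sample hashes in the Gurucul TDIR platform. For hosts that are not feeding a SIEM, the same check can be run locally. The script below is an added example, not part of the original advisory or of any Gurucul or Unit 42 tooling: it walks a directory tree, hashes each regular file in chunks, and reports any file whose SHA-256 is in the advisory's IOC set. The IOC values are the ones listed on this page; the directory paths and the sample bytes are constructed for illustration.

```python
"""Sweep a directory tree for files whose SHA-256 matches a RansomHouse IOC.

Added example (not from the advisory or the vendors it cites). The IOC set
below is copied from the advisory; everything else is illustrative.
"""
from __future__ import annotations

import hashlib
import os
from typing import Iterable, Iterator

# SHA-256 hashes published in the advisory (compared case-insensitively).
RANSOMHOUSE_SHA256 = {
    "0fe7fcc66726f8f2daed29b807d1da3c531ec004925625855f8889950d0d24d8",
    "d36afcfe1ae2c3e6669878e6f9310a04fb6c8af525d17c4ffa8b510459d7dd4d",
    "26b3c1269064ba1bf2bfdcf2d3d069e939f0e54fc4189e5a5263a49e17872f2a",
    "8189c708706eb7302d7598aeee8cd6bdb048bf1a6dbe29c59e50f0a39fd53973",
}

HEX_DIGITS = set("0123456789abcdef")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory byte string, as lower-case hex."""
    return hashlib.sha256(data).hexdigest()


def normalize_iocs(iocs: Iterable[str]) -> set[str]:
    """Lower-case and validate every IOC.

    A malformed entry (copy-paste truncation, stray whitespace) would simply
    never match and make a 'clean' sweep meaningless, so reject it loudly.
    """
    out: set[str] = set()
    for h in iocs:
        h = h.strip().lower()
        if len(h) != 64 or not set(h) <= HEX_DIGITS:
            raise ValueError(f"not a SHA-256 hex digest: {h!r}")
        out.add(h)
    return out


def match_digests(entries: Iterable[tuple[str, str]],
                  iocs: Iterable[str]) -> list[tuple[str, str]]:
    """Return (path, digest) for every entry whose digest is in the IOC set."""
    wanted = normalize_iocs(iocs)
    return [(path, d.lower()) for path, d in entries if d.lower() in wanted]


def iter_file_digests(root: str, chunk_size: int = 1 << 20) -> Iterator[tuple[str, str]]:
    """Yield (path, sha256) for regular files under root.

    Symlinks are skipped so a planted link cannot pull in files outside the
    tree, and per-file OSErrors (permissions, file removed mid-walk) are
    skipped rather than aborting the whole sweep.
    """
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                h = hashlib.sha256()
                with open(path, "rb") as f:
                    for chunk in iter(lambda: f.read(chunk_size), b""):
                        h.update(chunk)
                yield path, h.hexdigest()
            except OSError:
                continue


def scan_tree(root: str, iocs: Iterable[str] = RANSOMHOUSE_SHA256) -> list[tuple[str, str]]:
    """Hash every file under root and return the IOC matches."""
    return match_digests(iter_file_digests(root), iocs)


if __name__ == "__main__":
    import sys

    for path, digest in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"MATCH {digest} {path}")
```

Usage: `python sweep.py /path/to/tree`. Hash IOCs only catch these exact builds; a repacked or recompiled sample has a different SHA-256, so treat a clean sweep as absence of these four files, not absence of RansomHouse, and pair it with behavioral detections such as mass file-rename or shadow-copy deletion.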

    Reference:  

    https://unit42.paloaltonetworks.com/ransomhouse-encryption-upgrade/


    Tags

Malware, Threat Actor, Ransomware, Jolly Scorpius, Critical Infrastructure, Financial Services


