Shanya is the latest in an emerging field of packing malware, selling obfuscation functionality in order to help ransomware actors reach their target.

December 10, 2025 | By Alexander Culafi

You may be familiar with ransomware-as-a-service (RaaS), but now there's also packer-as-a-service.
Security vendor Sophos on Dec. 6 published research on "Shanya," a packer-as-a-service family that augments ransomware so it can avoid anti-malware software. While ransomware-as-a-service provides low-level attackers with extortion malware they might not be able to create otherwise, packers-as-a-service (PaaS) provide a shell around pre-existing ransomware that acts as an extra layer of obfuscation.
Shanya covers ground previously paved by PaaS operation HeartCrypt, which over the past year has firmly entrenched itself in the modern ransomware ecosystem. Sophos' Gabor Szappanos and Steeve Gaudreault say Shanya is "already favored by ransomware groups and taking over (to some degree) the role that HeartCrypt has played in the ransomware toolkit."