RansomHouse RaaS: Double Extortion Upgrade

December 18, 2025 Faeem BLOGS 0

The RansomHouse ransomware-as-a-service (RaaS) platform, operated by the group Jolly Scorpius, has introduced a double extortion strategy that combines data theft with encryption, intensifying pressure on victims to pay.

Key Findings

  • Active since: December 2021.
  • Victims: At least 123 organizations across healthcare, finance, transportation, and government.
  • Attack chain:
    • Initial access via spear-phishing or exploitation of vulnerable systems.
    • Lateral movement to identify critical infrastructure and valuable data.
    • Deployment of specialized tools to maximize impact in virtualized environments.
  • Targeting: Focus on VMware ESXi hypervisors, enabling mass encryption of virtual machines for maximum disruption.

Technical Machinery

  • MrAgent (management tool):
    • Persistent C2 connections.
    • Automates ransomware deployment across ESXi.
    • Handles host identification, firewall disabling, and orchestration of encryption.
  • Mario (encryptor):
    • Upgraded version: Two-stage encryption using primary + secondary keys.
    • Sparse encryption: Encrypts specific file blocks at calculated offsets, complicating static analysis.
    • Non-linear processing: Uses mathematical formulas to determine chunk order based on file size.
    • Targets: Virtualization-specific files (VMDK, VMEM, VMSD, VMSN, VSWP) and Veeam backup files.

Impact

  • Operational disruption: ESXi compromise cascades across dozens/hundreds of VMs.
  • Negotiation leverage: Victims face both data theft exposure and encrypted infrastructure.
  • Decryption difficulty: Two-stage + sparse encryption makes recovery harder without paying ransom.

Defensive Measures

  • For enterprises:
    • Harden ESXi environments; restrict management interfaces to trusted networks.
    • Apply latest VMware patches and disable unused services.
    • Monitor for MrAgent-like persistence and unusual firewall changes.
    • Protect backups: enforce immutability, offline storage, and test restoration.
    • Deploy EDR/XDR capable of detecting sparse encryption patterns and anomalous PowerShell/VMware commands.
  • For SOC teams:
    • Hunt for suspicious lateral movement tied to credential theft.
    • Monitor for unusual access to VMDK/Veeam files.
    • Detect sparse encryption activity (non-linear file block access).
    • Correlate ransomware deployment attempts with C2 beaconing.

Takeaway

RansomHouse’s evolution shows how RaaS groups are professionalizing operations, separating roles across operators, attackers, and infrastructure providers. By combining data theft with advanced ESXi-targeted encryption, they maximize leverage in negotiations and complicate recovery.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.