RansomHouse Ransomware Upgrade: From Linear to Complex Encryption (2026)

From Linear to Complex: Upgrading RansomHouse Encryption

Executive Overview
RansomHouse operates as a ransomware-as-a-service (RaaS) outfit linked to a group we track as Jolly Scorpius. Recent samples tied to RansomHouse reveal a substantial enhancement in their encryption approach. This write-up breaks down the encryption upgrade and what it means for defenders.

Jolly Scorpius employs a double-extortion model: they steal data, encrypt it, and threaten to publish the exfiltrated information unless a ransom is paid.

The group runs at scale: as of this report, at least 123 victims appear on the RansomHouse data-leak site, with data either disclosed or sold since December 2021.

Their campaigns have disrupted critical sectors—healthcare, finance, transportation, and government—producing heavy financial losses, major breaches, and a deterioration of public trust in affected entities.

To understand RansomHouse more fully, we map its attack sequence and compare the encryption technique’s evolution—from a basic, single-pass linear method to a sophisticated, multi-layered scheme.

Defender-Focused Protections
Palo Alto Networks offers several layers of defense to mitigate these threats:
- Advanced WildFire
- Cortex Xpanse with the ASM add-on for XSIAM
If you suspect you’ve been compromised or need urgent assistance, reach Unit 42 Incident Response through the contact portal.

Related topics: Ransomware, ESXi

Actor Roles and the Attack Sequence
Despite portraying itself as an entity that exposes corporate weaknesses, Jolly Scorpius operates as a straightforward extortion venture. To illuminate RansomHouse in practical terms, we identify three roles, outline distinct phases of the attack chain, and show how these roles interact.

The RansomHouse chain comprises three roles:
- Operator: Maintains the RaaS platform and tools, oversees the data-leak site, and manages ransom collection infrastructure.
- Attacker: The affiliate who carries out intrusions, data exfiltration, and ransomware deployment.
- Victim: The target of the attacker.

Operators typically provide the backend for the service, including encryption tools and the infrastructure that victims negotiate with. They also handle wallets and laundering procedures for ransom payments.

Attackers, often called affiliates, may switch between RaaS programs as opportunities fluctuate. Their duties include gaining initial access, lateral movement, data exfiltration, and ransomware deployment.

RansomHouse attackers have shown a particular focus on VMware ESXi environments, a popular enterprise-grade hypervisor. Compromising ESXi enables attackers to encrypt many virtual machines in one stroke, maximizing disruption.

The RansomHouse model unfolds through four phases, with at least one of the three roles active in each:
1) Develop
2) Infiltrate
3) Exfiltrate and Deploy
4) Extort

Phase 1: Develop
Operators act as backbone suppliers, building the RaaS framework. They typically do not perform the initial intrusions themselves; that work is handed off to affiliates who leverage the services created in this phase.

Phase 2: Infiltrate
Attackers use spear-phishing and other social engineering techniques to breach targets. Other entry routes include exploiting vulnerable systems within the victim’s environment. After gaining access, attackers map the network, escalate privileges, move laterally, and identify valuable data.

Phase 3: Exfiltrate and Deploy
Following access, attackers exfiltrate sensitive information and deploy the ransomware. Data exfiltration often involves compression and transfer to attacker-controlled servers. RansomHouse relies on a modular structure consisting of a management tool and an encryptor.

The two core components are:
- Management tool: MrAgent, which automates and scales ransomware deployments across ESXi environments.
- Encryptor: Mario, which encrypts files and drops a ransom note with recovery instructions.

Phase 4: Extort
After data is stolen and files are encrypted, extortion begins. Operators typically drive this phase, coordinating negotiations in private chat channels and validating threats through public postings on Telegram and the data-leak site.

RansomHouse Components in Attacks
Mario and MrAgent are specifically designed to compromise virtualized infrastructures. In ESXi environments, an attacker deploys MrAgent to establish persistent access and communicate with the attacker’s command-and-control (C2) server. From there, commands are issued to facilitate data exfiltration, followed by Mario deployment to encrypt VM files.

MrAgent: the Deployment Tool
MrAgent serves as the primary operational tool, granting persistent access and scalable host management. Its key capabilities include:
- Identifying hosts and their IPs
- Disabling the firewall
- Maintaining C2 communications

The attacker-controlled command set supports actions ranging from aborting encryption to executing commands on the ESXi host and modifying the ransomware deployment process. Examples include:
- Abort: halt encryption if the hypervisor is in a delay state after reboot
- Config: overwrite deployment configurations
- Exec: start encryption by changing root passwords and initiating VM encryption
- Info: fetch ESXi host details
- Run/Remove/Quit: execute or remove components as needed
- Welcome: set a custom welcome message on the host

These commands allow attackers to direct the encryption flow and adapt to defenses in real time.
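The capabilities listed above (firewall disabled, root password changed, host and IP enumeration, custom welcome message) all leave traces in the ESXi shell log. The following triage script is an added example for this write-up, not RansomHouse code and not a Palo Alto Networks product rule: the log lines are constructed to follow the general shape of ESXi /var/log/shell.log entries (timestamp, process, user, command), and the patterns and the ten-minute correlation window are assumptions derived from the capabilities described, not observed MrAgent behaviour.

```python
"""Triage ESXi shell-log lines for MrAgent-style host manipulation.

Added example for this write-up; not RansomHouse code and not a vendor rule.
Log lines are constructed; rules are assumptions drawn from the capability
list (firewall disabled, root password changed, enumeration, welcome message).
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in the general shape of ESXi shell.log entries.
SAMPLE_LOG = """\
2026-01-14T03:12:08Z shell[2181734]: [root]: esxcli system version get
2026-01-14T03:12:15Z shell[2181734]: [root]: esxcli network ip interface ipv4 get
2026-01-14T03:12:21Z shell[2181734]: [root]: esxcli network firewall set --enabled false
2026-01-14T03:12:40Z shell[2181734]: [root]: passwd root
2026-01-14T03:13:02Z shell[2181734]: [root]: esxcli system welcomemsg set -m "contact us"
2026-01-14T09:45:11Z shell[2190002]: [admin]: esxcli storage filesystem list
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$"
)

# (finding name, severity, pattern applied to the command text); assumed rules
RULES = [
    ("firewall_disabled", "high",
     re.compile(r"esxcli\s+network\s+firewall\s+set\b.*(--enabled|-e)\s+false")),
    ("root_password_changed", "high", re.compile(r"^passwd(\s+root)?\s*$")),
    ("welcome_message_set", "medium", re.compile(r"esxcli\s+system\s+welcomemsg\s+set\b")),
    ("host_enumeration", "low",
     re.compile(r"esxcli\s+(network\s+ip\s+interface|system\s+hostname)\b")),
]


@dataclass
class Finding:
    name: str
    severity: str
    ts: datetime
    pid: str
    user: str
    cmd: str


def parse_line(line: str):
    """Return (timestamp, pid, user, command) or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["pid"], m["user"], m["cmd"]


def triage(log_text: str) -> list:
    """Run every rule over every parsable line and collect findings in log order."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, pid, user, cmd = parsed
        for name, severity, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(name, severity, ts, pid, user, cmd))
    return findings


def correlate(findings: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Escalate shell sessions (by pid) that both disable the firewall and change
    the root password inside the window; the pairing is an assumption, not an
    observed MrAgent signature."""
    by_pid = {}
    for f in findings:
        by_pid.setdefault(f.pid, []).append(f)
    escalated = []
    for pid, fs in by_pid.items():
        latest = {f.name: f for f in fs}
        if "firewall_disabled" in latest and "root_password_changed" in latest:
            gap = abs(latest["root_password_changed"].ts - latest["firewall_disabled"].ts)
            if gap <= window:
                escalated.append(pid)
    return escalated


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts.isoformat()} pid={f.pid} [{f.severity}] {f.name}: {f.cmd}")
    print("escalated sessions:", correlate(found))
```

The single-command rules are noisy on their own (administrators do disable the firewall), which is why the session-level correlation is what should page someone; feed real shell.log exports through `triage()` and tune `RULES` to the commands your own administrators legitimately run.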

Mario: The Encryptor
Mario’s core job is to encrypt critical VM files on the ESXi host. Researchers have identified two Mario variants—an original and an upgraded version—that reveal a progression in encryption sophistication.

The execution flow of Mario is consistent across versions:
1) Create the ransom note
2) Identify target extensions
3) Encrypt files
4) Report statistics

Ransom Note
Mario creates a ransom note named How To Restore Your Files.txt in the directory of encrypted files, guiding victims on recovery options.

Targeted Extensions
Mario scans the specified directory for file types related to virtualization and backup data and excludes common non-targets. Target extensions include OVA, OVF, VBK, VBM, VIB, VMDK, VMEM, VMSD, VMSN, and VSWP, all associated with virtual machines or backups.

File Filtering
To avoid double-encryption, Mario ignores files containing strings like .marion, .emario, .lmario, .nmario, .mmario, and .wmario within their names.

Encryption Process and Progress Reporting
As encryption proceeds, Mario renames files by appending an extension such as .emario and displays progress indicators. A typical post-encryption report lists the counts of encrypted, unencrypted, and skipped files, along with the total file count and the total volume of data encrypted.
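The three naming indicators just described (the target extensions, the marker strings Mario skips on re-runs, and the ransom-note file name) are enough to scope an incident from the datastore alone: which VM and backup files were hit, which targets were left untouched, and where notes were dropped. The script below is an added example for this write-up, not part of the original analysis or any vendor tool; the sample tree, file sizes and paths are constructed in a temporary directory, and the report mirrors the encrypted/unencrypted/skipped counts that Mario itself prints.

```python
"""Scope a Mario encryption run by walking a datastore tree.

Added example for this write-up, not part of the original analysis or any
vendor tool. Uses only indicators given in the write-up: target extensions,
the marker strings skipped on re-runs, and the ransom-note file name.
The sample tree below is constructed; sizes and paths are made up.
"""
import tempfile
from collections import Counter
from pathlib import Path

TARGET_EXTS = {".ova", ".ovf", ".vbk", ".vbm", ".vib",
               ".vmdk", ".vmem", ".vmsd", ".vmsn", ".vswp"}
# Strings Mario skips to avoid double encryption, per the write-up.
MARKERS = (".marion", ".emario", ".lmario", ".nmario", ".mmario", ".wmario")
RANSOM_NOTE = "How To Restore Your Files.txt"


def original_suffix(name: str) -> str:
    """Extension the file had before a marker was appended ('vm1.vmdk.emario' -> '.vmdk')."""
    low = name.lower()
    for marker in MARKERS:
        idx = low.find(marker)
        if idx >= 0:
            return Path(low[:idx]).suffix
    return ""


def classify(path: Path) -> str:
    if path.name == RANSOM_NOTE:
        return "ransom_note"
    if any(marker in path.name.lower() for marker in MARKERS):
        return "encrypted"
    if path.suffix.lower() in TARGET_EXTS:
        return "unencrypted_target"
    return "other"


def triage(root: Path) -> dict:
    """Walk the tree and summarise impact by file class, original extension and note location."""
    counts = Counter()
    hit_exts = Counter()
    encrypted_bytes = 0
    note_dirs = set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        kind = classify(p)
        counts[kind] += 1
        if kind == "encrypted":
            encrypted_bytes += p.stat().st_size
            hit_exts[original_suffix(p.name)] += 1
        elif kind == "ransom_note":
            note_dirs.add(p.parent.relative_to(root).as_posix())
    return {
        "encrypted": counts["encrypted"],
        "unencrypted_target": counts["unencrypted_target"],
        "ransom_note": counts["ransom_note"],
        "other": counts["other"],
        "encrypted_bytes": encrypted_bytes,
        "hit_extensions": dict(hit_exts),
        "note_dirs": sorted(note_dirs),
    }


# Constructed sample datastore: (relative path, size in bytes)
SAMPLE_TREE = [
    ("vm1/vm1.vmdk.emario", 4096),
    ("vm1/vm1.vmsd.emario", 512),
    ("vm1/vm1.vmx", 100),
    ("vm1/" + RANSOM_NOTE, 300),
    ("vm2/vm2.vmdk", 2048),
    ("vm2/vm2.nvram", 64),
    ("backup/job1.vbk.emario", 8192),
    ("backup/" + RANSOM_NOTE, 300),
]


def build_sample_tree(root: Path) -> None:
    for rel, size in SAMPLE_TREE:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\0" * size)


def demo() -> dict:
    """Build the constructed tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point `triage()` at a mounted or copied datastore rather than the live host where possible; the "unencrypted_target" count is the useful number for recovery planning, since those are the VM and backup files that can still be preserved before any cleanup touches the datastore.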

Upgraded Encryption: What Changed
Two Mario versions have been identified: the original and an upgraded variant. A close look at their code blocks reveals a clear shift to a more intricate encryption routine in the newer version.

Key technical differences appear in four areas:
- Encryption logic
- Memory layout and buffering
- File processing approach
- Output/reporting format

Encryption Logic
The original Mario uses a single-pass encryption. The upgraded Mario adopts a two-stage, multi-key approach: a primary key and a secondary key, each applied in sequence to the data. The new scheme uses random values to generate a 32-byte primary key and an 8-byte secondary key, increasing the cryptographic complexity and the challenge of reversal without both keys.

Memory and Buffering
The older version utilizes a relatively simple memory layout and a larger stack frame. The upgraded variant employs a more compact stack frame with multiple buffers dedicated to the primary context, intermediate transformations, the secondary key, and an encrypted-file header. This refined organization supports the layered encryption strategy.

File Processing Strategy
The original Mario processes files linearly in fixed-size chunks up to a maximum boundary and finishes after the final segment. The upgraded Mario instead uses chunk-based processing with dynamic sizing and non-linear progression: it computes chunk sizes and offsets per file and sometimes encrypts only selected blocks, depending on the file’s characteristics.
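The selective, chunk-level processing described above has a direct detection consequence: a file in which only a few blocks were encrypted keeps a low overall entropy, so a file-level entropy check never fires, while a per-chunk scan still flags exactly the touched blocks. The script below is an added example for this write-up, not code from it or from the malware; it models the behaviour only as "some fixed-size regions are replaced with high-entropy bytes" using seeded random data (no cipher), and the chunk size, threshold and sample layout are assumptions.

```python
"""Why selective, chunk-level encryption defeats whole-file entropy checks.

Added example for this write-up, not code from it. Selective-block
encryption is modelled only as fixed-size regions replaced with seeded
random bytes; chunk size, threshold and layout are assumptions.
"""
import math
import random
from collections import Counter

CHUNK = 4096        # assumed scan granularity
THRESHOLD = 7.5     # bits per byte; uniform random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def whole_file_suspicious(data: bytes) -> bool:
    """The naive check: one entropy score for the entire file."""
    return shannon_entropy(data) >= THRESHOLD


def suspicious_chunks(data: bytes, chunk: int = CHUNK) -> list:
    """Indices of chunks whose entropy crosses the threshold."""
    return [i // chunk for i in range(0, len(data), chunk)
            if shannon_entropy(data[i:i + chunk]) >= THRESHOLD]


# Constructed low-entropy filler standing in for guest configuration text.
PLAIN_TEXT = (b"# Constructed guest configuration text, low entropy by design.\n"
              b"guest.name = \"dev-sql-01\"\nguest.cpu = 4\nguest.mem = 8192\n")


def make_sample(total_chunks: int = 16, encrypted=(0, 7), seed: int = 1) -> bytes:
    """Plaintext chunks, with the listed chunk indices replaced by random bytes."""
    rng = random.Random(seed)
    plain = (PLAIN_TEXT * (CHUNK // len(PLAIN_TEXT) + 1))[:CHUNK]
    buf = bytearray(plain * total_chunks)
    for idx in encrypted:
        buf[idx * CHUNK:(idx + 1) * CHUNK] = bytes(rng.getrandbits(8) for _ in range(CHUNK))
    return bytes(buf)


def demo() -> dict:
    """Compare both checks on a fully touched file and a selectively touched one."""
    full = make_sample(encrypted=range(16))    # every chunk replaced (linear model)
    partial = make_sample(encrypted=(0, 7))    # only two chunks replaced (selective model)
    return {
        "full_whole_file": whole_file_suspicious(full),
        "full_chunks": suspicious_chunks(full),
        "partial_whole_file": whole_file_suspicious(partial),
        "partial_chunks": suspicious_chunks(partial),
        "partial_file_entropy": round(shannon_entropy(partial), 2),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The per-chunk scan is the one to keep; its cost is the same single pass over the data. Expect false positives on content that is high-entropy by nature (compressed backups, disks of guests that use their own full-disk encryption), so pair the entropy signal with the rename and ransom-note indicators rather than acting on it alone.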

Output and Reporting
Where the original version only announced completion for each file, the upgraded version provides detailed per-file progress and chunk-level updates, offering a richer view of its encryption activity.

Overall Impact
Although both variants ultimately encrypt files and rename them with the .emario extension, the upgraded Mario introduces a layered, chunked, multi-key encryption model that is more efficient and harder to reverse-engineer. This progression demonstrates a broader trend in ransomware toward more resilient and adaptive techniques.

Threat Implications and Defender Takeaways
The move from a straightforward linear method to a sophisticated multi-layered encryption approach signals a troubling evolution in ransomware capabilities. The upgraded scheme (two-key, two-stage encryption, dynamic chunking, and more complex file-processing logic) raises the bar for decryption without the full key set and complicates static analysis.

What this means for defenders is a need for more dynamic, proactive strategies, including stronger monitoring of ESXi environments, rapid detection of deployment tools like MrAgent, and robust backups and segmentation to limit blast radius.

Protection guidance for customers
- WildFire: leverage ML-based analysis to detect emerging threats
- Cortex Xpanse with XSIAM ASM: monitor exposed ESXi surfaces and apply post-compromise detection for ESXi infections
- If you suspect compromise, contact Unit 42 Incident Response via the provided portal or reach the listed global phone lines for urgent assistance

Indicators of Compromise
- SHA256: 0fe7fcc66726f8f2daed29b807d1da3c531ec004925625855f8889950d0d24d8 (upgraded Mario sample)
- SHA256: d36afcfe1ae2c3e6669878e6f9310a04fb6c8af525d17c4ffa8b510459d7dd4d (original Mario sample)
- SHA256: 26b3c1269064ba1bf2bfdcf2d3d069e939f0e54fc4189e5a5263a49e17872f2a (MrAgent)
- SHA256: 8189c708706eb7302d7598aeee8cd6bdb048bf1a6dbe29c59e50f0a39fd53973 (MrAgent sample)

Additional Resources
- New RansomHouse activity and extortion market coverage
- Trellix analysis on RansomHouse am See
- Analyst1 overview of RansomHouse techniques

Controversy and Discussion
The upgraded encryption approach invites debate: is this a necessary step for threat actors seeking durability, or does it risk over-engineering and potential exposure under certain security controls? How should defenders balance investing in advanced detection for such multi-layered threats with practical protections that cover a broad range of ransomware variants? Share your thoughts in the comments: do you believe multi-key, chunked encryption represents a sustainable threat model for ransomware, or will defenders outpace it with adaptable defenses?

If you need more help, you can consult Unit 42 or reach out to your local security contacts for guidance on containment, eradication, and recovery.

Author: Domingo Moore