From Linear to Complex: An Upgrade in RansomHouse Encryption

Dec. 21, 2025, 7:34 p.m.

Description

RansomHouse, a ransomware-as-a-service operation run by Jolly Scorpius, has significantly upgraded its encryption methods. The attack chain involves three roles: operators who develop the tools, attackers who deploy the ransomware, and the victims they target. Two key components, MrAgent and Mario, are used to compromise virtualized environments. MrAgent manages deployments, while Mario encrypts files. The upgraded version of Mario features a more complex two-stage encryption process, improved memory management, and dynamic file processing. These enhancements make the ransomware more efficient and more resistant to analysis, signaling a concerning trend in ransomware development that could influence future variants.

Date

  • Created: Dec. 17, 2025, 2:28 p.m.
  • Published: Dec. 17, 2025, 2:28 p.m.
  • Modified: Dec. 21, 2025, 7:34 p.m.

Indicators

  • 0fe7fcc66726f8f2daed29b807d1da3c531ec004925625855f8889950d0d24d8
  • d36afcfe1ae2c3e6669878e6f9310a04fb6c8af525d17c4ffa8b510459d7dd4d
  • 8189c708706eb7302d7598aeee8cd6bdb048bf1a6dbe29c59e50f0a39fd53973
  • 26b3c1269064ba1bf2bfdcf2d3d069e939f0e54fc4189e5a5263a49e17872f2a

Attack Patterns

Additional Information

  • Finance
  • Health
  • Transport
  • Government and administrations