RansomHouse
RansomHouse is a financially motivated cyber extortion and ransomware-as-a-service group that emerged in late 2021. Reported aliases include Jolly Scorpius and RansomHouse Group. The group is described as using double extortion, combining data theft with threats to leak stolen data, and it has also been associated with extortion-only activity in which payment is sought for data deletion rather than decryption. RansomHouse presents itself as a "professional mediator community" and negotiates with victims through Tor-based chat infrastructure that supports English and Chinese.

Reporting links RansomHouse to attacks and claims involving healthcare providers, retailers, government agencies, technology firms, manufacturers, and critical infrastructure operators. Reported or claimed victims include Trellix, AMD, Mission Community Hospital, IFX Networks, Irec SAS/Vivaticket, Luxshare, Askul, Warren County Sheriff's Office, and Greater Pittsburgh Orthopaedic Associates. The group has also been cited in reporting on attacks affecting Colombian government entities via IFX Networks and disruptions to thousands of European cultural sites through the Vivaticket ecosystem.

RansomHouse is described as typically exploiting exposed services, weak credentials, phishing, and vulnerable remote access systems. In one analyzed case, the attackers claimed initial access via Citrix remote access exploitation and compromise of VMware ESXi infrastructure, followed by abuse of weak domain credentials, domain control, and backdoor deployment. The group is associated with the Mario ESXi ransomware variant, which is described as sharing lineage with leaked Babuk source code, and with a deployment tool called MrAgent used to automate ransomware execution across Windows and Linux-based virtualized environments, especially VMware ESXi.

MrAgent is described as a C2-driven agent that can identify hosts, disable the ESXi firewall, execute commands, collect hypervisor and VM inventory, and orchestrate ransomware deployment at scale. Reporting also ties RansomHouse to modern defense-evasion tooling: ESET observed DemoKiller deployed once during a RansomHouse intrusion, and broader reporting states that groups including RansomHouse have used commercial EDR killers sourced from underground marketplaces. RansomHouse is further described as often targeting VMware ESXi infrastructure and seeking privileged access through weak domain credentials and monitoring systems.

The group has been linked to both encryption and non-encryption extortion operations. Reporting specifically notes that newer groups adopting encryption-less or extortion-only methods include RansomHouse, alongside BianLian and Karakurt. At the same time, other reporting describes RansomHouse as conducting double extortion and using ransomware tooling in victim environments. No nation-state attribution is established in the available reporting. One report states that Iranian actors have been known to work as affiliates with Russian ransomware gangs such as NoEscape, RansomHouse, and ALPHV/BlackCat, but this does not identify RansomHouse itself as a state actor.
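The MrAgent capabilities described above (disabling the ESXi firewall, then enumerating the hypervisor and its VMs before deployment) leave a trace in the ESXi shell history. The following detection sketch is an added example, not code from the page or from any vendor: it parses a few constructed lines in the style of ESXi's shell.log, flags the standard esxcli/vim-cmd invocations for those actions (the exact commands MrAgent issues are not stated in the reporting, so the patterns are an assumption), and raises a session-level alert when a firewall disable is followed by VM inventory collection in the same shell session.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the style of ESXi /var/log/shell.log.
# The line layout is an assumption; adjust LINE_RE to the real shape of your logs.
SAMPLE_SHELL_LOG = """\
2024-05-01T02:11:03Z shell[20481]: [root]: esxcli network firewall get
2024-05-01T02:11:09Z shell[20481]: [root]: esxcli network firewall set --enabled false
2024-05-01T02:11:20Z shell[20481]: [root]: vim-cmd vmsvc/getallvms
2024-05-01T02:11:41Z shell[20481]: [root]: esxcli system version get
2024-05-01T02:12:05Z shell[20481]: [root]: esxcli vm process list
2024-05-01T08:30:00Z shell[20990]: [admin]: esxcli network firewall ruleset list
"""

# timestamp, shell pid (one pid per interactive session), user, and the command typed
LINE_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$"
)

# (rule name, pattern over the command text, severity). Assumed commands: these are
# the standard ESXi CLI ways to do what the reporting says MrAgent does.
RULES = [
    ("firewall_disabled",
     re.compile(r"esxcli\s+network\s+firewall\s+set\s+.*--enabled\s+false"), "high"),
    ("vm_inventory",
     re.compile(r"vim-cmd\s+vmsvc/getallvms|esxcli\s+vm\s+process\s+list"), "medium"),
    ("hypervisor_recon",
     re.compile(r"esxcli\s+system\s+version\s+get"), "low"),
]


@dataclass
class Finding:
    ts: str
    pid: str
    user: str
    rule: str
    severity: str
    cmd: str


def scan_shell_log(text: str) -> list:
    """Return one Finding per (line, rule) match; unparseable lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for name, pattern, severity in RULES:
            if pattern.search(m["cmd"]):
                findings.append(Finding(m["ts"], m["pid"], m["user"], name, severity, m["cmd"]))
    return findings


def sessions_disable_then_inventory(findings: list) -> list:
    """Pids of sessions where the firewall was disabled and VM inventory followed.

    A single firewall change can be legitimate maintenance; the ordered pair in one
    session is the pattern worth paging on, because it matches the staged behaviour
    attributed to MrAgent (firewall off, then enumerate VMs, then deploy).
    """
    by_pid = {}
    for f in findings:
        by_pid.setdefault(f.pid, []).append(f)
    flagged = []
    for pid, fs in by_pid.items():
        fs.sort(key=lambda f: f.ts)  # ISO-8601 UTC strings sort chronologically
        first_disable = next((i for i, f in enumerate(fs) if f.rule == "firewall_disabled"), None)
        if first_disable is None:
            continue
        if any(f.rule == "vm_inventory" for f in fs[first_disable + 1:]):
            flagged.append(pid)
    return flagged


if __name__ == "__main__":
    found = scan_shell_log(SAMPLE_SHELL_LOG)
    for f in found:
        print(f"{f.ts} pid={f.pid} user={f.user} [{f.severity}] {f.rule}: {f.cmd}")
    print("sessions to escalate:", sessions_disable_then_inventory(found))
```

Two tuning notes: `esxcli network firewall get` and `ruleset list` are deliberately not matched, since read-only queries are routine; and because the esxcli firewall switch is only one way to neutralize host filtering, this is a starting signal to pair with hostd and vobd logs rather than a complete ESXi coverage.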
Targeting
Who and where the actor targets, and, when attributed, the state behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Software & Services
Tradecraft
29 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
4 malware families attributed to this actor across reporting.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.
CVE-2018-10562 (score 8.9): Dasan GPON Home Routers; also associated with LockBit, Crypto24
CVE-2019-12780 (score 9.8): Belkin Wemo Smart Plug; also associated with LockBit
Observables
2 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Ransomware/extortion group reported targeting Trellix.
Claimed responsibility for the cyberattack against Mission Community Hospital and stated that it exfiltrated approximately 2.5 TB of data containing sensitive patient information.
Financially motivated cyber extortion group that emerged in late 2021. It is described as focusing initially on stealing data and extorting victims rather than encrypting systems, and has targeted large organizations worldwide including healthcare providers, retailers, government agencies, technology firms, and critical infrastructure operators.
Claimed responsibility for unauthorized access to part of Trellix's source code repository and used leak-site pressure tactics to push the victim into negotiations before public release of stolen data.