From Linear to Complex: An Upgrade in RansomHouse Encryption

This article analyzes RansomHouse, a RaaS operation run by the group tracked as Jolly Scorpius, detailing its attack chain, tooling (MrAgent and Mario), and the scope of its operations. It highlights an upgrade in Mario’s encryption from a single-pass linear method to a two-stage, chunked process using primary and secondary keys that makes decryption and static analysis more difficult. #RansomHouse #Mario

Key Points

  • RansomHouse is a RaaS operated by a group tracked as Jolly Scorpius that uses a double extortion model combining data theft and encryption for leverage.
  • The group targets VMware ESXi environments to maximize impact by encrypting many VMs at once, with at least 123 victims listed on their leak site since December 2021.
  • RansomHouse operations use a two-component modular architecture: MrAgent (management/deployment tool) and Mario (encryptor) to persist, exfiltrate, and encrypt VM files.
  • MrAgent provides persistent C2 connectivity, host reconnaissance (hostname, MAC, IP), firewall disabling, remote command execution, and orchestrates Mario deployment.
  • Mario’s encryption has evolved from a single-pass linear routine to an upgraded multi-layered approach featuring a 32-byte primary key, an 8-byte secondary key, chunked/dynamic processing, and sparse encryption.
  • The upgraded Mario increases resilience to analysis and decryption by using two separate keys, variable chunk sizes, and selective block encryption while still producing ransom notes and .emario file extensions.
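The sparse, chunked encryption described above defeats a naive whole-file entropy check: if only a fraction of a VMDK's blocks are rewritten as ciphertext, the file-wide average entropy stays low and the file still looks like a disk image. The script below is an added example, not code from Unit 42 or from the Mario samples; it shows the per-chunk entropy profile a defender or forensic tool can use to spot partially encrypted VM files. The 4096-byte chunk size, the 7.5 bits/byte threshold, and the sample disk image (low-entropy filler with every eighth chunk replaced by pseudo-random bytes) are constructed assumptions; the page does not document Mario's actual chunk sizes or which blocks it selects.

```python
import math
import random
from collections import Counter
from typing import List

CHUNK_SIZE = 4096    # assumed analysis granularity; Mario's real chunk sizes are not on the page
HIGH_ENTROPY = 7.5   # bits per byte; output of a sound cipher scores close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, chunk_size: int = CHUNK_SIZE) -> List[float]:
    """Entropy of each fixed-size chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def sparse_encryption_report(data: bytes, chunk_size: int = CHUNK_SIZE,
                             threshold: float = HIGH_ENTROPY) -> dict:
    """Summarise which chunks look like ciphertext and classify the file.

    A single whole-file entropy value hides sparse encryption: with one chunk
    in eight encrypted, the file-wide average stays low. Per-chunk scoring
    exposes the ciphertext islands and where they sit.
    """
    profile = entropy_profile(data, chunk_size)
    high = [i for i, e in enumerate(profile) if e >= threshold]
    total = len(profile)
    if total == 0 or not high:
        verdict = "clean"
    elif len(high) == total:
        verdict = "fully-encrypted"
    else:
        verdict = "sparse-encrypted"
    return {
        "chunks": total,
        "high_entropy_chunks": len(high),
        "high_entropy_indexes": high,
        "file_entropy": shannon_entropy(data),
        "verdict": verdict,
    }


def build_sample_image(chunks: int = 64, every: int = 8, seed: int = 1234,
                       chunk_size: int = CHUNK_SIZE) -> bytes:
    """Constructed stand-in for a VM disk file (not Mario's output).

    Alternates zeroed and plaintext chunks, then overwrites every `every`-th
    chunk with seeded pseudo-random bytes to mimic selective block encryption.
    """
    rng = random.Random(seed)
    filler = (b"VMFS-BLOCK-DATA " * (chunk_size // 16))[:chunk_size]  # ~3.75 bits/byte
    zeros = bytes(chunk_size)                                          # unallocated sectors
    out = bytearray()
    for i in range(chunks):
        if i % every == 0:
            out += bytes(rng.getrandbits(8) for _ in range(chunk_size))  # "encrypted" block
        elif i % 2 == 0:
            out += zeros
        else:
            out += filler
    return bytes(out)


if __name__ == "__main__":
    report = sparse_encryption_report(build_sample_image())
    print(report["verdict"], report["high_entropy_chunks"], "of", report["chunks"], "chunks")
    print("whole-file entropy: %.2f bits/byte" % report["file_entropy"])
    print("ciphertext chunk indexes:", report["high_entropy_indexes"])
```

In practice the function would be run over the vmdk/vbk files listed in the Indicators section rather than a constructed buffer; the regular spacing of high-entropy chunks in the output is itself a useful signal, since legitimate compressed or encrypted guest data rarely lands at evenly spaced offsets.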

MITRE Techniques

  • [T1566] Phishing – Initial access via spear phishing and social engineering: ‘compromise victims through spear phishing emails or other social engineering techniques.’
  • [T1190] Exploit Public-Facing Application – Use of zero-day or other exploits against vulnerable systems for initial access: ‘initial access vectors include vulnerable systems in a victim’s environment that attackers can compromise through zero-day or other exploits.’
  • [T1021] Lateral Movement – Post-compromise reconnaissance and movement across the environment: ‘the remainder of the infiltration phase includes reconnaissance to map the environment, privilege escalation, lateral movement and identifying valuable or sensitive information.’
  • [T1105] Ingress Tool Transfer – Deploying the encryptor to the target host by downloading and executing Mario via MrAgent: ‘attackers instruct MrAgent to download and execute the Mario encryptor, which runs directly on the hypervisor to encrypt virtual machine (VM) files.’
  • [T1071] Application Layer Protocol – Persistent C2 communications and periodic connectivity checks between MrAgent and the attacker’s server: ‘MrAgent establishes a persistent connection to the attacker’s command-and-control (C2) server’ and ‘MrAgent’s function to check for connectivity to the C2 server runs in an infinite loop.’
  • [T1041] Exfiltration Over C2 Channel – Data theft and transfer to attacker-controlled servers using compression and transfer utilities: ‘Typical data exfiltration techniques involve file compression and file transfer utilities, and attackers usually send data to servers under their control.’
  • [T1486] Data Encrypted for Impact – Encrypting VM and backup files and leaving ransom notes to demand payment: ‘After encrypting files, Mario drops a ransom note that contains instructions for victims to recover their files.’

Indicators of Compromise

  • [File Hashes] Sample binaries associated with RansomHouse components – 0fe7fcc66726f8f2daed29b807d1da3c531ec004925625855f8889950d0d24d8, d36afcfe1ae2c3e6669878e6f9310a04fb6c8af525d17c4ffa8b510459d7dd4d, and 2 more hashes
  • [File Names / Ransom Note] Ransom note filename and encrypted file extension observed after encryption – “How To Restore Your Files.txt”, .emario
  • [Malware / Tool Names] Identified tooling used in attacks – Mario (encryptor), MrAgent (deployment/management tool)
  • [File Extensions] Targeted virtualization and backup file types indicating ESXi/VMware focus – vmdk, vbk (additional targeted extensions include vmsn, vmsd, vmem, vswp, ovf, ova)


Read more: https://unit42.paloaltonetworks.com/ransomhouse-encryption-upgrade/