RansomHouse operates as a Ransomware-as-a-Service group that uses a tool called MrAgent to automate ransomware deployment across many hypervisors. The report outlines their double-extortion model, Tor-based negotiation platform, and the technical details of MrAgent that enable rapid, large-scale infections. #RansomHouse #MrAgent #MarioESXi #Babuk #Tor #Citrix #VMwareESXi
Keypoints
- RansomHouse is identified as a Ransomware-as-a-Service (RaaS) group targeting Windows and Linux hypervisors with a tool named MrAgent to automate ransomware deployments at scale.
- MrAgent is a binary designed to run on hypervisors, autonomously connecting to C2, gathering host info, disabling defenses, and orchestrating ransomware deployment across many VMs.
- The initial access chain included an exploit in Citrix remote access software and compromises of weak domain credentials.
- Ransom negotiation takes place on a Tor-based chat platform with unique victim links, English/Chinese chat, and a countdown to pressure payment.
- Exfiltrated data was moved to cloud storage (MEGA, put.io) and the operation involved a two-stage ransom payment around $1.25 million, followed by data decryption tooling.
- In 2023 US victims and the Industrials/Technology sectors were heavily impacted, with a shift toward mid-size companies and North American targets.
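The MrAgent behaviour summarised above (host discovery with esxcli, then disabling the ESXi firewall) leaves a trace in the ESXi shell history. The following detection logic is an added example, not code from the Trellix report or from MrAgent itself; it assumes the `/var/log/shell.log` layout `<ISO-8601 timestamp> shell[<pid>]: [<user>]: <command>` (an assumption), and the sample log lines are constructed.

```python
"""Flag ESXi shell-history entries consistent with the MrAgent sequence
described above: host discovery via esxcli followed by disabling the ESXi
firewall. Added example, not from the Trellix report; the shell.log layout
is assumed and SAMPLE_LOG is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed shell.log layout: "<ISO-8601 ts> shell[<pid>]: [<user>]: <command>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z?\s+shell\[\d+\]:\s+"
    r"\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$"
)

# Rule table: (name, severity, regex over the command text)
RULES = [
    ("esxi_firewall_disabled", "high",
     re.compile(r"esxcli\s+network\s+firewall\s+set\b.*--enabled\s+false")),
    ("esxi_firewall_ruleset_changed", "medium",
     re.compile(r"esxcli\s+network\s+firewall\s+(ruleset\s+set|set\s+--default-action)")),
    ("esxi_host_discovery", "low",
     re.compile(r"esxcli\s+(system\s+(hostname|version|uuid)|"
                r"network\s+(ip\s+interface|nic))\b.*\b(get|list)\b")),
]


@dataclass
class Finding:
    ts: datetime
    user: str
    rule: str
    severity: str
    command: str


def parse_line(line):
    """Return (timestamp, user, command) or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), m["user"], m["cmd"]


def scan_shell_log(lines, window=timedelta(minutes=10)):
    """Per-line findings, plus a correlated 'critical' finding when a firewall
    disable follows host discovery within `window` (the MrAgent-like chain)."""
    findings = []
    last_discovery = None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparsable or unrelated lines are skipped, not fatal
        ts, user, cmd = parsed
        for name, sev, rx in RULES:
            if not rx.search(cmd):
                continue
            findings.append(Finding(ts, user, name, sev, cmd))
            if name == "esxi_host_discovery":
                last_discovery = ts
            elif (name == "esxi_firewall_disabled" and last_discovery is not None
                  and ts - last_discovery <= window):
                findings.append(Finding(ts, user, "discovery_then_firewall_disable",
                                        "critical", cmd))
    return findings


# Constructed sample shell.log lines (not from any real incident).
SAMPLE_LOG = [
    "2024-02-14T10:20:01Z shell[2231]: [root]: esxcli system version get",
    "2024-02-14T10:20:03Z shell[2231]: [root]: esxcli network ip interface ipv4 get",
    "2024-02-14T10:20:07Z shell[2231]: [root]: vim-cmd vmsvc/getallvms",
    "2024-02-14T10:21:12Z shell[2231]: [root]: esxcli network firewall set --enabled false",
    "2024-02-14T11:05:44Z shell[3310]: [root]: esxcli network firewall get",
    "this line is not in shell.log format",
]

if __name__ == "__main__":
    for f in scan_shell_log(SAMPLE_LOG):
        print(f"{f.ts.isoformat()} {f.severity:8s} {f.rule:32s} {f.user}: {f.command}")
```

The correlation window is deliberately generous (ten minutes) because the report describes these steps as automated, so they land close together; an operator running `esxcli network firewall get` for legitimate reasons produces no finding at all, since only `set ... --enabled false` and rule-set changes are flagged.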
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Initial compromise through an exploit in Citrix. ‘Initial compromise through an exploit in Citrix’
- [T1078] Valid Accounts – Gaining control of weak domain user accounts. ‘Valid Accounts’ and ‘Gaining control of weak domain user accounts’
- [T1021.001] SMB/Windows Admin Shares – Lateral Movement. ‘Exploiting weak monitoring and analysis systems, the group was able to gain unauthorized access via SMB/RDP’
- [T1021.002] Remote Services – Lateral Movement. ‘Exploiting weak monitoring and analysis systems, the group was able to gain unauthorized access via SMB/RDP’
- [T1567.002] Exfiltration to Cloud Storage – Data exfiltration via CDN/cloud storage. ‘Utilized CDN servers for data exfiltration during attacks’
- [T1560.001] Archive Collected Data – Data compression/archival before exfiltration. ‘Collected data was compressed’
- [T1059.004] Unix Shell – Use of Unix/esxcli commands to gather system information and manipulate firewall settings. ‘Unix commands such as and esxcli commands to gather system information and manipulate firewall settings’
- [T1016] System Network Configuration Discovery – Retrieve MAC/IP addresses. ‘Retrieves MAC and IP address of the compromised system using esxcli commands and ioctl calls’
- [T1562.004] Impair Defenses: Disable Firewall – Disable ESXi firewall. ‘Disable the ESXi firewall by executing the command “esxcli network firewall set --enabled false”’
- [T1090] Proxy – Tor-based communications for C2. ‘Tor-based chat room’
- [T1583] Acquire Infrastructure: Server – Acquire infrastructure: server. ‘Acquire Infrastructure: Server’
- [T1071.001] Application Layer Protocol – C2 using JSON messages. ‘Messages to and from the command & control server are transmitted as JSON encoded strings with a zero-byte terminator’
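The C2 framing quoted above (JSON strings, each ended by a zero byte) is simple to decode from captured traffic, but the bytes arrive as a stream that may be split anywhere, and not every frame is guaranteed to be valid JSON. The incremental decoder below is an added example, not code from the Trellix report or from MrAgent; the sample messages and their field names are constructed placeholders, not MrAgent's real message schema.

```python
"""Incremental decoder for zero-byte-terminated JSON frames, as described in
the T1071.001 entry above. Added example, not from the Trellix report; the
sample exchange is constructed and its field names are placeholders."""
import json


class NullTerminatedJsonDecoder:
    """feed() arbitrary byte chunks; get back the complete frames they finish.
    Partial frames stay buffered until their zero-byte terminator arrives."""
    TERMINATOR = b"\x00"

    def __init__(self, max_frame=1 << 20):
        self._buf = bytearray()
        self.max_frame = max_frame  # bound on buffered bytes without a terminator

    def feed(self, chunk):
        self._buf.extend(chunk)
        frames = []
        while True:
            idx = self._buf.find(self.TERMINATOR)
            if idx < 0:
                break
            raw = bytes(self._buf[:idx])
            del self._buf[:idx + 1]  # drop the frame and its terminator
            frames.append(self._decode(raw))
        if len(self._buf) > self.max_frame:
            raise ValueError("unterminated frame exceeds max_frame")
        return frames

    @staticmethod
    def _decode(raw):
        try:
            return {"ok": True, "msg": json.loads(raw.decode("utf-8"))}
        except (UnicodeDecodeError, json.JSONDecodeError) as exc:
            # keep the raw bytes so non-JSON traffic is still visible to the analyst
            return {"ok": False, "raw": raw, "error": str(exc)}

    def pending(self):
        """Bytes of an incomplete frame still waiting for a terminator."""
        return bytes(self._buf)


def encode_frame(obj):
    """Build one frame in the same format; used here only to construct samples."""
    return json.dumps(obj, separators=(",", ":")).encode("utf-8") + b"\x00"


# Constructed sample exchange (field names are placeholders). The IP is the
# example address from the report's status exchange; the last frame is cut off.
SAMPLE_STREAM = (
    encode_frame({"type": "status", "host": "esxi-01", "ip": "192.168.56.10"})
    + encode_frame({"type": "task", "action": "placeholder"})
    + b"not json at all\x00"
    + encode_frame({"type": "status", "vms": 12})[:-7]
)


def decode_stream(data, chunk_size=7):
    """Replay `data` through the decoder in `chunk_size` pieces, mimicking TCP
    segmentation; returns (decoded frames, leftover unterminated bytes)."""
    dec = NullTerminatedJsonDecoder()
    frames = []
    for i in range(0, len(data), chunk_size):
        frames.extend(dec.feed(data[i:i + chunk_size]))
    return frames, dec.pending()


if __name__ == "__main__":
    frames, leftover = decode_stream(SAMPLE_STREAM)
    for fr in frames:
        print("OK  " if fr["ok"] else "BAD ", fr.get("msg", fr.get("raw")))
    print("pending:", leftover)
```

Because the output is identical whatever chunk size is used, the same decoder can be driven from a packet capture, a proxy tap, or a file of reassembled payloads; the `max_frame` bound keeps a stream that never sends a terminator from consuming unbounded memory.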
Indicators of Compromise
- [Hash] MrAgent – 8189c708706eb7302d7598aeee8cd6bdb048bf1a6dbe29c59e50f0a39fd53973, bfc9b956818efe008c2dbf621244b6dc3de8319e89b9fa83c9e412ce70f82f2c
- [Hash] Mario – 3934b3da6bad0b4a28483e25e7bab919d7ed31f2f51cca22c56535b9f8183a0e, afe398e95a75beb4b0508c1bbf7268e8607d03776af0b68386d1e2058b374501
- [IP] 64.52.80.118 – Mega Pro account login used during exfiltration
- [IP] 192.168.56.10 – Example IP address reported in C2/status exchange
- [BTC Address] 1MmkNa1gRUmVSocZic8wJhehef8NW4GzDZ
- [BTC Address] 1GqGTYE2a9c14jegP1aK9Qj58gYyyt7Dxu
- [BTC Address] bc1q93xvcqux2xl4n03985lyrh8w55et8tt60fcrmy
- [BTC Address] 17voYysEw5NJbbT5TCQqsaTwbv4ZhmTPLa
- [File] test-flat.vmdk
- [File] test.vmdk
- [File] test.vmsd
- [Credential] [email protected]
Read more: https://www.trellix.com/blogs/research/ransomhouse-am-see/