Mallory

RansomHouse Ransomware Upgrades with Double Extortion and Advanced Encryption

Tags: ransomware-group-operation, ransomware-tooling-evolution, operational-disruption, command-and-control-method, initial-access-method
Updated March 21, 2026 at 03:04 PM. 4 sources.

RansomHouse, operated by the group known as Jolly Scorpius, has significantly evolved its ransomware-as-a-service (RaaS) platform by integrating a double extortion strategy that combines data theft with encryption. This approach increases pressure on victims by threatening both operational disruption and public data leaks. Since December 2021, RansomHouse has targeted at least 123 organizations across critical sectors such as healthcare, finance, transportation, and government, resulting in substantial financial losses and severe data breaches. The group employs a sophisticated attack chain, with roles divided among operators, attackers, and infrastructure providers, and often gains initial access through spear-phishing or exploiting vulnerable systems. Once inside, attackers use specialized tools to maximize impact, particularly targeting VMware ESXi hypervisors to encrypt large numbers of virtual machines simultaneously, amplifying operational disruption.

Recent technical analysis reveals that RansomHouse has upgraded its encryption from a simple, linear pass over each file to a more complex, multi-layered scheme, making detection and recovery harder for defenders. The toolkit includes 'MrAgent', a management and deployment tool that automates ransomware rollout and keeps a persistent connection to the group's command-and-control servers, and the 'Mario' encryptor, the latest version of the file-encryption payload. These upgrades, combined with the double extortion model, make RansomHouse a formidable threat, prompting security vendors to enhance their protections and organizations to stay vigilant against this evolving operation.

Timeline

  1. Dec 17, 2025

    Unit 42 publishes technical analysis and IOCs for RansomHouse tooling

    Palo Alto Networks Unit 42 released a detailed report describing the upgraded Mario encryptor, the MrAgent deployment component, ransom note behavior, file-renaming conventions, and example command-and-control instructions. The report also published SHA-256 indicators for MrAgent and both Mario variants to support threat hunting and detection.

  2. Dec 17, 2025

    RansomHouse upgrades Mario encryptor to multi-layered dual-key encryption

    By December 2025, RansomHouse had upgraded its Mario encryptor from a simpler linear approach to a more complex two-stage scheme using primary and secondary keys, dynamic chunk sizing, and sparse or intermittent encryption. The changes increased speed, reliability, and resistance to analysis and decryption, especially in virtualized environments.

  3. Dec 17, 2025

    RansomHouse targets at least 123 organizations across critical sectors

    Since December 2021, RansomHouse has listed at least 123 victims spanning healthcare, finance, transportation, and government. The campaign notably focused on high-impact targets such as VMware ESXi hosts and other virtualization infrastructure, where a single encryption run can take down many virtual machines at once.

  4. Dec 1, 2021

    RansomHouse begins publicly listing victims on its leak site

    RansomHouse activity was observed from at least December 2021, when victims began appearing on the group's data leak site. The operation used a double-extortion model, stealing data and encrypting systems to pressure organizations into paying.
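The timeline entry on the Mario upgrade says the encryptor now uses sparse or intermittent encryption with dynamic chunk sizing, which is exactly the pattern that defeats single-number entropy checks. The Python below is an added illustration, not code from the Unit 42 report or from the RansomHouse toolkit: a toy "encrypt every other chunk" routine (XOR with a SHA-256 counter-mode keystream, an assumed stand-in for whatever Mario actually does) produces a file that a whole-file entropy threshold passes as benign, while per-chunk entropy flags it. The sample log data, key, chunk size and thresholds are all constructed for the example.

```python
"""Chunked-entropy triage for intermittently encrypted files.

Added illustration, not RansomHouse/Mario code: a toy sparse encryptor stands
in for the intermittent scheme described in the timeline, and the detector
shows why a whole-file entropy threshold misses it while per-chunk analysis
does not. All sample data is constructed inline.
"""
import hashlib
import math
from collections import Counter

CHUNK = 4096       # analysis window and (for the toy encryptor) chunk size; assumed
HIGH = 7.5         # bits/byte above which a chunk looks encrypted or compressed
MIN_CHUNK = 256    # ignore tiny tails: entropy of a few bytes is meaningless


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def keystream(key: bytes, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream (illustration only, not a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def intermittent_encrypt(data: bytes, key: bytes, stride: int = 2, chunk: int = CHUNK) -> bytes:
    """Toy sparse encryptor: XOR every `stride`-th chunk with a per-chunk keystream
    and leave the others as plaintext. Assumed layout, not Mario's actual scheme.
    Applying it twice with the same key restores the input (XOR is an involution)."""
    out = bytearray(data)
    for idx, start in enumerate(range(0, len(data), chunk)):
        if idx % stride == 0:
            block = data[start:start + chunk]
            ks = keystream(key + idx.to_bytes(4, "big"), len(block))
            out[start:start + chunk] = bytes(b ^ k for b, k in zip(block, ks))
    return bytes(out)


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each analysis window, skipping undersized trailing windows."""
    return [shannon_entropy(data[i:i + chunk])
            for i in range(0, len(data), chunk)
            if len(data[i:i + chunk]) >= MIN_CHUNK]


def whole_file_looks_encrypted(data: bytes, threshold: float = HIGH) -> bool:
    """The naive check: one entropy value for the whole file."""
    return shannon_entropy(data) >= threshold


def classify(data: bytes, chunk: int = CHUNK) -> str:
    """'plaintext', 'intermittent' or 'fully_encrypted', from per-chunk entropy."""
    ents = chunk_entropies(data, chunk)
    if not ents:
        return "plaintext"
    high = sum(1 for e in ents if e >= HIGH)
    if high == 0:
        return "plaintext"
    if high == len(ents):
        return "fully_encrypted"
    return "intermittent"


# Constructed sample: a repetitive log file, the kind of data with low entropy.
SAMPLE_PLAINTEXT = (
    b"2025-12-17 11:00:00 INFO order=1234 status=shipped warehouse=DE-01\n" * 1000
)
SAMPLE_KEY = b"\x11" * 32   # constructed toy key

if __name__ == "__main__":
    victim = intermittent_encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    print("whole-file entropy:", round(shannon_entropy(victim), 2),
          "-> naive check flags it:", whole_file_looks_encrypted(victim))
    print("per-chunk entropies:", [round(e, 2) for e in chunk_entropies(victim)])
    print("classification:", classify(victim))
```

Run stand-alone it prints a whole-file entropy a little over 7 bits/byte, under the 7.5 threshold, next to per-chunk values that alternate between roughly 4.6 (plaintext) and roughly 7.9 (encrypted). The classifier is a triage heuristic only: files that legitimately mix compressed and uncompressed regions (archives, PDFs with embedded images) also land in "intermittent", so correlate hits with the file-renaming conventions and ransom-note behavior the Unit 42 report documents before acting. Keep the analysis window smaller than the encrypted runs you expect; the encryptor's dynamic chunk sizing only defeats this if your window is so large that every window straddles plaintext and ciphertext.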


Sources

December 20, 2025 at 12:00 AM
December 17, 2025 at 11:00 AM
