RansomHouse
RansomHouse is a ransomware-as-a-service (RaaS) operation associated with the threat group Jolly Scorpius.
Profile source: Mallory opens in a new tabRansomHouse
Family profile
RansomHouse is a ransomware-as-a-service (RaaS) operation associated with the threat group Jolly Scorpius. First observed in 2021, it initially used an extortion-only model centered on data theft and threats to leak stolen information, and later evolved to include file encryption as part of a double-extortion model. The operation has publicly listed at least 123 victims on its leak site since December 2021 and has impacted organizations in healthcare, finance, transportation, and government.
RansomHouse targets Windows and Linux, with a notable focus on VMware ESXi environments to maximize disruption by encrypting large numbers of virtual machines simultaneously. Initial access has been reported via spear phishing, social engineering, exploitation of vulnerable systems, Log4Shell, or through initial access brokers. Post-compromise activity described in the content includes use of Cobalt Strike for persistence and Rclone for data exfiltration.
Its tooling includes a management/deployment component called MrAgent and an encryptor called Mario. MrAgent is used to automate ransomware deployment across ESXi environments, maintain persistent C2 connectivity, collect host information, disable the ESXi firewall, and execute commands including stopping vCenter remote management and initiating VM encryption. Mario targets virtualization- and backup-related file types including ova, ovf, vbk, vbm, vib, vmdk, vmem, vmsd, vmsn, and vswp. It drops a ransom note named "How To Restore Your Files.txt" and renames encrypted files with extensions containing "mario"; the content also notes .RH extensions in some reporting.
Recent reporting in the content states that RansomHouse upgraded its encryption from a simpler single-pass approach to a more complex dual-key, two-stage process using a 32-byte primary key and an 8-byte secondary key, along with dynamic chunk processing and sparse encryption. This upgrade was described as a significant escalation that complicates analysis and decryption. The malware is written in Golang according to the provided content.
The content also notes that RansomHouse has been referenced in reporting on Iranian actors partnering with affiliates of the NoEscape, RansomHouse, and AlphV ransomware operations and taking a percentage of ransom payments. In 2025, the content states RansomHouse hit at least five healthcare entities, including a U.S. hospital chain in March and a European clinic in May. A sample of MrAgent associated with this activity is identified in the content with SHA-256: 8189c708706eb7302d7598aeee8cd6bdb048bf1a6dbe29c59e50f0a39fd53973.
Ransomware.live
Operational record
Ransomware.live
Recent claims
Exploited software
Vulnerabilities linked to RansomHouse
2 CVEsMITRE ATT&CK
RansomHouse in ATT&CK
1 distinct techniquesReporting
Research mentioning RansomHouse
Iranian government hackers using Chaos ransomware as cover, researchers say | The Record from Recorded Future News
The FBI previously said it witnessed Iranian actors partnering with affiliates of the NoEscape, Ransomhouse and AlphV ransomware operations — eventually taking a percentage of ransom payments.
North Korean state hackers seen using Medusa ransomware in attacks on US, Middle East | The Record from Recorded Future News
The FBI previously said it witnessed Iranian actors partnering with affiliates of the NoEscape, Ransomhouse and AlphV ransomware operations ...
Neue Ransomware-Bedrohung zielt auf deutsche Unternehmen
Der Ransomware-Dienst Ransomhouse nutzt jetzt eine komplexe Dual-Schlüssel-Verschlüsselung und automatisierte Angriffe auf VMware ESXi.
F5 Threat Report - December 31st, 2025 | DevCentral
Threat Details and IOCs Malware: ... RansomHouse ...
RansomHouse Upgrades Its Encryption
The RansomHouse ransomware-as-a-service operation, associated with the Jolly Scorpius group, has enhanced its encryption capabilities in recent samples.
security-affairs-newsletter-round-556-by-pierluigi-paganini-international-edition
From Linear to Complex: An Upgrade in RansomHouse Encryption
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 77
From Linear to Complex: An Upgrade in RansomHouse Encryption
⚡ Weekly Recap: Firewall Exploits, AI Data Theft, Android Hacks, APT Attacks, Insider Leaks & More
The RansomHouse (aka Jolly Scorpius) ransomware group has upgraded its file encryption process to use two different encryption keys to encrypt files as part of their attacks in what has been described as a significant escalation and "concerning trajectory" in ransomware development.