Skip to content
Ransomware group

RansomHouse

RansomHouse is a ransomware-as-a-service (RaaS) operation associated with the threat group Jolly Scorpius.

Profile source: Mallory opens in a new tab

RansomHouse

Family profile

RansomHouse is a ransomware-as-a-service (RaaS) operation associated with the threat group Jolly Scorpius. First observed in 2021, it initially used an extortion-only model centered on data theft and threats to leak stolen information, and later evolved to include file encryption as part of a double-extortion model. The operation has publicly listed at least 123 victims on its leak site since December 2021 and has impacted organizations in healthcare, finance, transportation, and government.

RansomHouse targets Windows and Linux, with a notable focus on VMware ESXi environments to maximize disruption by encrypting large numbers of virtual machines simultaneously. Initial access has been reported via spear phishing, social engineering, exploitation of vulnerable systems, Log4Shell, or through initial access brokers. Post-compromise activity described in the content includes use of Cobalt Strike for persistence and Rclone for data exfiltration.

Its tooling includes a management/deployment component called MrAgent and an encryptor called Mario. MrAgent is used to automate ransomware deployment across ESXi environments, maintain persistent C2 connectivity, collect host information, disable the ESXi firewall, and execute commands including stopping vCenter remote management and initiating VM encryption. Mario targets virtualization- and backup-related file types including ova, ovf, vbk, vbm, vib, vmdk, vmem, vmsd, vmsn, and vswp. It drops a ransom note named "How To Restore Your Files.txt" and renames encrypted files with extensions containing "mario"; the content also notes .RH extensions in some reporting.

Recent reporting in the content states that RansomHouse upgraded its encryption from a simpler single-pass approach to a more complex dual-key, two-stage process using a 32-byte primary key and an 8-byte secondary key, along with dynamic chunk processing and sparse encryption. This upgrade was described as a significant escalation that complicates analysis and decryption. The malware is written in Golang according to the provided content.

The content also notes that RansomHouse has been referenced in reporting on Iranian actors partnering with affiliates of the NoEscape, RansomHouse, and AlphV ransomware operations and taking a percentage of ransom payments. In 2025, the content states RansomHouse hit at least five healthcare entities, including a U.S. hospital chain in March and a European clinic in May. A sample of MrAgent associated with this activity is identified in the content with SHA-256: 8189c708706eb7302d7598aeee8cd6bdb048bf1a6dbe29c59e50f0a39fd53973.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Recent claims

All published claims ↗

Exploited software

Vulnerabilities linked to RansomHouse

2 CVEs

MITRE ATT&CK

RansomHouse in ATT&CK

1 distinct techniques

Reporting

Research mentioning RansomHouse

May 7
The Record Media

Iranian government hackers using Chaos ransomware as cover, researchers say | The Record from Recorded Future News

The FBI previously said it witnessed Iranian actors partnering with affiliates of the NoEscape, Ransomhouse and AlphV ransomware operations — eventually taking a percentage of ransom payments.

Feb 24
The Record Media

North Korean state hackers seen using Medusa ransomware in attacks on US, Middle East | The Record from Recorded Future News

The FBI previously said it witnessed Iranian actors partnering with affiliates of the NoEscape, Ransomhouse and AlphV ransomware operations ...

Jan 7
Cso Online

Neue Ransomware-Bedrohung zielt auf deutsche Unternehmen

Der Ransomware-Dienst Ransomhouse nutzt jetzt eine komplexe Dual-Schlüssel-Verschlüsselung und automatisierte Angriffe auf VMware ESXi.

Dec 30
F5 Community

F5 Threat Report - December 31st, 2025 | DevCentral

Threat Details and IOCs Malware: ... RansomHouse ...

Dec 29
Polyswarm

RansomHouse Upgrades Its Encryption

The RansomHouse ransomware-as-a-service operation, associated with the Jolly Scorpius group, has enhanced its encryption capabilities in recent samples.

Dec 28
Security Affairs

security-affairs-newsletter-round-556-by-pierluigi-paganini-international-edition

From Linear to Complex: An Upgrade in RansomHouse Encryption

Dec 28
Securityaffairs

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 77

From Linear to Complex: An Upgrade in RansomHouse Encryption

Dec 22
The Hacker News

⚡ Weekly Recap: Firewall Exploits, AI Data Theft, Android Hacks, APT Attacks, Insider Leaks & More

The RansomHouse (aka Jolly Scorpius) ransomware group has upgraded its file encryption process to use two different encryption keys to encrypt files as part of their attacks in what has been described as a significant escalation and "concerning trajectory" in ransomware development.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.