From Linear to Complex: An Upgrade in RansomHouse Encryption
Essential information
- Published: 17/12/2025 14:28
- Modified: 21/12/2025 19:34
- Tags: 2025-12-17, encryption, esxi, mario, mragent, ransomhouse, ransomware-as-a-service, virtualization
- Related entities: 4 observables, 1 intrusion set (apt), 12 techniques (mitre), 4 others
Description
RansomHouse, a ransomware-as-a-service operation run by Jolly Scorpius, has significantly upgraded its encryption methods. The attack chain involves three roles: operators who develop the tools, attackers who deploy the ransomware, and the victims who are targeted. Two key components, MrAgent and Mario, are used to compromise virtualized environments: MrAgent manages deployments, while Mario encrypts files. The upgraded version of Mario features a more complex two-stage encryption process, improved memory management, and dynamic file processing. These enhancements make the ransomware more efficient and more resilient to analysis, signaling a concerning trend in ransomware development that could influence future variants.