The PolySwarm Blog


RansomHouse Upgrades Its Encryption

Dec 29, 2025 12:26:13 PM / by The Hivemind

Verticals Targeted: Healthcare, Finance, Transportation, Government
Regions Targeted: Not specified
Related Families: MrAgent, Mario

Executive Summary

The RansomHouse ransomware-as-a-service operation has enhanced its encryption capabilities in recent samples. This development shifts from a basic single-pass method to a sophisticated multi-layered approach, complicating recovery efforts for affected organizations.


Key Takeaways

  • The RansomHouse ransomware-as-a-service operation, associated with the Jolly Scorpius group, has enhanced its encryption capabilities in recent samples.
  • Recent Mario encryptor versions introduce a two-stage encryption process using a 32-byte primary key and an 8-byte secondary key.
  • The upgraded variant employs dynamic chunk processing and sparse encryption techniques on targeted files.
  • MrAgent facilitates automated deployment and persistence on VMware ESXi hypervisors, enabling large-scale virtual machine encryption.

The Details

Palo Alto’s Unit 42 recently observed a notable evolution in the RansomHouse ransomware-as-a-service platform, operated by the group they track as Jolly Scorpius. Recent analysis of associated binaries reveals substantial improvements to the encryption routine employed by the Mario encryptor component. This upgrade transitions the process from a straightforward linear transformation to a more intricate, multi-stage mechanism designed to heighten resilience against decryption attempts.

The RansomHouse ecosystem centers on two primary tools: MrAgent and Mario. MrAgent serves as a management utility that establishes persistent C2 connections on compromised ESXi hosts. It executes system commands to gather host details, disable firewalls, and orchestrate further actions. Examples include retrieving hostnames, listing network interfaces, and modifying welcome messages on the hypervisor interface. This tool maintains runtime state through synchronized JSON structures and responds to remote instructions, such as deploying the encryptor or executing arbitrary commands.
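The behaviours attributed to MrAgent above (host reconnaissance, firewall disablement, welcome-message changes) are observable in the ESXi shell history. The following detection sketch is an added example, not code from the bulletin or from Unit 42; the log line layout, the esxcli command patterns and the sample entries are all assumptions constructed for illustration.

```python
import re

# Assumed command patterns for the MrAgent behaviours the bulletin lists
# (host recon, firewall disablement, welcome-message changes). These are
# ordinary esxcli/shell invocations, not strings recovered from the malware.
BEHAVIOURS = {
    "host_recon": re.compile(r"^(hostname|esxcli\s+network\s+ip\s+interface\s+list)\b"),
    "firewall_disabled": re.compile(r"esxcli\s+network\s+firewall\s+set\b.*--enabled\s+false"),
    "welcome_msg_changed": re.compile(r"esxcli\s+system\s+welcomemsg\s+set\b"),
}

# Assumed layout of an ESXi /var/log/shell.log entry: "<ts> shell[<pid>]: [<user>]: <command>".
SHELL_LOG = re.compile(r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$")

def parse_entry(line):
    """Return (ts, user, cmd) for a shell.log line, or None if it does not match."""
    m = SHELL_LOG.match(line.strip())
    return (m["ts"], m["user"], m["cmd"]) if m else None

def classify(cmd):
    """Names of the bulletin's MrAgent behaviours that this command matches."""
    return [name for name, rx in BEHAVIOURS.items() if rx.search(cmd)]

def scan(lines):
    """Collect matched behaviours per user. A user that performs recon and then
    changes host configuration (firewall or welcome message) is flagged."""
    seen = {}
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        _ts, user, cmd = entry
        for tag in classify(cmd):
            seen.setdefault(user, set()).add(tag)
    flagged = {u for u, tags in seen.items()
               if "host_recon" in tags and tags & {"firewall_disabled", "welcome_msg_changed"}}
    return seen, flagged

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2025-12-29T12:01:02Z shell[4242]: [root]: hostname",
    "2025-12-29T12:01:05Z shell[4242]: [root]: esxcli network ip interface list",
    "2025-12-29T12:01:09Z shell[4242]: [root]: esxcli network firewall set --enabled false",
    "2025-12-29T12:01:11Z shell[4242]: [root]: esxcli system welcomemsg set -m '[constructed text]'",
    "2025-12-29T12:30:00Z shell[5151]: [vpxuser]: esxcli system version get",
    "not a shell.log line",
]

if __name__ == "__main__":
    per_user, flagged_users = scan(SAMPLE_LOG)
    for user, tags in per_user.items():
        print(user, sorted(tags), "FLAGGED" if user in flagged_users else "")
```

On a real host the same logic can be run over /var/log/shell.log or over the syslog stream forwarded from ESXi; the patterns should be tuned against the administrative activity normal for that environment.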

Once deployed via MrAgent, the Mario encryptor targets virtualization-related files within specified directories. It focuses on extensions associated with virtual machines and backups. To prevent corruption from repeated encryption, Mario excludes files containing specific strings in their names. Upon completion, it appends extensions, including .emario, to encrypted files and generates a ransom note with recovery instructions.

Earlier versions of Mario applied a single-pass encryption loop with fixed chunk sizes, processing files sequentially up to a defined threshold. In contrast, the upgraded variant implements a dual-key scheme. It generates random values for a primary 32-byte key and a secondary 8-byte key, applying separate transformation passes. This layered approach incorporates optimized buffer management within a reduced stack frame, enabling intermediate storage for headers and transformation data.

File handling in the newer samples adopts dynamic chunk sizing, calculating offsets and variable segment lengths, and supports processing up to an 8GB threshold. It incorporates sparse techniques, encrypting selected blocks rather than whole files linearly. Progress indicators are displayed during chunk operations, and detailed statistics report encrypted volumes, skipped items, and overall totals on completion.

These enhancements collectively impede static analysis through non-linear processing and complex logic flows. The modular design of RansomHouse, separating operators who maintain infrastructure from affiliates handling intrusions, supports targeted disruptions in virtualized environments. Affiliates prioritize ESXi platforms to simultaneously affect multiple virtual machines, amplifying operational impact.

The Jolly Scorpius group has publicly listed over 120 victims on its data leak site since late 2021, affecting organizations across sensitive industries and resulting in substantial disruptions. This encryption advancement indicates ongoing investment in technical sophistication, potentially influencing broader ransomware trends and necessitating robust detection measures focused on behavioral patterns.

IOCs

PolySwarm has a sample of MrAgent, which is associated with this activity.

8189c708706eb7302d7598aeee8cd6bdb048bf1a6dbe29c59e50f0a39fd53973
