Regions Targeted: Not specified
Related Families: MrAgent, Mario
Key Takeaways
The Details
The RansomHouse ecosystem centers on two primary tools: MrAgent and Mario. MrAgent serves as a management utility that establishes persistent C2 connections on compromised ESXi hosts. It executes system commands to gather host details, disable firewalls, and orchestrate further actions. Examples include retrieving hostnames, listing network interfaces, and modifying welcome messages on the hypervisor interface. This tool maintains runtime state through synchronized JSON structures and responds to remote instructions, such as deploying the encryptor or executing arbitrary commands.
Once deployed via MrAgent, the Mario encryptor targets virtualization-related files within specified directories. It focuses on extensions associated with virtual machines and backups. To prevent corruption from repeated encryption, Mario excludes files containing specific strings in their names. Upon completion, it appends extensions, including .emario, to encrypted files and generates a ransom note with recovery instructions.
Earlier versions of Mario applied a single-pass encryption loop with fixed chunk sizes, processing files sequentially up to a defined threshold. In contrast, the upgraded variant implements a dual-key scheme. It generates random values for a primary 32-byte key and a secondary 8-byte key, applying separate transformation passes. This layered approach incorporates optimized buffer management within a reduced stack frame, enabling intermediate storage for headers and transformation data.
File handling in the newer samples adopts dynamic chunk sizing with calculations for offsets and variable segment lengths, supporting processing up to 8GB thresholds. It incorporates sparse techniques, encrypting selective blocks rather than entire files linearly. Progress indicators display during chunk operations, and detailed statistics report encrypted volumes, skipped items, and overall totals upon completion.
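As an added example that is not part of this report or PolySwarm's tooling, the following Python triage script looks for the footprint that selective-block encryption leaves behind: a file in which high-entropy (encrypted) blocks sit next to untouched blocks, plus the .emario extension the report mentions. The block size, entropy threshold and the sample file are assumptions constructed for the demonstration, not values taken from Mario.

```python
import math
import os
from collections import Counter

CHUNK = 4096           # analysis block size (assumption, not Mario's chunk size)
HIGH_ENTROPY = 7.5     # bits/byte; random or encrypted data sits near 8.0
MARIO_EXT = ".emario"  # extension the report says Mario appends

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte for a block; 0.0 for an empty block."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chunk_entropy_profile(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each fixed-size block. A sparse encryptor leaves encrypted
    blocks interleaved with plaintext ones, which a whole-file score hides."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]

def classify(path: str, data: bytes) -> dict:
    """Flag a file as suspect when only part of it is high-entropy (at least two
    encrypted-looking blocks but not all of them) or it carries the Mario extension."""
    profile = chunk_entropy_profile(data)
    high = sum(1 for e in profile if e >= HIGH_ENTROPY)
    ratio = high / len(profile) if profile else 0.0
    return {
        "path": path,
        "blocks": len(profile),
        "high_entropy_blocks": high,
        "high_entropy_ratio": round(ratio, 3),
        "sparse_encryption_suspected": high >= 2 and ratio < 1.0,
        "mario_extension": path.endswith(MARIO_EXT),
    }

def constructed_sample() -> bytes:
    """Constructed input (not a real sample): eight blocks, with every other
    block replaced by random bytes to imitate selective block encryption."""
    plain = (b"VMDK-like plaintext block. " * 200)[:CHUNK]
    return b"".join(os.urandom(CHUNK) if i % 2 == 0 else plain for i in range(8))

if __name__ == "__main__":
    # Constructed path: the extension check is what the report describes.
    print(classify("guest-disk.vmdk.emario", constructed_sample()))
```

Run over a directory of VM and backup files, the per-block profile separates partially encrypted files from ordinary compressed or already-encrypted ones, which are uniformly high-entropy.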
These enhancements collectively impede static analysis through non-linear processing and complex logic flows. RansomHouse's modular design, which separates operators who maintain infrastructure from affiliates who handle intrusions, lets affiliates concentrate on disrupting virtualized environments. Affiliates prioritize ESXi platforms because a single host compromise affects many virtual machines at once, amplifying operational impact.
The Jolly Scorpius group has publicly listed over 120 victims on its data leak site since late 2021, affecting organizations across sensitive industries and resulting in substantial disruptions. This encryption advancement indicates ongoing investment in technical sophistication, potentially influencing broader ransomware trends and necessitating robust detection measures focused on behavioral patterns.
IOCs
PolySwarm has a sample of MrAgent, which is associated with this activity.
8189c708706eb7302d7598aeee8cd6bdb048bf1a6dbe29c59e50f0a39fd53973