RansomHouse
RansomHouse, also tracked as Jolly Scorpius and referred to in the content as RansomHouse Group, is a financially motivated ransomware/extortion operation described in multiple sources as a ransomware-as-a-service (RaaS) group that emerged in late 2021. The group uses double extortion, combining data theft with encryption and threats to leak stolen data, although reporting also notes that RansomHouse has at times operated in an extortion-only model without encryption. It presents itself as a “professional mediator community” and often pressures victims through its Tor-based leak site and negotiation portals, including use of labels such as “Evidence Depends on You.” The content states that RansomHouse has targeted organizations across healthcare, government, manufacturing, technology, transportation, finance, retail, and critical infrastructure. Mentioned victims or claimed victims include Mission Community Hospital/Deanco Healthcare, AMD, Trellix, IFX Networks-related Colombian government disruptions, Irec SAS/Vivaticket, Luxshare, Askul, Warren County Sheriff’s Office (KY), and Greater Pittsburgh Orthopaedic Associates. The group has also been linked in reporting to attacks affecting European cultural institutions through Vivaticket’s French subsidiary and to prior activity against Colombian healthcare provider Keralty. Tactics and techniques directly mentioned in the content include exploitation of exposed services, weak credentials, phishing, vulnerable remote access systems, and in one reported case attacker-claimed exploitation of Citrix remote access software and VMware ESXi infrastructure. RansomHouse is repeatedly associated with targeting VMware ESXi environments to maximize impact across virtual machines. The group is described as exploiting weak domain credentials and backup-related access, exfiltrating data to cloud services such as MEGA and put.io, and using CDN infrastructure for exfiltration in some cases. Reporting also states that RansomHouse has been observed using commercial EDR killers sourced from underground marketplaces. Its tooling, as described in the content, includes the Mario/Mario ESXi ransomware and the MrAgent deployment/management tool. Mario ESXi is described as sharing lineage or code with the leaked Babuk source code and as targeting virtualization and backup-related file types. MrAgent is described as a C2-driven tool used to automate ransomware deployment at scale, especially across ESXi hypervisors, including collecting host and VM information, disabling the ESXi firewall, executing commands, and orchestrating encryption. The content also describes an upgraded Mario encryptor with a more complex two-stage encryption design. The content notes that RansomHouse has been observed both as a direct extortion actor and in broader ransomware ecosystem relationships. One source says 8Base was reported to be linked to RansomHouse, and another states Iranian actors were known to work as affiliates with Russian ransomware gangs including NoEscape, RansomHouse, and ALPHV/BlackCat. The content also states that RansomHouse has collaborated with or been associated in reporting with other ransomware actors in the broader ecosystem. Only high-confidence details from the provided content indicate that RansomHouse is a criminal, financially motivated extortion/ransomware operation rather than a confirmed nation-state actor.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Capital Goods
Where they target
Geographies tied to known operations.
- 🇨🇳 China
Tradecraft
28 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
4 malware families attributed to this actor across reporting.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.
CVE-2018-10562 8.9 Dasan GPON Home Routers LockBit, RansomHouse, Crypto24 Link
Based on their 90-day average detection rates, CVE-2019-12780 leads the list... CVE-2019-12780 9.8 Belkin Wemo Smart Plug LockBit, RansomHouse No
Observables
2 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Claimed responsibility for the cyberattack against Mission Community Hospital and stated that it exfiltrated approximately 2.5 TB of data containing sensitive patient information.
Financially motivated cyber extortion group that emerged in late 2021. It is described as focusing initially on stealing data and extorting victims rather than encrypting systems, and has targeted large organizations worldwide including healthcare providers, retailers, government agencies, technology firms, and critical infrastructure operators.
Claimed responsibility for unauthorized access to part of Trellix's source code repository and used leak-site pressure tactics to push the victim into negotiations before public release of stolen data.
Ransomware and data exposure activity targeting Chinese organizations, including a major manufacturer; also listed among notable ransomware actors affecting China.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.