MalwareRansomwareExploits 1 CVE

RansomHouse

Also known asjolly_scorpius

RansomHouse is a ransomware-as-a-service (RaaS) operation associated with the threat group Jolly Scorpius. First observed in 2021, it initially used an extortion-only model centered on data theft and threats to leak stolen information, and later evolved to include file encryption as part of a double-extortion model. The operation has publicly listed at least 123 victims on its leak site since December 2021 and has impacted organizations in healthcare, finance, transportation, and government.

RansomHouse targets Windows and Linux, with a notable focus on VMware ESXi environments to maximize disruption by encrypting large numbers of virtual machines simultaneously. Initial access has been reported via spear phishing, social engineering, exploitation of vulnerable systems, Log4Shell, or through initial access brokers. Post-compromise activity described in the content includes use of Cobalt Strike for persistence and Rclone for data exfiltration.

Its tooling includes a management/deployment component called MrAgent and an encryptor called Mario. MrAgent is used to automate ransomware deployment across ESXi environments, maintain persistent C2 connectivity, collect host information, disable the ESXi firewall, and execute commands including stopping vCenter remote management and initiating VM encryption. Mario targets virtualization- and backup-related file types including ova, ovf, vbk, vbm, vib, vmdk, vmem, vmsd, vmsn, and vswp. It drops a ransom note named "How To Restore Your Files.txt" and renames encrypted files with extensions containing "mario"; the content also notes .RH extensions in some reporting.

Recent reporting in the content states that RansomHouse upgraded its encryption from a simpler single-pass approach to a more complex dual-key, two-stage process using a 32-byte primary key and an 8-byte secondary key, along with dynamic chunk processing and sparse encryption. This upgrade was described as a significant escalation that complicates analysis and decryption. The malware is written in Golang according to the provided content.

The content also notes that RansomHouse has been referenced in reporting on Iranian actors partnering with affiliates of the NoEscape, RansomHouse, and AlphV ransomware operations and taking a percentage of ransom payments. In 2025, the content states RansomHouse hit at least five healthcare entities, including a U.S. hospital chain in March and a European clinic in May. A sample of MrAgent associated with this activity is identified in the content with SHA-256: 8189c708706eb7302d7598aeee8cd6bdb048bf1a6dbe29c59e50f0a39fd53973.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVES

CVE-2025-55182React2ShellExploited in the wild

"A critical remote code execution (RCE) vulnerability, identified as CVE-2025-55182 and dubbed React2Shell, exists within the React Server Components (RSC) architecture, allowing unauthenticated attackers to execute arbitrary code..."

via f5 communitycommunity.f5.com

MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Impact

1 technique

T1486Data Encrypted for ImpactEvidence2

The actors have partnered with affiliates of the NoEscape, Ransomhouse and AlphV ransomware operations ... In some cases the hackers have worked with ransomware gangs to “lock victim networks and strategize on approaches to extort victims.”

ACTIVITY FEED

Recent activity

17 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

17 SOURCESView more in app

the record mediaNews

May 7, 2026

Iranian government hackers using Chaos ransomware as cover, researchers say | The Record from Recorded Future News

Ransomware operation whose affiliates were reportedly partnered with Iranian actors for financially motivated activity.

the record mediaNews

Feb 24, 2026

North Korean state hackers seen using Medusa ransomware in attacks on US, Middle East | The Record from Recorded Future News

Ransomware/extortion operation referenced as having affiliates that partnered with Iranian actors for monetization.

cso onlineNews

Jan 7, 2026

Neue Ransomware-Bedrohung zielt auf deutsche Unternehmen

Ransomhouse is a Ransomware-as-a-Service (RaaS) operation that targets organizations, particularly those using VMware ESXi infrastructure, with advanced dual-key encryption and double extortion tactics (encryption and data theft).

f5 communityNews

Dec 30, 2025

F5 Threat Report - December 31st, 2025 | DevCentral

Ransomware/extortion brand listed among malware observed/associated with React2Shell exploitation activity (no additional campaign detail provided in the content).

+13 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities1

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping1

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.