RansomHouse Ransomware Upgrades with Double Extortion and Advanced Encryption
RansomHouse, operated by the group known as Jolly Scorpius, has significantly evolved its ransomware-as-a-service (RaaS) platform by integrating a double extortion strategy that combines data theft with encryption. This approach increases pressure on victims by threatening both operational disruption and public data leaks. Since December 2021, RansomHouse has targeted at least 123 organizations across critical sectors such as healthcare, finance, transportation, and government, resulting in substantial financial losses and severe data breaches. The group employs a sophisticated attack chain, with roles divided among operators, attackers, and infrastructure providers, and often gains initial access through spear-phishing or exploiting vulnerable systems. Once inside, attackers use specialized tools to maximize impact, particularly targeting VMware ESXi hypervisors to encrypt large numbers of virtual machines simultaneously, amplifying operational disruption.
Recent technical analysis reveals that RansomHouse has upgraded its encryption methods from a simple, linear approach to a more complex, multi-layered technique, making detection and recovery more challenging for defenders. The toolkit includes the 'MrAgent' management and deployment tool, which automates ransomware deployment and maintains persistent connections to command-and-control servers, and the 'Mario' encryptor, which represents the latest advancement in their arsenal. These upgrades, combined with the double extortion model, have made RansomHouse a formidable threat, prompting security vendors to enhance their protective measures and urging organizations to remain vigilant against this evolving ransomware operation.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Unit 42 publishes technical analysis and IOCs for RansomHouse tooling
Palo Alto Networks Unit 42 released a detailed report describing the upgraded Mario encryptor, the MrAgent deployment component, ransom note behavior, file-renaming conventions, and example command-and-control instructions. The report also published SHA-256 indicators for MrAgent and both Mario variants to support threat hunting and detection.
RansomHouse upgrades Mario encryptor to multi-layered dual-key encryption
By December 2025, RansomHouse had upgraded its Mario encryptor from a simpler linear approach to a more complex two-stage scheme using primary and secondary keys, dynamic chunk sizing, and sparse or intermittent encryption. The changes increased speed, reliability, and resistance to analysis and decryption, especially in virtualized environments.
RansomHouse targets at least 123 organizations across critical sectors
Since December 2021, RansomHouse has listed at least 123 victims spanning healthcare, finance, transportation, and government. The campaign notably focused on disruptive environments such as VMware ESXi and virtualization infrastructure.
RansomHouse begins publicly listing victims on its leak site
RansomHouse activity was observed from at least December 2021, when victims began appearing on the group's data leak site. The operation used a double-extortion model, stealing data and encrypting systems to pressure organizations into paying.
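The sparse or intermittent encryption described for the upgraded Mario encryptor is a problem for detection logic that judges a file by its whole-file entropy: a file that is half ciphertext and half untouched data averages out below the usual "encrypted" threshold. The added example below (not code from Unit 42, Mallory, or any of the cited sources) shows the defender-side check that survives this: score the file chunk by chunk and flag the interleaving of high- and low-entropy regions. The chunk size and both thresholds are assumed values, and the three sample files are constructed here, with seeded pseudo-random bytes standing in for ciphertext.

```python
import math
import random
from typing import Dict, List

# Assumed tuning (hypothetical values, not taken from the Unit 42 report)
CHUNK_SIZE = 4096        # granularity at which a file is inspected
HIGH_ENTROPY = 7.5       # bits/byte: a chunk at or above this looks encrypted/compressed
LOW_ENTROPY = 6.0        # bits/byte: a chunk at or below this looks like ordinary data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> List[float]:
    """Entropy of each fixed-size chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE) -> str:
    """'clean', 'fully_encrypted', 'intermittent' (ciphertext and plaintext
    chunks interleaved) or 'suspicious' (mixed, but no clearly-plaintext chunk)."""
    ents = chunk_entropies(data, chunk_size)
    high = [e >= HIGH_ENTROPY for e in ents]
    low = [e <= LOW_ENTROPY for e in ents]
    if not any(high):
        return "clean"
    if all(high):
        return "fully_encrypted"
    if any(low):
        return "intermittent"
    return "suspicious"


def scan_report(data: bytes, chunk_size: int = CHUNK_SIZE) -> Dict[str, object]:
    """Whole-file verdict next to the per-chunk verdict, so the two can be compared."""
    whole = shannon_entropy(data)
    return {
        "whole_file_entropy": round(whole, 2),
        "whole_file_flagged": whole >= HIGH_ENTROPY,
        "chunk_entropies": [round(e, 2) for e in chunk_entropies(data, chunk_size)],
        "verdict": classify(data, chunk_size),
    }


# --- Constructed sample files (synthetic; not real victim data) -------------
_LINE = b"Quarterly revenue report, region north: units 1240, margin 12.5 percent.\n"
_TEXT_CHUNK = (_LINE * (CHUNK_SIZE // len(_LINE) + 1))[:CHUNK_SIZE]

_rng = random.Random(20251201)   # fixed seed so the samples are reproducible


def _random_chunk() -> bytes:
    # Stands in for a ciphertext block: uniform pseudo-random bytes, not a real cipher.
    return bytes(_rng.getrandbits(8) for _ in range(CHUNK_SIZE))


CLEAN_FILE = _TEXT_CHUNK * 8
FULLY_ENCRYPTED_FILE = b"".join(_random_chunk() for _ in range(8))
# Every other chunk replaced by ciphertext: the footprint sparse/intermittent encryption leaves.
INTERMITTENT_FILE = b"".join(
    _random_chunk() if i % 2 == 0 else _TEXT_CHUNK for i in range(8))


if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_FILE),
                       ("fully_encrypted", FULLY_ENCRYPTED_FILE),
                       ("intermittent", INTERMITTENT_FILE)]:
        print(name, scan_report(blob))
```

Run against the constructed samples, the whole-file score flags only the fully encrypted file, while the per-chunk verdict also catches the intermittently encrypted one. In practice the same logic fits in a file-integrity or EDR scanner that watches recently modified files; the thresholds need tuning per environment, because compressed archives and media files legitimately produce high-entropy chunks.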
Sources
4 references tracked.
Think you can beat ransomware? RansomHouse just made it a lot harder
csoonline.com (open source)
RansomHouse upgrades encryption with multi-layered data processing
bleepingcomputer.com (open source)
RansomHouse RaaS Service Upgraded with Double Extortion Strategy that Steals and Encrypt Data
cybersecuritynews.com (open source)
From Linear to Complex: An Upgrade in RansomHouse Encryption
unit42.paloaltonetworks.com (open source)