RansomHouse Automated Attacks Using Tool Dubbed MrAgent

The RansomHouse group recognized as a Ransomware-as-a-Service (RaaS), surfaced in the latter part of 2021 and has been actively utilizing ransomware variants to compromise corporate networks.

RansomHouse ransomware employs phishing and spear phishing emails as its primary attack vectors. Additionally, they leverage third-party frameworks, such as Vatet Loader, Metasploit, and Cobalt Strike to enhance their attack capabilities.


The group extorts its victims twice: first by encrypting their files and demanding a ransom, and then by naming and shaming non-paying victims on their site, where they also disclose the victim’s stolen data.

Recently, the group has been identified using MrAgent, a newly developed tool that facilitates the continuous and widespread distribution of ransomware.

Live Account Takeover Attack Simulation

How do Hackers Bypass 2FA?

Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks .

“Their tactics, techniques, and procedures (TTPs) show a mature and sophisticated level of execution, leveraging content delivery network (CDN) servers for exfiltration, and utilizing a Tor-based chat room for victim negotiations”, Trellix shared with Cyber Security News.

“This group is identified for using a unique ransomware variant, dubbed Mario ESXi, along with MrAgent, to target both Windows and Linux-based systems.”

Impacted Sectors
Impacted Sectors

How MrAgent Used to Deploy Malware?

MrAgent is a binary designed to run on hypervisors with the express intention of automating and tracking ransomware deployment across big settings containing many hypervisor systems.

The binary connects to a collection of command and control servers, which must be specified as a command-line argument. Upon initialization, the agent generates a unique system host ID, obtains the local IP address, and turns down the system’s firewall.

Further, the binary will then initiate an infinite loop that will send out a heartbeat, connect to each command and control server in a round-robin manner, and wait for commands.

The binary can plan and monitor the release of a ransomware binary. The binary also has extra capabilities to retrieve information about the hypervisor environment remotely, such as the virtual machines and their properties executing on the hypervisor.

Additionally, it can be used to drop all active (non-root) SSH sessions to the system, remove files, modify the welcome message shown on the hypervisor’s monitor, and run commands locally on the machine.

Researchers noticed an increase in RansomHouse group’s attacks from just one in 2022 to eleven in 2023 against firms with yearly revenues between $10M and $50M. The same gains apply to companies with revenue ranging from $1 million to $500 million, indicating a shift in focus toward medium-sized organizations.

According to Malwarebytes researchers, the ransomware groups have established communication channels, including a Telegram account and a leak site, to interact with victims, journalists, and individuals interested in monitoring their activities, similar to other ransomware groups.

Telegram account (Source : Malwarebytes)

Defenders are, therefore, urged to observe how threat actors operate and to tailor their security perimeter to both anticipate and respond to such attacks.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.