Threat group Jolly Scorpius has integrated double extortion capabilities into its updated RansomHouse ransomware-as-a-service platform, Cyber Security News reports.
According to Palo Alto Networks Unit 42 researchers, RansomHouse has primarily targeted VMware ESXi hypervisors to facilitate widespread virtual machine encryption. The RaaS toolkit's MrAgent component allows command-and-control server connections and automated ransomware delivery, while the refreshed Mario encryptor uses a two-stage encryption process that hinders decryption by leveraging primary and secondary keys.
The updated encryptor also further complicates analysis: it targets VMDK, VMSN, VSWP, and other files with virtualization-specific extensions, as well as Veeam backups, using limited encryption methods, and Mario later displays encrypted data volumes, file counts, processing results, and other statistics.
With the findings showing ransomware operations' continuously evolving capabilities, network defenders have been urged to implement more sophisticated detection and response methods.
Upgraded RansomHouse RaaS platform examined




