RansomHouse
A data extortion and ransomware-as-a-service (RaaS) operation active since December 2021 that initially positioned itself as a pure data-theft group — stealing sensitive information and demanding payment without encrypting systems. RansomHouse has since evolved into a full double-extortion operation with upgraded multi-layered encryption, a modular attack chain separating operators from affiliates, and at least 123 confirmed victims across healthcare, finance, transportation, and government sectors. The group publicly blames its victims for poor security practices and maintains connections to other criminal operations including BianLian, Dark Angels, and Iranian state-linked access brokers.
Overview
RansomHouse emerged in December 2021 with an unusual public posture: rather than operating as a traditional ransomware gang, the group positioned itself as a collective of security researchers punishing organizations for poor cybersecurity practices. Their data leak site states that victims are the true "culprits" for leaving their networks unsecured. This framing is, of course, a rhetorical cover for straightforward criminal extortion — but it has been an effective branding strategy within the cybercrime ecosystem.
Initially, RansomHouse operated as a pure data-extortion group, stealing sensitive data and demanding payment without ever encrypting victim systems. This approach was stealthier than traditional ransomware because the absence of encryption meant fewer alarms were triggered, potentially extending dwell time. If victims refused to pay, their data was published on the group's Tor-based leak site or sold to other criminal buyers.
By late 2024 and into 2025, the group evolved significantly. Palo Alto Networks Unit 42 (which tracks the group as Jolly Scorpius) documented an upgrade from a simple single-phase encryption routine to a multi-layered, dual-key encryption architecture using a tool called "Mario" (also known as MarioLocker). This encryptor, derived from the Babuk ransomware lineage, generates both a 32-byte primary key and an 8-byte secondary key, executing separate encryption passes that interlock — making recovery without payment significantly harder. The group now operates a full double-extortion model: stealing data first, then encrypting systems, and threatening to publish if victims refuse to pay.
RansomHouse maintains a modular operational structure separating operators (who build tools, manage the leak site, and handle cryptocurrency) from attackers/affiliates (who conduct initial access, lateral movement, and deployment). This RaaS model allows affiliates to switch between different ransomware services, and researchers have observed connections between RansomHouse operators and groups including BianLian, Dark Angels, Stormous, and Snatch. Iranian state-linked group Pioneer Kitten has also been documented providing initial access to RansomHouse as part of a broader arrangement with ransomware operations.
RansomHouse affiliates specifically target VMware ESXi infrastructure with MarioLocker variants designed for hypervisor environments. Organizations running virtualized infrastructure should treat ESXi hardening as a priority defensive measure against this actor.
Target Profile
RansomHouse targets a broad range of sectors, with a clear pattern of hitting organizations holding high-value data that maximizes extortion leverage.
- Healthcare: A recurring target. In 2025, RansomHouse hit at least five healthcare entities including Greater Pittsburgh Orthopaedic Associates (56,954 patients affected), North East Medical Services (91,513 patients via third-party UnitedLayer), and the multinational healthcare provider Keralty (6 million patients, breached 2022). Healthcare data commands premium prices because of its regulatory sensitivity.
- Manufacturing and technology: High-profile targets include AMD (450GB of financial data and research stolen in 2022) and Luxshare Precision Industry (proprietary CAD files, PCB designs, and engineering data exfiltrated late 2025). The group specifically seeks proprietary engineering and production data with downstream supply chain value.
- Government and law enforcement: Targets include the government of Vanuatu (December 2022) and the Warren County Sheriff's Office in Kentucky (December 2025), where the group published evidence packs including weapons license data.
- Finance and critical infrastructure: Financial institutions, transportation companies, and critical infrastructure operators round out the target profile. The group is opportunistic — targeting any organization with valuable data and weak defenses.
- Geographic scope: Primarily North America and Europe, with confirmed victims also in Asia-Pacific, Latin America, and Africa. Recent victims in early 2026 span manufacturing firms across Europe and Asia.
Tactics, Techniques & Procedures
| MITRE ID | Technique | Description |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Primary initial access via unpatched vulnerabilities including Citrix NetScaler, Palo Alto GlobalProtect (CVE-2024-3400), and Log4Shell. Also uses initial access brokers including Iranian state-linked Pioneer Kitten. |
| T1566 | Phishing | Spearphishing emails used to deliver initial payloads. Vatet Loader and other commodity loaders deployed through phishing campaigns to establish initial footholds. |
| T1059 | Command and Scripting Interpreter | Post-exploitation via Cobalt Strike beacons and Metasploit framework. Both used for persistence, lateral movement, and command execution within victim environments. |
| T1003 | OS Credential Dumping | Mimikatz deployed for credential harvesting. Stolen credentials used for lateral movement and privilege escalation across domain-joined systems. |
| T1567 | Exfiltration Over Web Service | Data exfiltration via Rclone to attacker-controlled cloud storage prior to encryption. Stolen data staged for publication on the RansomHouse Tor leak site if ransom is not paid. |
| T1486 | Data Encrypted for Impact | MarioLocker (Mario) encryptor deploys multi-layered dual-key encryption: 32-byte primary + 8-byte secondary key with interlocking passes. Targets VMware ESXi environments. Files encrypted with .emario or .RH extensions. |
| T1489 | Service Stop | MarioLocker ESXi variants delete .log files from /var/log, stop virtual machine services, and target virtualization-specific file extensions to maximize operational disruption. |
| T1657 | Financial Theft | Double-extortion model: ransom demanded in Bitcoin for both decryption keys and non-publication of stolen data. If victim refuses, data is published on leak site or sold to other buyers. |
Known Campaigns
- Greater Pittsburgh Orthopaedic Associates (GPOA), 2025: Unauthorized access to GPOA's IT network was discovered August 10, 2025. RansomHouse claimed responsibility August 20, 2025, publishing a proof pack on its leak site. 56,954 individuals were affected. Compromised data included names, mailing addresses, Social Security numbers, and provider names. Patients were not notified until February 2026.
- UnitedLayer / North East Medical Services (NEMS), 2025: RansomHouse breached UnitedLayer, a San Francisco-based data center and hosting provider, claiming to have encrypted its data. The downstream impact reached North East Medical Services (NEMS), which notified 91,513 patients that Social Security numbers and medical information were compromised through its third-party software provider.
- Luxshare Precision Industry, late 2025: Breach of the China-based electronics manufacturing giant supplying precision components to global technology and automotive manufacturers. RansomHouse published evidence packs containing proprietary 3D CAD models, PCB design data, Gerber files, and engineering documentation associated with major technology and automotive companies.
- AMD, 2022: Compromised Advanced Micro Devices and stole 450GB of financial data and research, including a CSV file containing a list of over 70,000 devices on AMD's internal network. AMD was added to the leak site after RansomHouse deemed ransom negotiations "too time consuming." Access was reportedly provided by an access broker or insider.
- Keralty, 2022: Breached the multinational Colombian healthcare organization operating 12 hospitals and 371 medical centers serving 6 million patients. The attack disrupted IT operations, scheduling, and website functionality. Patients waited over twelve hours for care, with reports of individuals fainting due to lack of medical attention.
Tools & Malware
RansomHouse uses a mix of custom encryption tooling and commodity offensive frameworks.
- MarioLocker (Mario): The group's primary encryptor, derived from the Babuk ransomware lineage. Upgraded in late 2025 from single-phase to multi-layered dual-key encryption (32-byte primary + 8-byte secondary key). ESXi-specific variants target virtualization files, encrypt with the .emario extension, and require parameterized execution with victim IP addresses. Uses Linux /dev/urandom for encryption key generation.
- MrAgent: RansomHouse's deployment and persistence utility for managing ransomware distribution across compromised environments. Used alongside MarioLocker to impair operational continuity and recovery.
- Cobalt Strike: Primary post-exploitation framework for persistence and lateral movement within victim networks.
- Metasploit: Additional exploitation framework used alongside Cobalt Strike for initial compromise and privilege escalation.
- Mimikatz: Credential dumping tool for harvesting domain credentials and enabling lateral movement across Active Directory environments.
- Rclone: Open-source cloud sync tool repurposed for bulk data exfiltration to attacker-controlled storage prior to encryption.
- Vatet Loader: Third-party loader used in phishing campaigns to deliver initial payloads and establish footholds in victim environments.
Mitigation & Defense
Defending against RansomHouse requires hardening against both the initial access vectors and the ESXi-targeted encryption.
- Patch internet-facing appliances immediately: RansomHouse exploits known vulnerabilities in Citrix NetScaler, Palo Alto GlobalProtect, and Log4j. Maintain a 24-48 hour patch window for critical perimeter vulnerabilities.
- Harden VMware ESXi: MarioLocker specifically targets ESXi environments. Disable unnecessary ESXi services, restrict management access to isolated networks, enable lockdown mode, and maintain offline backups of VM configurations and data.
- Monitor for Rclone and exfiltration tools: RansomHouse exfiltrates data before encryption. Detect unauthorized use of Rclone, cloud sync tools, and large outbound data transfers to unknown cloud endpoints.
- Credential hygiene: Deploy LAPS or equivalent for local admin passwords. Monitor for Mimikatz indicators and anomalous Kerberos ticket activity. Segment privileged accounts from standard user credentials.
- Backup isolation: Maintain offline, air-gapped backups tested regularly for restoration. MarioLocker targets backup files and virtualization snapshots — online backups accessible from the compromised network will be encrypted.
- Monitor the RansomHouse leak site: Threat intelligence teams should monitor the RansomHouse Tor leak site and associated Telegram PR channel for mentions of their organization. The group sometimes lists victims before encryption is complete, providing a narrow window for accelerated response.
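As an added illustration of the "Monitor for Rclone" and ESXi items above (example code written for this profile, not tooling from any vendor or from the sources cited), the script below runs two checks over constructed telemetry: Rclone-style exfiltration command lines, including a renamed binary identified by its argument shape, and a burst of files gaining the .emario/.RH suffix the TTP table attributes to MarioLocker. The event schema, hostnames, paths and threshold are assumptions for the example.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath, PurePosixPath

# Constructed sample telemetry (process creations and file writes); not from any real incident.
EVENTS = [
    {"host": "fs01", "type": "process", "image": r"C:\Users\svc\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Finance remote:bucket --transfers 32 --config C:\Users\svc\r.conf"},
    {"host": "fs01", "type": "process", "image": r"C:\Windows\Temp\svchost.exe",
     "cmdline": r"svchost.exe sync E:\HR mega:dump --transfers 16"},       # renamed rclone binary
    {"host": "ws07", "type": "process", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a backup.7z D:\docs"},                            # benign archiver
    {"host": "esx01", "type": "file", "path": "/vmfs/volumes/ds1/vm1/vm1.vmdk.emario"},
    {"host": "esx01", "type": "file", "path": "/vmfs/volumes/ds1/vm1/vm1.vmx.emario"},
    {"host": "esx01", "type": "file", "path": "/vmfs/volumes/ds1/vm2/vm2-flat.vmdk.emario"},
    {"host": "ws07", "type": "file", "path": r"C:\Users\a\report.docx"},  # benign write
]

# Rclone syntax is "<verb> <source> <remote-name>:<path>"; remote names are words, not drive letters,
# so "copy D:\a E:\b" (cmd.exe builtin) does not match but "copy D:\a remote:b" does.
RCLONE_VERB = re.compile(r"\b(copy|sync|move)\b\s+\S+\s+[A-Za-z][\w-]+:\S*", re.I)
RCLONE_FLAGS = ("--transfers", "--config", "--bwlimit", "--no-check-certificate")
RH_SUFFIX = re.compile(r"\.(emario|rh)$", re.I)  # extensions the profile attributes to MarioLocker


def basename(path: str) -> str:
    """Last path component for either Windows or POSIX paths."""
    return PureWindowsPath(path).name if "\\" in path else PurePosixPath(path).name


def detect_rclone(events):
    """Return (host, reason) for process events that look like Rclone exfiltration."""
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        name = basename(e["image"]).lower()
        if name in ("rclone.exe", "rclone"):
            hits.append((e["host"], "rclone binary executed"))
        elif RCLONE_VERB.search(e["cmdline"]) and any(f in e["cmdline"] for f in RCLONE_FLAGS):
            hits.append((e["host"], f"rclone-style command line from {name}"))
    return hits


def detect_rh_encryption(events, threshold=3):
    """Hosts where at least `threshold` written files carry a .emario or .RH suffix."""
    per_host = Counter(e["host"] for e in events
                       if e["type"] == "file" and RH_SUFFIX.search(basename(e["path"])))
    return {h: n for h, n in per_host.items() if n >= threshold}


if __name__ == "__main__":
    print(detect_rclone(EVENTS))
    print(detect_rh_encryption(EVENTS))
```

Feeding real EDR process and file telemetry into the same two functions gives an early signal for the pre-encryption exfiltration stage and the start of ESXi encryption, respectively.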
RansomHouse's connections to other criminal groups are worth tracking. Analyst1 documented shared email addresses between RansomHouse and BianLian, cross-claimed victims with Snatch, Stormous, and Abyss, and infrastructure links to Dark Angels via the Dunghill Leak site. CISA has also documented Iranian state-linked group Pioneer Kitten providing initial access to RansomHouse, NoEscape, and BlackCat in exchange for a cut of ransom proceeds. This web of affiliations means a RansomHouse compromise may involve tooling and TTPs from multiple criminal groups — defenders should not assume a single-actor playbook during incident response.
Sources & Further Reading
Attribution and references used to build this profile.
- NoHacky — GPOA Data Breach: RansomHouse Healthcare Attack (2025)
- Palo Alto Unit 42 — From Linear to Complex: An Upgrade in RansomHouse Encryption (2025)
- Analyst1 — RansomHouse: Stolen Data Market, Influence Operations & Other Tricks (2025)
- SCILabs — Threat Profile: RansomHouse / MarioLocker Analysis