‘MrAgent’ ransomware tool from RansomHouse Group targets ESXi servers


A new ransomware tool called “MrAgent” operates as a binary designed to run primarily on VMware ESXi hypervisors with the sole purpose of automating and tracking the deployment of ransomware across large environments with multiple hypervisors.

In a Feb. 14 blog post, Trellix researchers identified the gang responsible, the RansomHouse Group, as a ransomware-as-a-service operation that emerged in late 2021 and has been actively deploying ransomware variants against corporate networks since.

RansomHouse mainly targeted Italy in 2022, but that changed in 2023 as the United States was hit 47.37% of the time. The industrials and technology sectors were targeted 44.74% of the time in 2023.

The researchers said RansomHouse extorts its victims twice: first by encrypting victim files and demanding a ransom, and second by “naming and shaming” victims who do not pay on their site where they publish the victim’s stolen data.

“Their tactics, techniques, and procedures show a mature and sophisticated level of execution, leveraging content delivery network servers for exfiltration, and utilizing a Tor-based chat room for victim negotiations,” wrote the researchers, who added that RansomHouse tries to cultivate the image of a “professional mediator community.”

Because RansomHouse targets ESXi servers with MrAgent, security teams should make it an immediate priority to protect the hosts running their VMware infrastructure, said Balazs Greksza, threat response lead at Ontinue.

“This includes hypervisors, with security solutions, such as EDR and hardening, both on-prem and in the cloud,” said Greksza. “Many EDR vendors are successfully preventing MrAgent — and they could help in looking out for suspicious activity.”

Callie Guenther, senior manager, cyber threat research at Critical Start, added that VMware ESXi servers are commonly used for virtualization in enterprises, making them attractive targets. Guenther said MrAgent automates ransomware deployment, increasing attack efficiency and complicating defense efforts.

“RansomHouse has been a RaaS operation since December 2021, using double extortion tactics,” said Guenther. “Despite being less known than groups like LockBit or ALPHV/BlackCat, it targets large organizations and has a dark web page for victim extortion.”
