Ransomware automation: MrAgent leaves no chance for VMs

Teacher

What do the RansomHouse hackers have to do with creating new malware?

The RansomHouse group, known for its ransomware extortion operations, has developed a new malicious tool called "MrAgent". It is designed to automate the distribution of the data encryptor across multiple VMware ESXi hypervisors, which opens up new opportunities for attacks on virtual machines.

RansomHouse is a "Ransomware-as-a-Service" (RaaS) operation that was launched in December 2021 and uses double extortion tactics. In May 2022, the group created a special page on the darknet to publish the data of its victims.

Although RansomHouse's activity has not been as high as that of better-known groups such as LockBit, ALPHV/BlackCat, Play or Clop, Trellix notes that over the past year the group has repeatedly attacked large organizations.

ESXi servers are an attractive target for ransomware groups because they manage virtual computers that often store valuable data. In addition, these servers often host critical business applications and services, such as databases and email servers, which maximizes operational disruption in the event of a ransomware attack.

The MrAgent tool was designed to simplify attacks on ESXi systems by identifying the host system, disabling its firewall, and automating the deployment of ransomware on multiple hypervisors simultaneously. Because it accepts ransomware deployment configuration directly from the command-and-control server, the tool can compromise all VMs managed by a hypervisor at once.

MrAgent can also execute local commands on the hypervisor to delete files, interrupt active SSH sessions to prevent interference with the encryption process, and send information about running VMs.

Trellix analysts also reported a Windows version of MrAgent, which retains the core functionality but is adapted to that operating system, including the use of PowerShell to perform certain tasks.

Adapting the MrAgent tool to different platforms demonstrates RansomHouse's intention to maximize the impact of its malicious campaigns.

With the advent of tools like MrAgent, any organization's digital defense must include comprehensive and robust security measures, such as regular software updates, strict access control, network monitoring, and logging.
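As a defender-side illustration of the hypervisor actions described above (firewall disabled, running VMs enumerated, sessions and processes killed, files deleted), here is an added Python example that is not part of the original post or of Trellix's analysis: it runs simple detection rules over constructed ESXi shell.log lines. The log format and the esxcli commands matched are assumptions chosen for the example, not commands taken from MrAgent itself.

```python
import re

# Constructed sample ESXi /var/log/shell.log lines (assumed format:
# "<timestamp> shell[<pid>]: [<user>]: <command>"), not real telemetry.
SAMPLE_SHELL_LOG = """\
2024-02-14T10:21:40Z shell[2099657]: [root]: esxcli system version get
2024-02-14T10:21:55Z shell[2099657]: [root]: esxcli network firewall set --enabled false
2024-02-14T10:22:03Z shell[2099657]: [root]: esxcli vm process list
2024-02-14T10:22:09Z shell[2099657]: [root]: esxcli system process kill --type=force --pid=2098811
2024-02-14T10:22:15Z shell[2099657]: [root]: rm -f /vmfs/volumes/datastore1/agent.log
2024-02-14T10:30:00Z shell[2100001]: [admin]: esxcli network firewall get
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")

# One rule per MrAgent behaviour reported by Trellix (firewall off, VM listing,
# session/process termination, file deletion); the command patterns are assumed
# ESXi equivalents chosen for this example, not taken from MrAgent itself.
RULES = {
    "firewall_disabled": re.compile(r"esxcli network firewall set\b.*--enabled[ =]false"),
    "vm_enumeration": re.compile(r"esxcli vm process list|vim-cmd vmsvc/getallvms"),
    "process_kill": re.compile(r"esxcli system process kill\b"),
    "datastore_file_deletion": re.compile(r"^rm\b.*\s/vmfs/volumes/"),
}

def detect_mragent_behaviour(log_text):
    """Return [(timestamp, pid, user, rule, command)] for every matching line, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not shell audit records
        for rule, pattern in RULES.items():
            if pattern.search(m["cmd"]):
                hits.append((m["ts"], m["pid"], m["user"], rule, m["cmd"]))
    return hits

def suspicious_sessions(hits, min_rules=2):
    """Shell sessions (keyed by pid) that triggered at least min_rules distinct rules.
    One session chaining firewall-off, VM listing and process kills is the automated
    pattern worth alerting on; a lone 'firewall get' from an admin session is not."""
    by_pid = {}
    for _ts, pid, _user, rule, _cmd in hits:
        by_pid.setdefault(pid, set()).add(rule)
    return {pid: sorted(rules) for pid, rules in by_pid.items() if len(rules) >= min_rules}

if __name__ == "__main__":
    for pid, rules in suspicious_sessions(detect_mragent_behaviour(SAMPLE_SHELL_LOG)).items():
        print(f"ALERT shell session {pid}: {', '.join(rules)}")
```

On the sample, only the root session 2099657 trips several rules in sequence, while the later admin session that merely queries the firewall state is not flagged.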