RansomHouse, a ransomware group known for its double extortion tactics, has developed a new tool named 'MrAgent' to facilitate the widespread deployment of its data encrypter on VMware ESXi hypervisors.
Since its emergence in December 2021, RansomHouse has been targeting large organizations, although it hasn't been as active as some other notorious ransomware groups. Nevertheless, it has been employing sophisticated methods to infiltrate systems and extort victims.
ESXi servers are a prime target for ransomware attacks due to their role in managing virtual computers containing valuable data for businesses. Disrupting these servers can cause significant operational damage, impacting critical applications and services like databases and email servers.
Researchers from Trellix and Northwave have identified a new binary associated with RansomHouse attacks, designed specifically to streamline the process of targeting ESXi systems. This tool, named MrAgent, automates the deployment of ransomware across multiple hypervisors simultaneously, compromising all managed virtual machines.
MrAgent is highly configurable, allowing attackers to customize ransomware deployment settings received from the command and control server. This includes tasks such as setting passwords, scheduling encryption events, and altering system messages to display ransom notices.
By disabling firewalls and terminating non-root SSH sessions, MrAgent aims to minimize detection and intervention by administrators while maximizing the impact of the attack on all reachable virtual machines.
Trellix has identified a Windows version of MrAgent, indicating RansomHouse's efforts to broaden the tool's reach and effectiveness across different platforms.
The automation of these attack steps underscores the attackers' determination to target large networks efficiently. Defenders must remain vigilant and implement robust security measures, including regular updates, access controls, network monitoring, and logging, to mitigate the threat posed by tools like MrAgent.