Advisory February 19, 2024

RansomHouse group infiltrates VMware ESXi servers

Obrela TI Team

RansomHouse group infiltrates VMware ESXi servers through MrAgent tool


It has been discovered that the RansomHouse ransomware group has introduced a new tool named MrAgent, designed to streamline the deployment of its data encrypter across multiple VMware ESXi hypervisors. RansomHouse emerged in December 2021 and functions as a ransomware-as-a-service (RaaS) group, employing double extortion tactics. Renowned for utilizing a distinct ransomware variant dubbed Mario ESXi, together with MrAgent, the group targets both Windows and Linux-based systems. This advancement enhances their ability to target VMware ESXi infrastructure efficiently. It’s crucial to remain vigilant and fortify security measures to safeguard our systems against such threats.



The RansomHouse group focuses its efforts on infiltrating VMware ESXi servers through their specialized tool, MrAgent, for several key reasons:

  1. High Value Targets:
    • VMware ESXi servers are integral components of enterprise environments, hosting critical workloads, databases, and applications.
    • Targeting these servers allows RansomHouse to inflict substantial financial losses and operational disruptions on organizations.
  2. Centralized Control:
    • MrAgent simplifies the deployment of RansomHouse’s data encrypter across multiple ESXi hypervisors.
    • This centralized approach enables simultaneous infection of numerous virtual machines (VMs), thereby enhancing the likelihood of successful extortion.
    • MrAgent identifies target ESXi hypervisors, disables their firewalls, and automates ransomware deployment, compromising all managed VMs at once.
  3. Double Extortion Strategy:
    • RansomHouse employs a double extortion tactic, encrypting data and threatening to leak sensitive information if ransom demands aren’t met.
    • ESXi servers, housing critical business data, are prime targets for this strategy, as organizations are more inclined to pay to prevent data breaches.
  4. Unique Ransomware Variant:
    • RansomHouse utilizes a custom ransomware variant, Mario ESXi, tailored to exploit ESXi infrastructure, effectively compromising VMs on these servers.
  5. Market Demand:
    • Ransomware-as-a-service (RaaS) groups like RansomHouse meet the growing demand for cybercriminal services, enabling them to profit from successful attacks orchestrated by others.
  6. Leveraging Vulnerabilities:
    • RansomHouse capitalizes on vulnerabilities or misconfigurations in ESXi servers, swiftly identifying and exploiting them using the MrAgent tool.

Impact and Intentions:

ESXi servers host critical applications and services, amplifying the operational disruption caused by ransomware attacks. MrAgent’s stealthy approach minimizes detection while maximizing the attack’s impact by targeting all accessible VMs simultaneously. Finally, RansomHouse’s cross-platform use of MrAgent underscores their intent to broaden its effectiveness and magnify the impact of their campaigns on Windows and Linux systems alike.


To prevent the MrAgent vulnerability and protect your VMware ESXi servers, consider implementing the following measures:

  • Patch Management: Consistently apply security updates and patches to your ESXi servers, ensuring they can mitigate known vulnerabilities.
  • Access Management: Enforce strict access controls employing robust authentication methods and limiting administrative privileges exclusively to authorized personnel. Adhering to the principle of least privilege is imperative because it ensures granting permissions only as necessary.
  • Network Segregation: Isolate ESXi servers within dedicated network segments, restricting access to essential services and ports to avoid potential lateral movements by malicious actors.
  • Security Solutions Deployment: Implement security solutions such as Intrusion Detection/Prevention Systems (IDPS) to detect and block malicious activities, utilize firewalls to handle incoming and outgoing traffic, and employ antivirus software for scanning against known malware.
  • Backup and Restoration: Regularly back up virtual machines (VMs) and ESXi configurations. Backups are indispensable for recovery in the event of a ransomware incident.
  • Education and Awareness Initiatives: Provide staff training on security best practices to foster a culture of heightened awareness and preparedness.


earth and shield - Advisory image