RansomHouse gang automates VMware ESXi attacks with new MrAgent tool (Security News, February 2024)
The RansomHouse ransomware operation has created a new tool named 'MrAgent' that automates the deployment of its data encrypter across multiple VMware ESXi hypervisors.
ESXi servers often run critical applications and services for businesses, including databases and email servers, so encrypting them maximizes the operational disruption caused by a ransomware attack.
Trellix analysts have spotted a new binary used in RansomHouse attacks that appears to be specifically designed to streamline the gang's attacks on ESXi systems.
MrAgent's core function is to identify the host system, turn off its firewall, and then automate the ransomware deployment process across multiple hypervisors simultaneously, compromising all managed VMs. The tool supports custom configurations for ransomware deployment received directly from the command and control server.
MrAgent can also execute local commands on the hypervisor that it receives from the C2, for example to delete files, drop active SSH sessions to prevent interference during the encryption process, and send back information about the running VMs. By disabling the firewall and potentially dropping non-root SSH sessions, MrAgent minimizes the chances of detection and intervention by administrators while simultaneously increasing the impact of the attack by targeting all reachable VMs at once.
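As an added defender-side example (not code from the Trellix report or from the RansomHouse tooling), the following Python scanner runs over constructed ESXi shell.log lines and flags the behaviours described above: the host firewall being disabled, the VM inventory being enumerated, and processes being killed, then checks whether the first two occurred in sequence. The log format, the sample commands and the correlation rule are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the style of ESXi's /var/log/shell.log.
# The format is approximated and the activity is invented for this example.
SAMPLE_SHELL_LOG = """\
2024-02-15T10:01:02Z shell[200101]: [root]: esxcli system version get
2024-02-15T10:01:09Z shell[200101]: [root]: esxcli network firewall set --enabled false
2024-02-15T10:01:15Z shell[200101]: [root]: vim-cmd vmsvc/getallvms
2024-02-15T10:01:21Z shell[200101]: [root]: esxcli system process list
2024-02-15T10:01:30Z shell[200101]: [root]: kill -9 200055
2024-02-15T10:02:00Z shell[200120]: [admin]: esxcli network firewall get
"""

@dataclass
class Finding:
    timestamp: str
    user: str
    rule: str
    command: str

# Each rule maps a behaviour the article attributes to MrAgent to a shell
# command an administrator rarely types during normal operation.
RULES = {
    "firewall_disabled": re.compile(r"esxcli\s+network\s+firewall\s+(set\s+--enabled\s+false|unload)\b"),
    "vm_inventory": re.compile(r"vim-cmd\s+vmsvc/getallvms"),
    "process_killed": re.compile(r"\bkill\b\s+(-\d+\s+)?\d+"),
}

# One shell.log entry: timestamp, shell PID, user in brackets, the command.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$")

def scan_shell_log(text: str) -> list:
    """Return one Finding per logged command that matches a rule."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not shell command records
        for name, pattern in RULES.items():
            if pattern.search(m["cmd"]):
                findings.append(Finding(m["ts"], m["user"], name, m["cmd"]))
    return findings

def chain_detected(findings: list, first: str, then: str) -> bool:
    """True if a 'first' finding is later followed by a 'then' finding (log order)."""
    seen_first = False
    for f in findings:
        if f.rule == first:
            seen_first = True
        elif f.rule == then and seen_first:
            return True
    return False

if __name__ == "__main__":
    hits = scan_shell_log(SAMPLE_SHELL_LOG)
    for h in hits:
        print(f"{h.timestamp} {h.user} {h.rule}: {h.command}")
    print("firewall off -> VM enumeration:", chain_detected(hits, "firewall_disabled", "vm_inventory"))
```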
Using the MrAgent tool across different platforms shows RansomHouse's intention to extend the tool's applicability and to maximize the impact of its campaigns when the target runs both Windows and Linux systems.