CyberSecurityBoard
Sponsor Register Login

RansomHouse Gang Streamlines VMware ESXi Attacks Using Latest MrAgent Tool

RansomHouse, a ransomware group known for its double extortion tactics, has developed a new tool named 'MrAgent' to facilitate the widespread deployment of its data encrypter on VMware ESXi hypervisors.
Since its emergence in December 2021, RansomHouse has been targeting large organizations, although it hasn't been as active as some other notorious ransomware groups.
It has been employing sophisticated methods to infiltrate systems and extort victims.
ESXi servers are a prime target for ransomware attacks due to their role in managing virtual computers containing valuable data for businesses.
Disrupting these servers can cause significant operational damage, impacting critical applications and services like databases and email servers.
Researchers from Trellix and Northwave have identified a new binary associated with RansomHouse attacks, designed specifically to streamline the process of targeting ESXi systems.
This tool, named MrAgent, automates the deployment of ransomware across multiple hypervisors simultaneously, compromising all managed virtual machines.
MrAgent is highly configurable, allowing attackers to customize ransomware deployment settings received from the command and control server.
This includes tasks such as setting passwords, scheduling encryption events, and altering system messages to display ransom notices.
By disabling firewalls and terminating non-root SSH sessions, MrAgent aims to minimize detection and intervention by administrators while maximizing the impact of the attack on all reachable virtual machines.
Trellix has identified a Windows version of MrAgent, indicating RansomHouse's efforts to broaden the tool's reach and effectiveness across different platforms.
The automation of these attack steps underscores the attackers' determination to target large networks efficiently.
Defenders must remain vigilant and implement robust security measures, including regular updates, access controls, network monitoring, and logging, to mitigate the threat posed by tools like MrAgent.


This Cyber News was published on www.cysecurity.news. Publication date: Sun, 18 Feb 2024 15:13:05 +0000


Cyber News related to RansomHouse Gang Streamlines VMware ESXi Attacks Using Latest MrAgent Tool

RansomHouse gang automates VMware ESXi attacks with new MrAgent tool - The RansomHouse ransomware operation has created a new tool named 'MrAgent' that automates the deployment of its data encrypter across multiple VMware ESXi hypervisors. RansomHouse is a ransomware-as-a-service operation that emerged in December 2021 ...
1 year ago Bleepingcomputer.com LockBit
RansomHouse Gang Streamlines VMware ESXi Attacks Using Latest MrAgent Tool - RansomHouse, a ransomware group known for its double extortion tactics, has developed a new tool named 'MrAgent' to facilitate the widespread deployment of its data encrypter on VMware ESXi hypervisors. Since its emergence in December 2021, ...
1 year ago Cysecurity.news
Investigation of Possible Causes of ESXiArgs Ransomware Attacks Suggests VMware is Not at Fault - Edward Hawkins, the High-Profile Product Incident Response Manager at VMware, has denied allegations that two-year-old security flaws have been used in the current ESXiArgs ransomware attacks. Over the weekend, reports surfaced about cybercriminals ...
2 years ago Hackread.com CVE-2021-21974
VMware ESXi 8.0 Update 3e Released for Free, What's New! - This marks a significant policy reversal after Broadcom discontinued the free ESXi offering following its acquisition of VMware, a move that had pushed many users toward alternative virtualization platforms. Broadcom has officially reintroduced the ...
4 days ago Cybersecuritynews.com
Linux version of Qilin ransomware focuses on VMware ESXi - A sample of the Qilin ransomware gang's VMware ESXi encryptor has been found and it could be one of the most advanced and customizable Linux encryptors seen to date. Due to this adoption, almost all ransomware gangs have created dedicated VMware ESXi ...
1 year ago Bleepingcomputer.com Qilin
No Signs of Unpatched Vulnerabilities Discovered in ESXiArgs Ransomware Attacks - VMware reported on Monday that there is no proof that hackers are using an unknown security flaw, also known as a zero-day, in its software as part of a ransomware attack. Most reports suggest that outdated products with known vulnerabilities that ...
2 years ago Thehackernews.com CVE-2021-21974
VMware fixes critical Cloud Director auth bypass unpatched for 2 weeks - VMware has fixed a critical authentication bypass vulnerability in Cloud Director appliance deployments, a bug that was left unpatched for over two weeks since it was disclosed on November 14th. Cloud Director is a VMware platform that enables admins ...
1 year ago Bleepingcomputer.com CVE-2023-34060
VMWare discloses critical VCD Appliance auth bypass with no patch - VMware disclosed a critical and unpatched authentication bypass vulnerability affecting Cloud Director appliance deployments. Cloud Director enables VMware admins to manage their organizations' cloud services as part of Virtual Data Centers. The auth ...
1 year ago Bleepingcomputer.com CVE-2023-34060
Latest Information Security and Hacking Incidents - The ransomware strain Qilin has surfaced as a new danger to computers using VMware ESXi, which is a recent development in the cryptocurrency space. Concerned observers have expressed concern over the fact that this Qilin Linux version exhibits a ...
1 year ago Cysecurity.news Qilin
41,500+ VMware ESXi Instances Vulnerable to Code Execution Attacks - We are scanning & reporting out VMware ESXi CVE-2025-22224 vulnerable instances ("a malicious actor with local admin privileges on a virtual machine may exploit this to execute code as virtual machine's VMX process running on ...
1 month ago Cybersecuritynews.com CVE-2025-22224
VMware fixes critical code execution flaw in vCenter Server - VMware issued security updates to fix a critical vCenter Server vulnerability that can be exploited to gain remote code execution attacks on vulnerable servers. vCenter Server is the central management hub for VMware's vSphere suite, and it helps ...
1 year ago Bleepingcomputer.com CVE-2023-34048 CVE-2023-34056
Chinese Espionage Group Has Exploited VMware Flaw Since 2021 - A Chinese espionage group spotted last year by Mandiant researchers abusing a flaw that affected VMware virtualization tools has been exploiting another zero-day vulnerability in VMware's vCenter Server since at least late 2021, according to the ...
1 year ago Securityboulevard.com CVE-2023-34048 CVE-2023-20867
Russians break into Microsoft as Chinese hit VMware users The Register - A VMware security vulnerability has been exploited by Chinese cyberspies since late 2021, according to Mandiant, in what has been a busy week for nation-state espionage news. On Friday VMware confirmed CVE-2023-34048, a critical out-of-bounds write ...
1 year ago Go.theregister.com CVE-2023-34048 Hunters
Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning - Our structured query language (SQL) injection detection model detected triggers containing unusual patterns that did not correlate to any known open-source or commercial automated vulnerability scanning tool. We have tested all malicious payloads ...
6 months ago Unit42.paloaltonetworks.com
South African telecom provider serving 7.7 million confirms data leak following cyberattack | The Record from Recorded Future News - In previous incidents, RansomHouse has claimed responsibility for attacks on major organizations, including chip manufacturer Advanced Micro Devices (AMD), supermarket chain Shoprite Group and the Saskatchewan Liquor and Gaming Authority. South ...
1 week ago Therecord.media
CVE-2022-30426 - There is a stack buffer overflow vulnerability, which could lead to arbitrary code execution in UEFI DXE driver on some Acer products. An attack could exploit this vulnerability to escalate privilege from ring 3 to ring 0, and hijack control flow ...
2 years ago
Top 30 Best Penetration Testing Tools - 2025 - The tool supports various protocols and offers advanced filtering and analysis capabilities, making it ideal for diagnosing network issues, investigating security incidents, and understanding complex network interactions during penetration testing. ...
2 weeks ago Cybersecuritynews.com
Broadcom warns of authentication bypass in VMware Windows Tools - For instance, in November, Broadcom warned that attackers were exploiting two VMware vCenter Server vulnerabilities: a privilege escalation to root (CVE-2024-38813) and a critical remote code execution flaw (CVE-2024-38812) identified during China's ...
3 weeks ago Bleepingcomputer.com CVE-2024-38813
VMware Fixes Critical Security Bugs in vRealize Log Analysis Tool - Organizations using the VMware vRealize Log Analysis tool are being urged to update it in order to patch several recently discovered security bugs. According to a security advisory issued by VMware yesterday, the company has identified a critical ...
2 years ago Bleepingcomputer.com
Chinese Spies Exploited Critical VMware Bug for Nearly 2 Years - One of the most serious VMware vulnerabilities in recent memory was secretly being exploited by a Chinese advanced persistent threat for years before a patch became available. In a sign of just how severe this particular issue was, VMware went so far ...
1 year ago Darkreading.com CVE-2023-34048 CVE-2023-20867
VMware urges admins to remove deprecated, vulnerable auth plug-in - VMware urged admins today to remove a discontinued authentication plugin exposed to authentication relay and session hijack attacks in Windows domain environments via two security vulnerabilities left unpatched. The vulnerable VMware Enhanced ...
1 year ago Bleepingcomputer.com CVE-2024-22245 CVE-2024-22250
VMware Tools for Windows Vulnerability Let Attackers Bypass Authentication - According to the security advisory VMSA-2025-0005, the authentication bypass vulnerability stems from improper access control in the VMware Tools for Windows utilities suite. In response to this vulnerability, cybersecurity experts recommend that ...
3 weeks ago Cybersecuritynews.com CVE-2025-22230
10 Best Ransomware File Decryptor Tools in 2025 - Kaspersky Rakhni Decryptor contains different decryption tools based on various versions of Rakhni ransomware and helps you decrypt encrypted files on your system. PyLocky Ransomware Decryption Tool is a free and open source developed and released by ...
1 week ago Cybersecuritynews.com
A largescale ransomware attack is targeting VMware ESXi servers around the world - Administrators, hosting providers, and the French Computer Emergency Response Team have warned that attackers are actively targeting VMware ESXi servers that have not been patched against a two-year-old remote code execution vulnerability to deploy ...
2 years ago Bleepingcomputer.com CVE-2021-21974
Chinese threat group exploited VMware vulnerability in 2021 - A critical VMware vulnerability that was patched in October was exploited in the wild two years ago by a China-nexus threat actor, according to new research from Mandiant. On Oct. 25, VMware first disclosed an out-of-bounds write vulnerability ...
1 year ago Techtarget.com CVE-2023-34048 CVE-2023-34056 CVE-2023-20867

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)