RansomHouse Ransomware

Description

RansomHouse is a sophisticated ransomware group active since 2023, known for double-extortion attacks targeting high-value sectors like healthcare, manufacturing, and critical infrastructure. It exploits public-facing vulnerabilities (e.g., Citrix NetScaler, Palo Alto GlobalProtect) and employs custom malware alongside tools like Cobalt Strike and Mimikatz for lateral movement. While initially operating as a closed private group, reports in 2024–2025 suggest a shift toward a hybrid RaaS model, expanding its reach through selective affiliate partnerships.

Aliases

  • RH Team

Common Vulnerabilities and Exposures

Targeted Industries

  • Education
  • Energy/Oil & Gas
  • Financial Services
  • Government (Local/Municipal)
  • Healthcare
  • Legal Firms
  • Logistics/Transport
  • Manufacturing
  • Technology

Objectives

  • Monetary gain
  • Data exfiltration

Known Tools Used

  • AdFind
  • AnyDesk
  • Cobalt Strike
  • CrackMapExec
  • FileZilla
  • GMER
  • Mega.nz (for exfiltration)
  • Mimikatz
  • NLBrute
  • PowerShell Empire
  • PsExec
  • SharpHound
  • SoftPerfect Network Scanner
  • TeamViewer
  • WinRAR (for data staging)
  • Wireshark

Known Infection Vectors

  • Brute-Force RDP/VPN
  • Compromised Third-Party Tools
  • Exploited Public-Facing CVEs
  • Insider Threats
  • Malicious Software Updates
  • Phishing (Malicious Emails)
  • Stolen Credentials
  • Supply Chain Attacks

References

AA23-317A: Ransomware Activity Targeting Critical Infrastructure
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-317a

FBI Flash Report: RansomHouse Exploiting Palo Alto CVE-2024-3400
https://www.ic3.gov/Media/News/2024/240228.pdf

#StopRansomware: RansomHouse
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-101a

Alert (TA24-164A): RansomHouse Targeting U.S. Critical Infrastructure
https://www.cisa.gov/uscert/ncas/alerts/aa24-164a

Known Exploited Vulnerabilities (KEV) Catalog Update
https://www.cisa.gov/known-exploited-vulnerabilities-catalog

AA25-074A: RansomHouse Shift to Hybrid RaaS Model
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-074a

Malware Analysis Report (MAR-1044-25): RansomHouse Linux Variant
https://www.cisa.gov/resources-tools/services/malware-analysis-reports/mar-1044-25

Active CVEs