Cyber Threat Actor: RansomHouse

Actor Type: Crime Syndicate
Location: Russia
Known Incidents: 20
Profile

RansomHouse is a ransomware and extortion group that has been active since December 2021 and is assessed to operate from Russia. It describes itself as a "professional mediators community" that targets organizations with lax privacy and security practices. Its primary goal is to obtain payments by threatening to release stolen data.

RansomHouse has hit a wide range of industries, including aviation, luxury goods, pharmaceuticals, healthcare, payment processing, construction, and municipal governments. Victims have been located in Europe, North America, Africa, and Asia, reflecting a geographically diverse targeting pattern. The group employs a double extortion model: it steals data before or alongside encryption and then threatens public disclosure unless a ransom is paid. Financial gain is the explicit motive.

Technical analysis links RansomHouse to the WhiteRabbit ransomware encryptor, a variant of which was rebranded "Mario" for attacks on Italian municipalities. The Mario encryptor appends the ".mario" extension to locked files and drops ransom notes titled "How To Restore Your Files.txt". Initial access has been observed through exploitation of VMware vulnerabilities. The group maintains a dark web leak site where it publishes proof packs and directory listings of stolen data to pressure victims.

Notable operations include the March 2023 ransomware attack on Hospital Clínic de Barcelona, which disrupted emergency services and the hospital's virtualized environments. In May 2023 the group claimed responsibility for the ransomware incident at Mission Community Hospital, which had initially been reported as a network switch failure; RansomHouse alleged the theft of 2.5 terabytes of patient-related data. AvidXchange suffered a second ransomware incident in April 2023, after which RansomHouse published employee payroll data, bank account numbers and system credentials. Additional high-profile cases involve the encryption of systems at Radley London, the pharmaceutical firm Eisai, and the Allied Pilots Association, each accompanied by claims of multi-terabyte data exfiltration.
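The two host-level indicators the profile names, the ".mario" extension and the "How To Restore Your Files.txt" ransom note, are enough for a first-pass hunt across a file share or a mounted disk image. The script below is an added example written for this page, not tooling from RansomHouse or from any vendor report: it classifies paths against those two indicators, groups hits by directory so an analyst can see which shares were touched, and recovers the pre-encryption filename from the ".mario" name. The sample paths are constructed for the example; for a live host, feed `scan_paths()` the output of `walk_host()` instead.

```python
"""Hunt a file listing for Mario/WhiteRabbit indicators.

Added example for this profile; the indicator values come from the text above,
the sample paths below are constructed and not from any real incident.
"""
import os
from collections import defaultdict
from pathlib import PurePosixPath
from typing import Dict, Iterable, Iterator, Optional

ENCRYPTED_EXT = ".mario"                      # appended to locked files
RANSOM_NOTE = "How To Restore Your Files.txt"  # note dropped per directory

# Constructed sample listing: two shares hit, one untouched, one home dir.
SAMPLE_PATHS = [
    "/srv/share/finance/Q1-budget.xlsx.mario",
    "/srv/share/finance/How To Restore Your Files.txt",
    "/srv/share/hr/payroll.csv.mario",
    "/srv/share/hr/How To Restore Your Files.txt",
    "/srv/share/public/readme.txt",
    "/home/alice/notes.md",
]


def classify(path: str) -> Optional[str]:
    """Return 'note', 'encrypted', or None for a single path."""
    p = PurePosixPath(path)
    if p.name == RANSOM_NOTE:
        return "note"
    if p.suffix.lower() == ENCRYPTED_EXT:
        return "encrypted"
    return None


def original_name(path: str) -> str:
    """Recover the filename as it was before the encryptor renamed it."""
    p = PurePosixPath(path)
    if p.suffix.lower() == ENCRYPTED_EXT:
        return p.name[: -len(ENCRYPTED_EXT)]
    return p.name


def walk_host(root: str) -> Iterator[str]:
    """Yield every file path under root (live-host input for scan_paths)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


def scan_paths(paths: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Count notes and encrypted files per directory; untouched dirs are omitted."""
    report: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"note": 0, "encrypted": 0}
    )
    for path in paths:
        kind = classify(path)
        if kind is not None:
            report[str(PurePosixPath(path).parent)][kind] += 1
    return dict(report)


def summarize(report: Dict[str, Dict[str, int]]) -> Dict[str, object]:
    """Roll the per-directory report up into triage fields."""
    encrypted = sum(v["encrypted"] for v in report.values())
    notes = sum(v["note"] for v in report.values())
    return {
        "encrypted_files": encrypted,
        "ransom_notes": notes,
        "directories": sorted(report),
        "indicator_hit": encrypted > 0 or notes > 0,
    }


if __name__ == "__main__":
    rep = scan_paths(SAMPLE_PATHS)
    for directory, counts in sorted(rep.items()):
        print(f"{directory}: {counts['encrypted']} encrypted, {counts['note']} note(s)")
    print(summarize(rep))
```

A note without any ".mario" files in the same directory is still worth a look: the encryptor may have been stopped partway, or the files may already have been restored from backup while the note was left behind.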

Earlier campaigns show the group's reach beyond Europe, such as the claimed 2022 attacks on Africa's largest supermarket chain Shoprite and the Indian pharmaceutical company IPCA Laboratories. RansomHouse also listed the Colombian healthcare provider Keralty and the Italian municipality of Comune di Taggia among its victims, publishing portions of the alleged stolen data on its leak site. These incidents illustrate the group's reliance on data theft and extortion, with encryption used in some but not all cases, to generate revenue from a broad set of targets.

Incidents: 20 attributed incidents (member access)
Sources: 14 sources (member access)