Mario
Mario is the encryptor component used by the RansomHouse ransomware operation, which is also tracked as Jolly Scorpius. It is used in double-extortion attacks in which data is stolen and systems are encrypted, with victims then threatened with data leakage. The malware is closely associated with attacks against VMware ESXi environments, where affiliates can encrypt many virtual machines at once, and it targets virtualization- and backup-related files including extensions such as ova, ovf, vbk, vbm, vib, vmdk, vmem, vmsd, vmsn, and vswp. After encryption, Mario appends an extension containing the string "mario" to files, including observed variants such as ".emario", and drops a ransom note named "How To Restore Your Files.txt" in affected directories.
Multiple cited sources state that Mario is Babuk-derived and shares code and behavior with the leaked 2021 Babuk ESXi source, including a highly similar find_files_recursive function and the same default ransom note filename. SentinelLABS identified Mario as one of the ransomware families that adopted Babuk-based ESXi encryptors from H2 2022 onward. One cited Mario ESXi sample has SHA1 048b3942c715c6bff15c94cdc0bb4414dbab9e07.
Recent Mario versions are described as significantly upgraded. The newer encryptor introduces a two-stage encryption process using a 32-byte primary key and an 8-byte secondary key, replacing earlier simpler single-pass behavior. Reported enhancements include dynamic chunk processing, sparse or selective block encryption, optimized buffer management, and support for large-file handling up to an 8 GB threshold, all of which are described as complicating static analysis and decryption. Mario is deployed alongside the MrAgent management utility, which automates ransomware deployment across ESXi hosts, maintains C2 connectivity, gathers host information, can disable the ESXi firewall, and can orchestrate encryption activity.
RansomHouse activity associated with Mario has affected organizations across healthcare, finance, transportation, and government, and some cited reporting highlights recent targeting of German organizations with VMware infrastructure, including the manufacturing, aerospace, and production sectors. High-confidence indicators named in the cited reporting are the ransom note filename "How To Restore Your Files.txt", the ".emario" extension, and the SHA1 sample 048b3942c715c6bff15c94cdc0bb4414dbab9e07.
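As an added example (not code from the page, from RansomHouse tooling, or from any vendor report), the following Python script turns the indicators above into a simple hunting pass over a file listing: it flags the ransom-note filename, files whose final extension contains "mario", the virtualization- and backup-related extensions Mario targets, and the one published SHA1 sample hash. The listing it runs on is constructed for illustration, and the paths in it are not real observed paths; hashing is optional so the same logic can run over an exported inventory without touching the files.

```python
"""Hunt for RansomHouse/Mario artifacts in a file listing (added example)."""
import hashlib
import os
import re
from pathlib import Path

# Indicators taken from the write-up above.
RANSOM_NOTE_NAME = "How To Restore Your Files.txt"
KNOWN_SAMPLE_SHA1 = {"048b3942c715c6bff15c94cdc0bb4414dbab9e07"}
# Mario appends an extension containing "mario" (e.g. ".emario"); match it only as
# the final extension so a benign "mario-notes.txt" is not flagged.
MARIO_EXT_RE = re.compile(r"\.[a-z0-9_-]*mario[a-z0-9_-]*$", re.IGNORECASE)
# Virtualization- and backup-related extensions the encryptor targets.
TARGETED_EXTS = {"ova", "ovf", "vbk", "vbm", "vib", "vmdk", "vmem", "vmsd", "vmsn", "vswp"}


def classify_path(path):
    """Classify one path as 'ransom_note', 'encrypted', 'at_risk' or None."""
    name = os.path.basename(path)
    if name == RANSOM_NOTE_NAME:
        return "ransom_note"
    if MARIO_EXT_RE.search(name):
        return "encrypted"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in TARGETED_EXTS:
        return "at_risk"
    return None


def sha1_of_file(path):
    """Stream a file through SHA-1 so large VM disks do not need to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_known_sample(sha1_hex):
    """True when a hex SHA-1 matches the published Mario ESXi sample hash."""
    return sha1_hex.lower() in KNOWN_SAMPLE_SHA1


def hunt(paths, hash_files=False):
    """Summarise a listing: note directories, encrypted files, at-risk files, hash hits."""
    report = {"ransom_note_dirs": set(), "encrypted": [], "at_risk": [], "hash_hits": []}
    for path in paths:
        kind = classify_path(path)
        if kind == "ransom_note":
            report["ransom_note_dirs"].add(os.path.dirname(path))
        elif kind == "encrypted":
            report["encrypted"].append(path)
        elif kind == "at_risk":
            report["at_risk"].append(path)
        # Hashing is opt-in because it reads every file; it only makes sense on a live tree.
        if hash_files and os.path.isfile(path) and is_known_sample(sha1_of_file(path)):
            report["hash_hits"].append(path)
    return report


def hunt_directory(root):
    """Walk a real directory (e.g. a mounted datastore) and run the checks with hashing on."""
    paths = [str(p) for p in Path(root).rglob("*") if p.is_file()]
    return hunt(paths, hash_files=True)


# Constructed listing for illustration; these are not real observed paths.
SAMPLE_LISTING = [
    "/vmfs/volumes/ds1/web01/web01.vmdk.emario",
    "/vmfs/volumes/ds1/web01/web01.vmx",
    "/vmfs/volumes/ds1/web01/How To Restore Your Files.txt",
    "/vmfs/volumes/ds1/db02/db02-flat.vmdk",
    "/vmfs/volumes/ds1/db02/db02.vswp",
    "/vmfs/volumes/backup/db02.vbk",
    "/home/analyst/mario-notes.txt",
]

if __name__ == "__main__":
    result = hunt(SAMPLE_LISTING)
    for key, value in result.items():
        print(f"{key}: {sorted(value)}")
```

The `at_risk` bucket is a pre-incident inventory of what this family would hit on a host, while `encrypted` and `ransom_note_dirs` are post-incident evidence; `hunt_directory` runs the same checks with hashing on a mounted datastore when reading every file is acceptable.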
Groups observed using it
1 distinct threat actor attributed by public researchers.
Mario ransomware is operated by RansomHouse, a group that emerged in 2021. Mario samples share a very similar find_files_recursive function with the leaked Babuk ESXi source, including the default ransom note filename How To Restore Your Files.txt.
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Mario is the codename for the updated ransomware payload used by RansomHouse, featuring dual-key encryption to make data recovery nearly impossible.
Mario is the primary encryptor component used in RansomHouse attacks, targeting virtualization-related files on ESXi hosts. It employs advanced, multi-stage encryption routines to hinder decryption and recovery, and is deployed via MrAgent.
Mario is the updated encryptor binary used by RansomHouse, implementing a multi-stage, dual-key encryption process that increases the complexity of decryption and recovery for victims.
Ransomware payload used by RansomHouse to encrypt ESXi virtual machine files.