Saved February 14, 2026
The article analyzes RansomHouse, a ransomware-as-a-service operation linked to Jolly Scorpius. It details the group's upgraded encryption methods and outlines their multi-phase attack chain, which includes infiltration, data exfiltration, and extortion. The article highlights the impact of their operations on various critical sectors.
RansomHouse, a ransomware-as-a-service (RaaS) operation managed by the group Jolly Scorpius, has recently upgraded its encryption methods, significantly enhancing its attack capabilities. The group employs a double extortion strategy, where they not only encrypt victims' data but also threaten to leak it. Since December 2021, they have targeted at least 123 victims across critical sectors, including healthcare and finance, leading to severe financial losses and data breaches.
The attack process involves three roles: operators, attackers, and victims. Operators develop the RaaS infrastructure and tools, while attackers, often independent affiliates, execute the attacks. RansomHouse's attackers particularly focus on VMware ESXi infrastructure, allowing them to encrypt multiple virtual machines simultaneously, amplifying the operational damage. The attack chain consists of four phases: develop, infiltrate, exfiltrate and deploy, and extort. Each phase engages specific roles, with operators primarily managing the extortion phase.
Key tools in RansomHouse's arsenal include MrAgent, which provides persistent access to compromised environments, and Mario, the encryptor that performs the file encryption. MrAgent handles communication between the attackers and their command-and-control server, gathering critical information from the victim's system and preparing it for further exploitation. The article details specific commands used by MrAgent, highlighting functions such as disabling firewalls and managing ransomware deployment at scale. This upgrade in their operations poses a significant threat to organizations, emphasizing the need for enhanced cybersecurity measures.