Dressed to Encrypt: Inside the Gentlemen Ransomware Operations


In August 2025, a new ransomware group known as The Gentlemen emerged with a campaign targeting critical industries worldwide. Unlike opportunistic ransomware operators, The Gentlemen display advanced tradecraft, blending custom-built malware with legitimate administrative tools to bypass security controls, exfiltrate sensitive data, and execute domain-wide ransomware deployment. Their operations highlight a shift toward highly tailored, enterprise-specific attacks.

Severity Level: High

Threat Details

1. Initial Access

  • Likely gained via compromised FortiGate VPN/firewall appliances or stolen credentials.
  • Used Advanced IP Scanner for reconnaissance and systematic mapping of enterprise networks.

2. Discovery & Privilege Escalation

  • Enumerated users (e.g., admin.it, fortigate) and groups (domain admins).
  • Queried Active Directory for the Primary Domain Controller (PDC).
  • Used Nmap, batch scripts, and PowerShell for infrastructure mapping.
  • Leveraged PowerRun.exe for privilege escalation.

3. Defense Evasion

  • Abused ThrottleBlood.sys, a vulnerable signed driver, to kill AV processes.
  • Later introduced Allpatch2.exe, a customized tool aimed at specific endpoint security vendors.
  • Disabled Windows Defender via PowerShell, altered registry settings, and bypassed AV tamper protections.

4. Lateral Movement & Persistence

  • Relied on PsExec, PuTTY, and registry changes for lateral movement.
  • Deployed AnyDesk as a persistent C2 channel.

5. Group Policy Manipulation

  • Used Group Policy Management Console (gpmc.msc) to push malicious configurations.
  • Targeted Primary Domain Controller for domain-wide impact.

6. Data Collection & Exfiltration

  • Staged data in C:\ProgramData\data.
  • Used WebDAV connections and WinSCP for encrypted exfiltration.

7. Ransomware Deployment & Impact

  • Distributed ransomware via NETLOGON share using domain admin credentials.
  • Appended “.7mtzhh” extension to encrypted files.
  • Dropped ransom note README-GENTLEMEN.txt.
  • Aggressively terminated backup, database, and security processes (Veeam, SQL, Oracle, SAP, Acronis, etc.).
  • Executed cleanup by deleting artifacts, logs, shadow copies, and security event data.

8. Victimology

  • Target Industries: manufacturing, construction, healthcare, insurance, and others.
  • Target Regions: Asia-Pacific, South America, North America, Middle East, and others.
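The file, driver and process indicators listed in sections 3, 4, 6 and 7 can be turned directly into host-based detection logic. The following is an added example (not tooling from the advisory or from Trend Micro) that matches those indicators against Sysmon-style events. It assumes events arrive as dictionaries carrying Sysmon field names (EventID 6 driver load with ImageLoaded, EventID 11 file create with TargetFilename, EventID 1 process create with Image); the indicator values come from the advisory text, and the sample events are constructed for this example.

```python
"""Added example: match the Gentlemen indicators from the advisory against
Sysmon-style events. Field names follow Sysmon's schema (assumption: a real
collector or SIEM would populate them); sample events below are constructed."""
from __future__ import annotations
import ntpath  # handles Windows paths correctly even when run on Linux/macOS

# Indicator values taken from the advisory text (lower-cased for comparison).
VULNERABLE_DRIVERS = {"throttleblood.sys"}      # BYOVD driver used to kill AV
RANSOM_NOTE = "readme-gentlemen.txt"
ENCRYPTED_EXT = ".7mtzhh"
STAGING_DIR = r"c:\programdata\data"            # exfiltration staging folder
REMOTE_ACCESS_TOOLS = {"anydesk.exe"}           # deployed as persistent C2 channel


def classify(event: dict) -> list[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits: list[str] = []
    eid = event.get("EventID")
    if eid == 6:  # Sysmon: driver loaded
        name = ntpath.basename(event.get("ImageLoaded", "")).lower()
        if name in VULNERABLE_DRIVERS:
            hits.append("vulnerable_driver_load")
    elif eid == 11:  # Sysmon: file created
        path = event.get("TargetFilename", "").lower()
        name = ntpath.basename(path)
        if name == RANSOM_NOTE:
            hits.append("ransom_note_dropped")
        if path.endswith(ENCRYPTED_EXT):
            hits.append("encrypted_file_extension")
        if path.startswith(STAGING_DIR + "\\"):
            hits.append("staging_directory_write")
    elif eid == 1:  # Sysmon: process created
        name = ntpath.basename(event.get("Image", "")).lower()
        if name in REMOTE_ACCESS_TOOLS:
            hits.append("remote_access_tool_started")
    return hits


def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Run every event through classify() and collect (rule, evidence) pairs."""
    findings = []
    for ev in events:
        evidence = ev.get("ImageLoaded") or ev.get("TargetFilename") or ev.get("Image", "")
        for rule in classify(ev):
            findings.append((rule, evidence))
    return findings


def rule_counts(events: list[dict]) -> dict[str, int]:
    """Summarise how many times each rule fired (useful for a triage dashboard)."""
    counts: dict[str, int] = {}
    for rule, _ in scan(events):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample events: one benign file write plus one event per indicator.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\ThrottleBlood.sys",
     "SignatureStatus": "Valid"},                     # signed but vulnerable
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},   # benign
    {"EventID": 11, "Image": r"C:\Users\Public\enc.exe",
     "TargetFilename": r"C:\Users\alice\Documents\budget.xlsx.7mtzhh"},
    {"EventID": 11, "Image": r"C:\Users\Public\enc.exe",
     "TargetFilename": r"C:\Users\alice\Documents\README-GENTLEMEN.txt"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\ProgramData\data\hr-export.zip"},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
]

if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_EVENTS):
        print(f"{rule:28s} {evidence}")
```

The driver-load rule is the one worth tuning first: a signed-but-vulnerable driver passes signature checks, so the detection has to key on the driver's identity (name here; hash in production) rather than on its signature status.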

Recommendations

  1. Audit and restrict access to internet-facing systems, especially FortiGate, VPN appliances, and RDP servers.
  2. Block direct RDP exposure to the internet and allow remote access only through the VPN.
  3. Enable tamper protection and anti-exploit features on EDR/AV agents.
  4. Enable self-protection features on endpoint security agents to resist termination attempts.
  5. Implement time-bound privileged access (just-in-time access, automatic de-escalation).
  6. Establish policies to restrict installation of remote access software (AnyDesk, TeamViewer).
  7. Apply virtual patching and regular updates on perimeter devices (e.g., FortiGate VPN/firewall appliances).
  8. Monitor and alert on abnormal NETLOGON modifications. Restrict domain controller share access.
  9. Block execution from temporary and user download directories where attack tools are typically staged.
  10. Monitor service stop commands targeting security processes and alert on mass termination attempts.
  11. Enforce driver signature verification and alert on vulnerable driver loading attempts (e.g., ThrottleBlood.sys abuse).
  12. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/0409e5b2e0588daf34be778a2800eb623c648bba97b4eecd44bda3f7800fae9f/iocs
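Recommendations 8 and 10 ask for alerting on NETLOGON modifications and on mass termination of backup, database and security processes. Both are behavioural rather than indicator-based, so the example below (added here; not part of the advisory) shows a sliding-window detector for termination bursts per host, alongside an allow-list check for writes into the NETLOGON share. The event schema (ts, host, type, target, user) and the host, account and service names in the sample stream are this example's own constructed values; the product families in PROTECTED_PREFIXES are the ones the advisory names as termination targets, plus MsMpEng, the Windows Defender engine process.

```python
"""Added example: burst detection for mass service/process termination and an
allow-list check for NETLOGON writes. Event field names are this example's own
(assumption), and the sample stream below is constructed."""
from collections import deque
from datetime import datetime, timedelta

# Name prefixes of the process/service families the advisory says were killed
# (Veeam, SQL, Oracle, SAP, Acronis) plus the Windows Defender engine (MsMpEng).
PROTECTED_PREFIXES = ("veeam", "sql", "oracle", "sap", "acronis", "msmpeng")
WINDOW = timedelta(seconds=60)   # look-back window per host
THRESHOLD = 5                    # distinct protected targets stopped inside WINDOW


def is_protected(target: str) -> bool:
    """True if the stopped service/process belongs to a protected family."""
    return target.lower().startswith(PROTECTED_PREFIXES)


def detect_mass_termination(events):
    """Return one alert (host, window_start, targets) per host on which at least
    THRESHOLD distinct protected targets were stopped within WINDOW.
    Events are processed in timestamp order; one alert per host avoids storms."""
    per_host = {}            # host -> deque of (timestamp, target)
    alerted_hosts = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] not in ("service_stop", "process_terminate"):
            continue
        if not is_protected(ev["target"]):
            continue
        ts = datetime.fromisoformat(ev["ts"])
        q = per_host.setdefault(ev["host"], deque())
        q.append((ts, ev["target"].lower()))
        while q and ts - q[0][0] > WINDOW:   # drop entries older than the window
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) >= THRESHOLD and ev["host"] not in alerted_hosts:
            alerted_hosts.add(ev["host"])
            alerts.append((ev["host"], q[0][0].isoformat(), sorted(distinct)))
    return alerts


def detect_netlogon_writes(events, allowed_writers=frozenset()):
    """Flag file writes under a NETLOGON share by any account not on the allow list
    (normally only the Group Policy management account should write there)."""
    return [ev for ev in events
            if ev["type"] == "file_write"
            and "\\netlogon\\" in ev["target"].lower()
            and ev.get("user", "").lower() not in allowed_writers]


def _t(seconds: int) -> str:
    """Constructed timestamps relative to an arbitrary base time."""
    return (datetime(2025, 8, 20, 2, 0, 0) + timedelta(seconds=seconds)).isoformat()


# Constructed sample stream: routine maintenance, a termination burst, and
# two NETLOGON writes (one by the expected account, one by a domain admin user).
SAMPLE_EVENTS = [
    {"ts": _t(0),   "host": "srv-db01",  "type": "service_stop",      "target": "SQLSERVERAGENT"},
    {"ts": _t(100), "host": "srv-app02", "type": "service_stop",      "target": "VeeamBackupSvc"},
    {"ts": _t(102), "host": "srv-app02", "type": "service_stop",      "target": "SQLWriter"},
    {"ts": _t(105), "host": "srv-app02", "type": "process_terminate", "target": "oracle.exe"},
    {"ts": _t(108), "host": "srv-app02", "type": "process_terminate", "target": "saposcol.exe"},
    {"ts": _t(110), "host": "srv-app02", "type": "service_stop",      "target": "AcronisAgent"},
    {"ts": _t(120), "host": "srv-app02", "type": "process_terminate", "target": "MsMpEng.exe"},
    {"ts": _t(200), "host": "dc01", "type": "file_write", "user": "CORP\\gpo-svc",
     "target": r"\\dc01\NETLOGON\scripts\logon.bat"},
    {"ts": _t(205), "host": "dc01", "type": "file_write", "user": "CORP\\admin.it",
     "target": r"\\dc01\NETLOGON\update.exe"},
]

if __name__ == "__main__":
    for host, start, targets in detect_mass_termination(SAMPLE_EVENTS):
        print(f"MASS TERMINATION on {host} from {start}: {', '.join(targets)}")
    for ev in detect_netlogon_writes(SAMPLE_EVENTS, frozenset({"corp\\gpo-svc"})):
        print(f"UNEXPECTED NETLOGON WRITE by {ev['user']}: {ev['target']}")
```

The single restart on srv-db01 stays below the threshold, which is the point of counting distinct targets inside a window rather than raw stop events: routine maintenance stops one or two services, while the advisory's tradecraft stops many product families at once.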

Source:

  • https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
