In August 2025, a new ransomware group known as The Gentlemen emerged with a campaign targeting critical industries worldwide. Unlike opportunistic ransomware operators, The Gentlemen display advanced tradecraft, blending custom-built malware with legitimate administrative tools to bypass security controls, exfiltrate sensitive data, and execute domain-wide ransomware deployment. Their operations highlight a shift toward highly tailored, enterprise-specific attacks.
Severity Level: High
Threat Details
1. Initial Access
- Likely gained via compromised FortiGate VPN/firewall appliances or stolen credentials.
- Used Advanced IP Scanner for reconnaissance and systematic mapping of enterprise networks.
2. Discovery & Privilege Escalation
- Enumerated users (e.g., admin.it, fortigate) and groups (Domain Admins).
- Queried Active Directory for the domain controller holding the PDC emulator role (Primary Domain Controller).
- Used Nmap, batch scripts, and PowerShell for infrastructure mapping.
- Leveraged PowerRun.exe for privilege escalation.
3. Defense Evasion
- Abused ThrottleBlood.sys, a vulnerable but validly signed driver, to kill AV processes from kernel mode (bring-your-own-vulnerable-driver, BYOVD).
- Later introduced Allpatch2.exe, a customized tool against specific endpoint security vendors.
- Disabled Windows Defender via PowerShell, altered registry settings, and bypassed AV tamper protections.
4. Lateral Movement & Persistence
- Relied on PsExec, PuTTY, and registry changes for lateral movement.
- Deployed AnyDesk as a persistent C2 channel.
5. Group Policy Manipulation
- Used Group Policy Management Console (gpmc.msc) to push malicious configurations.
- Targeted the PDC emulator domain controller so that a single change replicated domain-wide.
6. Data Collection & Exfiltration
- Staged collected data in C:\ProgramData\data.
- Exfiltrated the staged data over WebDAV connections and WinSCP (SFTP/SCP) sessions, channels that look like routine administrative file transfers.
7. Ransomware Deployment & Impact
- Distributed ransomware via NETLOGON share using domain admin credentials.
- Appended “.7mtzhh” extension to encrypted files.
- Dropped ransom note README-GENTLEMEN.txt.
- Aggressively terminated backup, database, and security processes (Veeam, SQL, Oracle, SAP, Acronis, etc.).
- Covered tracks by deleting tooling artifacts, logs, Volume Shadow Copies, and Security event log data, which also removes the local restore points defenders would rely on for recovery.
8. Victimology
- Target Industries: manufacturing, construction, healthcare, insurance, and others
- Target Regions: Asia-Pacific, South America, North America, Middle East, and others
Recommendations
- Audit and restrict access to internet-facing systems, especially FortiGate, VPN appliances, and RDP servers.
- Block direct RDP exposure to the internet; allow remote access only through the VPN, with multi-factor authentication.
- Enable tamper protection, self-protection, and anti-exploit features on EDR/AV agents so that process-termination attempts from user mode fail.
- Implement time-bound privileged access (just-in-time access, automatic de-escalation).
- Establish policies to restrict installation of remote access software (AnyDesk, TeamViewer).
- Apply virtual patching and regular updates on perimeter devices (e.g., FortiGate VPN/firewall appliances).
- Monitor and alert on file writes to the NETLOGON and SYSVOL shares on domain controllers, and restrict write access to those shares to the accounts that genuinely need it.
- Block execution from temporary and user download directories (and from C:\ProgramData subfolders not owned by installed software) where attack tools are typically staged.
- Monitor sc stop, net stop, and taskkill invocations that target backup, database, and security processes, and alert on bursts of them from a single host.
- Driver signature enforcement alone will not stop this technique, since ThrottleBlood.sys carries a valid signature; enable the Microsoft vulnerable driver blocklist (via HVCI/WDAC) and alert on loads of known-vulnerable drivers, especially from user-writable directories.
- Block the IOCs in the VirusTotal collection below at the relevant controls (perimeter firewall, proxy, DNS, EDR):
https://www.virustotal.com/gui/collection/0409e5b2e0588daf34be778a2800eb623c648bba97b4eecd44bda3f7800fae9f/iocs
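As an added example (not code from this advisory or from Trend Micro), the following Python script implements the detection checks behind the recommendations above, covering the tradecraft described in sections 3, 6 and 7: loads of a known-vulnerable driver, execution from staging directories, executable writes to NETLOGON/SYSVOL on a domain controller, and bursts of backup/database/security process terminations from one host. It runs over constructed Sysmon-style events embedded inline. The event field names, the staging-directory list, the threshold and window, the file names in the sample data, and the single-entry driver watchlist are assumptions; in production the driver list should come from Microsoft's vulnerable driver blocklist and the kill watchlist should be tuned to the estate.

```python
"""Detection checks for the Gentlemen TTPs, run over constructed Sysmon-style
events (Event ID 1 process create, 6 driver load, 11 file create).
All sample data below is made up for this example, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Watchlists. Names come from the advisory; the single driver entry is only a
# seed (assumption) and should be fed from Microsoft's vulnerable driver blocklist.
VULNERABLE_DRIVERS = {"throttleblood.sys"}
KILL_TARGETS = ("veeam", "sql", "oracle", "sap", "acronis", "msmpeng", "sense")
STAGING_DIRS = ("c:\\programdata\\data\\", "\\downloads\\",
                "\\appdata\\local\\temp\\", "c:\\windows\\temp\\")
# Executable dropped into the NETLOGON share or the SYSVOL scripts folder that backs it.
NETLOGON_RE = re.compile(
    r"\\(?:netlogon|sysvol\\[^\\]+\\scripts)\\.*\.(?:exe|dll|bat|cmd|ps1)$", re.I)
TASKKILL_RE = re.compile(r"taskkill(?:\.exe)?\b.*?/im\s+\"?([^\s\"]+)", re.I)
STOP_RE = re.compile(r"\b(?:sc|net)(?:\.exe)?\s+stop\s+\"?([^\s\"]+)", re.I)
WINDOW = timedelta(seconds=120)     # assumption: tune to your environment
MASS_KILL_THRESHOLD = 3             # distinct watchlisted targets per host in WINDOW


def kill_target(cmd):
    """Return the process or service a command line tries to stop, else None."""
    for rx in (TASKKILL_RE, STOP_RE):
        m = rx.search(cmd)
        if m:
            return m.group(1).lower()
    return None


def in_staging_dir(path):
    p = path.lower()
    return any(d in p for d in STAGING_DIRS)


def detect(events):
    """Evaluate every rule over a list of event dicts; return a list of alerts."""
    alerts = []
    kills = defaultdict(list)   # host -> [(timestamp, target)]
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["id"] == 6:        # driver load: a valid signature does not exempt it
            name = e["image_loaded"].rsplit("\\", 1)[-1].lower()
            if name in VULNERABLE_DRIVERS or in_staging_dir(e["image_loaded"]):
                alerts.append({"rule": "vulnerable_driver_load",
                               "host": e["host"], "detail": e["image_loaded"]})
        elif e["id"] == 11:     # file create on a DC into NETLOGON/SYSVOL scripts
            if NETLOGON_RE.search(e["target"]):
                alerts.append({"rule": "netlogon_write",
                               "host": e["host"], "detail": e["target"]})
        elif e["id"] == 1:      # process create
            if in_staging_dir(e["image"]):
                alerts.append({"rule": "exec_from_staging_dir",
                               "host": e["host"], "detail": e["image"]})
            t = kill_target(e["cmd"])
            if t and any(k in t for k in KILL_TARGETS):
                kills[e["host"]].append((ts, t))
    # Mass termination: sliding window over watchlisted stop/kill attempts per host.
    for host, seq in kills.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            targets = {t for t2, t in seq[i:] if t2 - start <= WINDOW}
            if len(targets) >= MASS_KILL_THRESHOLD:
                alerts.append({"rule": "mass_process_termination",
                               "host": host, "detail": sorted(targets)})
                break           # one alert per host per burst is enough here
    return alerts


SAMPLE_EVENTS = [   # constructed for this example; file names are hypothetical
    {"ts": "2025-08-14T02:10:05", "host": "FS01", "id": 6,
     "image_loaded": "C:\\ProgramData\\data\\ThrottleBlood.sys"},
    {"ts": "2025-08-14T02:10:09", "host": "FS01", "id": 1,
     "image": "C:\\ProgramData\\data\\Allpatch2.exe", "cmd": "Allpatch2.exe"},
    {"ts": "2025-08-14T02:11:00", "host": "FS01", "id": 1,
     "image": "C:\\Windows\\System32\\net.exe", "cmd": "net stop VeeamBackupSvc"},
    {"ts": "2025-08-14T02:11:02", "host": "FS01", "id": 1,
     "image": "C:\\Windows\\System32\\taskkill.exe", "cmd": "taskkill /F /IM sqlservr.exe"},
    {"ts": "2025-08-14T02:11:04", "host": "FS01", "id": 1,
     "image": "C:\\Windows\\System32\\sc.exe", "cmd": "sc stop AcronisAgent"},
    {"ts": "2025-08-14T02:30:00", "host": "DC01", "id": 11,
     "target": "C:\\Windows\\SYSVOL\\sysvol\\corp.example\\scripts\\update.exe"},
    {"ts": "2025-08-14T03:00:00", "host": "WS07", "id": 1,   # benign: no alert
     "image": "C:\\Windows\\System32\\taskkill.exe", "cmd": "taskkill /IM notepad.exe"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["rule"], a["host"], a["detail"])
```

The mass-termination rule deliberately keys on distinct targets within a short window rather than on any single stop command, because administrators legitimately stop one service at a time; three different backup, database, or security services stopped within two minutes on one host is the pattern worth paging on. The driver rule fires on the file name or on a load from a user-writable directory regardless of signature status, which is the point of the BYOVD caveat in the recommendations.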
Source:
- https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html