{
	"id": "762cfc9e-2778-483c-985c-1f31c8eba050",
	"created_at": "2026-04-06T00:16:07.926727Z",
	"updated_at": "2026-04-10T03:26:51.883412Z",
	"deleted_at": null,
	"sha1_hash": "a83dd5eaf3c18a7c17af3e60c4b23461dbc305fa",
	"title": "Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 113055,
	"plain_text": "Unmasking The Gentlemen Ransomware: Tactics, Techniques, and\r\nProcedures Revealed\r\nPublished: 2025-09-09 · Archived: 2026-04-05 16:22:50 UTC\r\nKey takeaways\r\nThe Gentlemen ransomware group launched a campaign involving advanced, highly tailored tools specifically\r\ndesigned to bypass enterprise endpoint protections.\r\nThe campaign leveraged a combination of legitimate driver abuse, Group Policy manipulation, custom anti-AV\r\nutilities, privileged account compromise, and encrypted exfiltration channels.\r\nThe group targeted multiple industries and regions, focusing heavily on a range of industries such as manufacturing,\r\nconstruction, healthcare, and insurance, with attacks spanning at least 17 countries.\r\nThe Gentlemen show advanced capabilities by systematically compromising enterprise environments, using versatile\r\ntools from generic anti-AV utilities to targeted variants, highlighting serious threat to organizations despite security\r\nmeasures.\r\nThe group also engineered ransomware deployment via privileged domain accounts and created evasion methods to\r\npersist against security controls.\r\nTrend Vision One™ detects and blocks the indicators of compromise (IOCs) described in this blog and equips\r\ncustomers with tailored hunting queries, threat intelligence, and actionable insights. Additional mitigation\r\nrecommendations are outlined below.\r\nIntroduction\r\nIn August 2025, we investigated a new ransomware campaign orchestrated by The Gentlemen, an emerging and previously\r\nundocumented threat group. This threat actor quickly established itself within the threat landscape by demonstrating\r\nadvanced capabilities through their systematic compromise of enterprise environments. 
By adapting their tools mid-campaign, shifting from generic anti-AV utilities to highly targeted, specific variants, the attackers demonstrate versatility and determination, posing a significant threat to organizations regardless of their security defenses.\r\nThe campaign’s attack chain exposed several highly sophisticated and concerning tactics. Notably, the threat actor exploited legitimate drivers for defense evasion, abused Group Policy Objects (GPO) to facilitate domain-wide compromise, and deployed custom malicious tools designed to disable the security solutions present in the environment. The Gentlemen group demonstrated operational security practices by utilizing encrypted channels for data exfiltration via WinSCP and establishing redundant persistence mechanisms through both AnyDesk remote access software and modified registry settings.\r\nSignificance\r\nThe group's tactics, particularly their development of custom tools targeting specific security vendors, indicate an evolution in ransomware operations where attackers conduct extensive reconnaissance, resulting in tailored bypasses for the defenses they encounter. This approach represents a shift from opportunistic attacks: through systematic analysis of security software documentation, the threat actors combine this knowledge with the abuse of legitimate tools and vulnerable drivers to deploy environment-specific evasion techniques.\r\nThe Gentlemen's substantial victim count, coupled with the lack of prior threat intelligence, suggests either a rebranding effort by experienced operators or the emergence of a well-funded new entrant within the ransomware ecosystem. 
By using threat intelligence on the group's methodologies, organizations can proactively identify their tools, tactics, and procedures (TTPs), implement targeted defensive measures, and prepare incident response plans aligned with these observed behaviors.\r\nVictimology\r\nThe Gentlemen ransomware group has been targeting organizations across multiple sectors, with a particular focus on the Asia-Pacific region. The manufacturing industry has been the hardest hit, followed closely by construction, healthcare, and insurance. The group’s attacks on essential services such as healthcare highlight its disregard for critical infrastructure and the potential public safety implications. Key target countries include Thailand and the United States, with a total of 17 countries affected.\r\nInitial Access\r\nAlthough the exact initial access vector remains unconfirmed for this specific incident, our investigation suggests the threat actors likely exploited internet-facing services or compromised credentials to establish their initial foothold. 
The presence of network reconnaissance tools (such as Advanced IP Scanner, shown below) early in the attack timeline, combined with evidence of systematic infrastructure mapping, indicates a calculated entry strategy rather than opportunistic exploitation.\r\nhttps://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html\r\nPage 1 of 8\r\nFollowing the initial compromise, the attackers carried out thorough reconnaissance via Advanced IP Scanner to gain knowledge of the network layout and identify valuable targets.\r\nC:\\Program Files (x86)\\Advanced IP Scanner\\advanced_ip_scanner.exe\r\nDiscovery\r\nDuring the discovery phase, the threat actor examined Active Directory structures, focusing on domain administrators, enterprise administrators, and custom privilege groups such as itgateadmin.\r\nOne notable technique used by The Gentlemen involved a batch script named 1.bat that performed mass account enumeration, querying more than 60 user accounts across the domain infrastructure:\r\nnet user admin.it /dom\r\nnet user administrator /dom\r\nnet user fortigate /dom\r\nnet group \"domain admins\" /dom\r\nnet group \"Enterprise admins\" /dom\r\nnet localgroup __vmware__\r\nnet localgroup administrators\r\n[additional net user commands]\r\nThey also demonstrated extensive environmental awareness by querying local groups, including standard administrative groups and virtualization-specific groups such as VMware, indicating preparation for lateral movement across both physical and virtualized infrastructure components.\r\nDefense Evasion\r\nThe group's initial defense evasion strategy centered on deploying All.exe in conjunction with ThrottleBlood.sys, leveraging a technique previously documented by other researchers. This approach exploits a legitimate signed driver to perform kernel-level manipulation, effectively terminating security software processes by abusing Windows driver functionality. 
The tool operates by loading the vulnerable driver and using it to kill protected processes that would normally be shielded from termination:\r\n$myuserprofile$\\Downloads\\All.exe → $myuserprofile$\\Downloads\\ThrottleBlood.sys\r\nRecognizing the limitations of this initial approach, the threat actors shifted tactics and began conducting detailed reconnaissance of the endpoint protection mechanisms in place. This allowed them to identify specific security controls and tailor their methods accordingly.\r\nNext, they deployed PowerRun.exe, a legitimate tool frequently abused for privilege escalation. By leveraging PowerRun.exe, the attackers attempted to execute high-privilege operations, aiming to disable or terminate security-related services and processes.\r\nThroughout this phase, the group demonstrated a targeted approach, adapting their techniques to the particular security solutions they encountered rather than relying solely on generic bypass methods.\r\nAfter gathering sufficient information, the threat actors introduced an enhanced version of their defense evasion tool, Allpatch2.exe. This tool was specifically customized to neutralize key security agent components by targeting and terminating the relevant processes. Their ability to modify evasion strategies based on the victim environment’s defenses highlights a high level of sophistication and adaptability.\r\nLateral Movement and Persistence\r\nThe threat actors leveraged PsExec for lateral movement, demonstrating proficiency in living-off-the-land techniques. 
They systematically weakened security controls by modifying registry settings that govern authentication and remote access protocols:\r\nreg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0 /v RestrictSendingNTLMTraffic /t REG_DWORD /d 0 /f\r\nreg add HKLM\\System\\CurrentControlSet\\Control\\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f\r\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v SecurityLayer /t REG_DWORD /d 1 /f\r\nThe first change lifts any restriction on outgoing NTLM authentication, the second enables Restricted Admin mode for RDP (which permits logon with an NTLM hash rather than a password), and the third sets the RDP security layer to Negotiate instead of requiring TLS.\r\nTo maintain persistent command-and-control (C\u0026C) access, the threat actors relied on AnyDesk, creating a remote access channel resilient to traditional incident response actions. They further expanded their situational awareness by downloading, installing, and executing Nmap for comprehensive internal network scanning:\r\nDownloaded NMAP: C:\\Users\\fortigate\\Downloads\\nmap-7.97-setup.exe\r\nnmap -sV -T4 -O -F -oX C:\\Users\\FORTIG~1\\AppData\\Local\\Temp\\zenmap-7ii30x5l.xml --version-light \u003cIP address\u003e\r\nCritically, the Nmap output path revealed the compromise of a FortiGate administrative account, with network scans originating from this privileged context. This suggests the threat actors had compromised critical network security infrastructure, potentially granting them extensive visibility and control over network traffic. 
Our investigation confirmed that the FortiGate server was directly accessible from the internet, which likely served as the attackers' entry point into the network.\r\nAdditional evidence further indicates the possible use of PuTTY for Secure Shell (SSH)-based lateral movement, though the full scope of this tool's usage remains unclear.\r\nGroup Policy Manipulation\r\nWe also observed the use of Group Policy Management Console (gpmc.msc) and Group Policy Management Editor (gpme.msc), likely as part of an attempt to deploy malicious configurations across the domain:\r\n\"C:\\Windows\\System32\\gpme.msc\" /s /gpobject:\"LDAP://\u003cREDACTED\u003e/cn=\u003cREDACTED\u003e,cn=policies,cn=system,DC=\u003cREDACTED\u003e,DC=local\"\r\nThe attacker also executed encoded PowerShell to identify critical domain infrastructure, with a particular focus on the Primary Domain Controller (PDC) emulator for potential high-impact operations:\r\nC:\\Windows\\System32\\cmd.exe → /Q /c powershell.exe -noni -nop -w 1 -enc IAAoAEcAZQB0AC0AQQBEAEQAbwBtAGEAaQBuACkALgBQAEQAQwBFAG0AdQBsAGEAdABvAHIA 1\u003e \\Windows\\Temp\\UDaYsR 2\u003e\u00261\r\n→ (Get-ADDomain).PDCEmulator\r\nC:\\Windows\\System32\\cmd.exe → /Q /c powershell.exe -noni -nop -w 1 -enc IABHAGUAdAAtAEEARABEAG8AbQBhAGkAbgAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAAUABEAEMARQBtAHUA 1\u003e \\Windows\\Temp\\IHQBeJ 2\u003e\u00261\r\n→ Get-ADDomain | Select-Object PDCEmulator\r\nThis level of Active Directory manipulation indicates preparation for domain-wide ransomware deployment or the establishment of a persistent backdoor through GPO abuse.\r\nCollection\r\nThe data staging portion of the operation suggests a methodical approach to information gathering. We found evidence suggesting possible data consolidation in C:\\ProgramData\\data, with hundreds of files being accessed. 
The presence of zone identifier streams could also indicate advanced collection methods, though alternative explanations cannot be ruled out (Zone.Identifier is the Mark of the Web stream that Windows writes to files obtained from a remote or internet zone, so its presence on the staged files suggests they were copied in from elsewhere rather than created locally):\r\nC:\\programdata\\data\\\u003cREDACTED\u003e.pdf:zone.identifier:$data\r\n[approximately 100 similar files]\r\nWe observed a number of WebDAV connections to internal resources throughout the compromise period. While these connections could indicate an alternative data collection mechanism or preparation for distributed exfiltration, WebDAV activity can also occur through legitimate business operations. Within the broader context of the compromise, however, these connections warrant scrutiny:\r\nC:\\Windows\\system32\\davclnt.dll,DavSetCookie \u003cIP Address\u003e http://\\\u003cREDACTED\u003e//\r\nC:\\Windows\\system32\\davclnt.dll,DavSetCookie \u003cIP Address\u003e http://\\\u003cREDACTED\u003e//share_EXT01\r\nC:\\Windows\\system32\\davclnt.dll,DavSetCookie \u003cIP Address\u003e http://\\\u003cREDACTED\u003e//c$\r\n[approximately 50 different local networks and shares]\r\nEven though the timing and volume of these activities align with typical data staging behaviors observed in ransomware attacks, we present this analysis with moderate confidence pending additional forensic validation.\r\nExfiltration\r\nData exfiltration was likely carried out through WinSCP, a legitimate file transfer tool commonly abused by threat actors for its reliability and encryption capabilities. 
Our telemetry shows the transfer of sensitive internal documentation:\r\nC:\\ProgramData\\data\\INTERNAL\\Summary\u003cREDACTED\u003e → \"C:\\ProgramData\\WinSCP.exe\"\r\nThe choice of WinSCP suggests the attackers prioritized operational security, using encrypted channels to avoid detection by network monitoring solutions.\r\nImpact\r\nThe ransomware was deployed through the domain's NETLOGON share, ensuring widespread distribution across all domain-joined systems. The payload was password-protected, likely to evade automated sandbox analysis:\r\n\\\\\u003cREDACTED\u003e.local\\NETLOGON\\\u003cREDACTED\u003e.exe --password \u003c8-byte key\u003e\r\nPrior to encryption, the built-in Windows Defender was neutralized through PowerShell commands:\r\nSet-MpPreference -DisableRealtimeMonitoring $true -Force\r\nAdd-MpPreference -ExclusionProcess \"C:\\Windows\\Temp\\\u003cREDACTED\u003e\"\r\nTo ensure persistent access for negotiation and additional extortion activities, the following firewall rule was modified:\r\nnetsh firewall set service type remotedesktop mode enable\r\nOverall, the campaign highlights the threat actors' understanding of enterprise security architectures, demonstrated through adaptive countermeasures specifically tailored to overcome deployed security solutions, systematic data theft for double extortion, and the eventual successful deployment of ransomware using domain administrator privileges for maximum impact.\r\nRansomware analysis\r\nThe ransomware drops the following ransom note and appends the following extension:\r\nREADME-GENTLEMEN.txt - Ransom note containing victim ID and contact information\r\n.7mtzhh - File extension appended to each encrypted file\r\nIn terms of execution, the ransomware accepts specific parameters:\r\n--password (Required): 8-byte password needed to execute the ransomware\r\n--path (Optional): Target path for specifying a custom encryption directory\r\nThe 
ransomware aggressively attempts to terminate key services commonly associated with backup, database, and security processes to maximize its impact:\r\nnet stop \u003cservice_name\u003e\r\nTargeted services: (.*)sql(.*), AcrSch2Svc, VSNAPVSS, MVarmor64, MVarmor, VeeamTransportSvc, VeeamDeploymentService, VeeamNFSSvc, AcronisAgent, QBIDPService, QBDBMgrN, QBCFMonitorService, OracleServiceORCL, MySQL, MSSQL, SAPHostExec, SAPHostControl, SAPD$, SAP$, postgresql, SAP, SAPService, GxFWD, GxVsshWProv, GXMMM, GxClMgr, MariaDB, GxCVD, GxClMgrS, GxVss, GxBlr, BackupExecRPCService, SQLAgent$SQLEXPRESS, BackupExecManagementService, BackupExecJobEngine, MSSQL$SQLEXPRESS, BackupExecDiveciMediaService, BackupExecAgentBrowser, SQLWriter, BackupExecAgentAccelerator, BackupExecVSSProvider, PDVFSService, SQLSERVERAGENT, WSBExchange, MSExchange\\$, MSExchange, sophos, msexchange, docker, MSSQLSERVER, MSSQL*, Sql, vss, backup, veeam, memtas, mepocs, vmms\r\nFurther, the threat systematically terminates processes using the following command:\r\ntaskkill /IM \u003cprocess_name\u003e.exe /F\r\nTargeted processes: Veeam.EndPoint.Service.exe, mvdesktopservice.exe, VeeamDeploymentSvc.exe, VeeamTransportSvc.exe, VeeamNFSSvc.exe, EnterpriseClient.exe, DellSystemDetect.exe, avscc.exe, avagent.exe, sapstartsrv.exe, saposco.exe, saphostexec.exe, CVODS.exe, cvfwd.exe, cvd.exe, CVMountd.exe, tv_x64.exe, tv_w32.exe, pgAdmin4.exe, TeamViewer.exe, TeamViewer_Service.exe, SAP.exe, QBCFMonitorService.exe, pgAdmin3.exe, QBDBMgrN.exe, QBIDPService.exe, CagService.exe, vsnapvss.exe, raw_agent_svc.exe, cbInterface.exe, \"Docker Desktop.exe\", beserver.exe, pvlsvr.exe, bengien.exe, benetns.exe, vxmon.exe, bedbh.exe, IperiusService.exe, sqlceip.exe, xfssvccon.exe, wordpad.exe, winword.exe, visio.exe, thunderbird.exe, thebat.exe, Iperius.exe, psql.exe, postgres.exe, tbirdconfig.exe, synctime.exe, steam.exe, 
sqbcoreservice.exe, powerpnt.exe, cbVSCService11.exe, postmaster.exe, mysqld.exe, outlook.exe, oracle.exe, onenote.exe, ocssd.exe, ocomm.exe, ocautoupds.exe, SQLAGENT.exe, sqlwriter.exe, notepad.exe, mydesktopservice.exe, mydesktopqos.exe, mspub.exe, msaccess.exe, cbService.exe, sqlbrowser.exe, w3wp.exe, sql.exe, isqlplussvc.exe, infopath.exe, firefox.exe, excel.exe, encsvc.exe, Ssms.exe, DBeaver.exe, sqlservr.exe, dbsnmp.exe, dbeng50.exe, agntsvc.exe, vmcompute.exe, vmwp.exe, vmms.exe\r\nBeyond service and process termination, the ransomware executes additional commands to impede recovery and forensic investigation:\r\nDeletes the Recycle Bin content: cmd /C \"rd /s /q C:\\$Recycle.Bin\"\r\nDeletes Remote Desktop Protocol (RDP) log files: cmd /C \"del /f /q %SystemRoot%\\System32\\LogFiles\\RDP*\\*.*\"\r\nDeletes Windows Defender support files: cmd /C \"del /f /q C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*.*\"\r\nDeletes Prefetch files: cmd /C \"del /f /q C:\\Windows\\Prefetch\\*.*\"\r\nAdds C:\\ to the Windows Defender exclusion paths: powershell -Command \"Add-MpPreference -ExclusionPath C:\\ -Force\"\r\nAdds the ransomware binary (name unknown) to the Windows Defender process exclusions: powershell -Command \"Add-MpPreference -ExclusionProcess C:\\Users\\User\\Desktop\\(unknown).exe -Force\"\r\nDisables Windows Defender real-time monitoring: powershell -Command \"Set-MpPreference -DisableRealtimeMonitoring $true -Force\"\r\nClears the Windows event logs:\r\n    wevtutil cl Security\r\n    wevtutil cl Application\r\n    wevtutil cl System\r\nDeletes shadow copies:\r\n    wmic shadowcopy delete\r\n    vssadmin delete shadows /all /quiet\r\nFor final cleanup, the ransomware drops a batch script named after itself (e.g., (unknown).exe.bat). This script pings the local host for a brief delay, deletes the ransomware binary, and then deletes itself, so that no artifacts of the encryption routine remain on disk. 
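The commands quoted throughout this write-up (the reg add changes in the lateral movement section, the encoded PowerShell in the Group Policy section, the NETLOGON deployment with its 8-byte password, the Defender, shadow-copy and event-log commands above, and the bulk net stop / taskkill activity) are all visible in process-creation telemetry such as Sysmon event 1 or Security event 4688. The script below is an added example, not Trend Micro's code and not Trend Vision One query syntax: it decodes -enc PowerShell payloads (the second sample in the Group Policy section is truncated as quoted, so it decodes to a prefix), tags command lines that match the patterns described in this report, and flags hosts where service-stop or taskkill commands reach a threshold, which is the mass-termination alert the mitigation section calls for. The event shape, hostnames, user names and the NETLOGON payload name are constructed for the example.

```python
"""Triage of process-creation command lines against the TTPs described above.

Added example, not Trend Micro's code or Trend Vision One query syntax. Events are
a constructed Sysmon-like shape (host, user, cmdline); hostnames, user names and the
NETLOGON payload name are assumptions.
"""
import base64
import re
from collections import Counter

# PowerShell -e/-enc/-EncodedCommand carries UTF-16LE script text, base64-encoded.
ENC_RE = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_powershell(cmdline):
    """Return the decoded -enc payload, or None when the line carries none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # re-pad; quoted samples are often cut short
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    return raw.decode("utf-16-le", errors="replace")


# tag -> regex, matched case-insensitively against the command line (plus any
# decoded -enc payload). Each pattern mirrors a command quoted in this report.
RULES = {
    "ntlm_restriction_removed": r"RestrictSendingNTLMTraffic\b.*\s/d\s+0\b",
    "restricted_admin_enabled": r"DisableRestrictedAdmin\b.*\s/d\s+(?:0x)?0\b",
    "rdp_security_layer_downgraded": r"RDP-Tcp.*SecurityLayer\b.*\s/d\s+[01]\b",
    "defender_realtime_disabled": r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true",
    "defender_drive_root_excluded": r"Add-MpPreference\b.*-ExclusionPath\s+[A-Z]:\\(?!\S)",
    "shadow_copies_deleted": r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete",
    "event_log_cleared": r"wevtutil\s+cl\s+(?:Security|Application|System)\b",
    "forensic_artifacts_deleted": r"del\s+/f\s+/q\s+\S*(?:Prefetch|LogFiles\\RDP)",
    "rdp_opened_in_firewall": r"netsh\s+firewall\s+set\s+service\s+type\s*=?\s*remotedesktop\s+mode\s*=?\s*enable",
    "netlogon_payload_with_password": r"\\NETLOGON\\\S+\s.*--password\s+\w{8}\b",
    "pdc_emulator_lookup": r"Get-ADDomain\b.*PDCEmulator",
    "domain_account_enumeration": r"\bnet\s+(?:user|group)\s+\S.*\s/dom(?:ain)?\b|\bnet\s+localgroup\b",
    "service_or_process_kill": r"\bnet\s+stop\s+\S|\btaskkill\b.*\s/IM\s+\S",
}
COMPILED = {tag: re.compile(pat, re.IGNORECASE) for tag, pat in RULES.items()}


def classify(cmdline):
    """Tags for one command line; an -enc payload is decoded and scanned as well."""
    decoded = decode_encoded_powershell(cmdline)
    text = cmdline if decoded is None else cmdline + " " + decoded
    tags = [tag for tag, rx in COMPILED.items() if rx.search(text)]
    if decoded is not None:
        tags.append("encoded_powershell")
    return tags


def triage(events):
    """Index -> tags for every event that matched at least one rule."""
    hits = {}
    for i, event in enumerate(events):
        tags = classify(event["cmdline"])
        if tags:
            hits[i] = tags
    return hits


def mass_termination(events, threshold=5):
    """Hosts whose count of net stop / taskkill commands reaches the threshold."""
    kills = Counter(e["host"] for e in events
                    if COMPILED["service_or_process_kill"].search(e["cmdline"]))
    return {host: n for host, n in kills.items() if n >= threshold}


# Constructed sample: the command lines reproduce those quoted in the investigation;
# hosts, users and the payload name are made up.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "fortigate", "cmdline":
     r"reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 /v RestrictSendingNTLMTraffic /t REG_DWORD /d 0 /f"},
    {"host": "WS01", "user": "fortigate", "cmdline":
     r"reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f"},
    {"host": "WS01", "user": "fortigate", "cmdline":
     r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 1 /f'},
    {"host": "DC01", "user": "administrator", "cmdline":
     "powershell.exe -noni -nop -w 1 -enc IAAoAEcAZQB0AC0AQQBEAEQAbwBtAGEAaQBuACkALgBQAEQAQwBFAG0AdQBsAGEAdABvAHIA"},
    {"host": "FS01", "user": "administrator", "cmdline":
     r"\\corp.local\NETLOGON\payload.exe --password Ab3dEf9h"},
    {"host": "FS01", "user": "administrator", "cmdline":
     'powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true -Force"'},
    {"host": "FS01", "user": "administrator", "cmdline":
     'powershell -Command "Add-MpPreference -ExclusionPath C:\\ -Force"'},
    {"host": "FS01", "user": "SYSTEM", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "FS01", "user": "SYSTEM", "cmdline": "wevtutil cl Security"},
    {"host": "WS02", "user": "jdoe", "cmdline":
     r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\jdoe\Documents\q3.docx"'},
] + [
    {"host": "FS01", "user": "SYSTEM", "cmdline": "net stop " + svc}
    for svc in ("VeeamTransportSvc", "MSSQLSERVER", "AcrSch2Svc", "vss", "backup")
]

if __name__ == "__main__":
    for i, tags in triage(SAMPLE_EVENTS).items():
        print(f"{SAMPLE_EVENTS[i]['host']:5} {', '.join(tags):35} {SAMPLE_EVENTS[i]['cmdline'][:60]}")
    print("mass termination:", mass_termination(SAMPLE_EVENTS))
```

Run as-is to see the tags for the constructed sample; on real data, feed it process-creation events with the same three fields. The rules are intentionally narrow (they key on the exact registry values, flags and paths quoted in this report) so they produce few false positives, and the mass-termination threshold should be tuned per environment; the function counts per host only, so add a time window if your telemetry spans long periods.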
\r\nConclusion\r\nThe Gentlemen ransomware campaign shows the rapid evolution of modern ransomware threats, blending advanced technical sophistication with persistent, targeted operations. This campaign is distinguished by its use of custom-built tools for defense evasion, its ability to study and adapt to deployed security software, and its methodical abuse of both legitimate and vulnerable system components to subvert layered enterprise defenses. By tailoring their tactics against specific security vendors, The Gentlemen have demonstrated an acute awareness of their targets’ environments and a willingness to engage in in-depth reconnaissance and tool modification throughout the course of their operation.\r\nThe campaign’s impact on critical infrastructure and its use of double extortion techniques underscore the significant risk this threat actor poses to organizations. Their campaign illustrates the growing trend among ransomware operators to move beyond “one-size-fits-all” methods toward highly customized attacks, raising the bar for detection, prevention, and incident response.\r\nOrganizations are strongly advised to review their security posture, focusing on proactive threat hunting for group-specific tools, tactics, and procedures, the strengthening of endpoint and network protections, and the continuous refinement of incident response strategies. Particular attention should be given to monitoring for anomalous administrative activity, the abuse of legitimate tools for lateral movement and privilege escalation, and early indications of defense evasion efforts targeting security solutions.\r\nDefending against the Gentlemen attacks\r\nGiven the group's exploitation of internet-facing infrastructure and VPN appliances, Zero Trust controls are essential for preventing initial access and limiting blast radius. 
Organizations must eliminate direct RDP exposure to the internet, enforce multi-factor authentication for all administrative interfaces, and implement network segmentation between IT management tools and production systems. Enterprises should also implement virtual patching for known vulnerabilities in perimeter devices, particularly the VPN concentrators and firewalls that The Gentlemen have been observed targeting.\r\nEssential access controls and monitoring include:\r\nRestricting domain controller share access and alerting on unauthorized NETLOGON modifications\r\nAuto-isolating devices showing indicators of driver-based attacks or anti-AV tool execution\r\nImplementing time-based access controls for privileged accounts with automatic de-escalation\r\nMonitoring for mass Active Directory queries and bulk group membership changes\r\nDeploying deception technologies on critical file shares to detect reconnaissance activities\r\nThe immediate priority is hardening endpoint security deployments against the group's documented process termination techniques. Organizations using Trend solutions should enable Tamper Protection with Anti-exploit Protection to prevent custom tools from terminating critical security processes. Additionally, password-protect agent uninstallation and activate Agent Self-Protection alongside Predictive Machine Learning in both pre-execution and runtime modes. 
These configurations specifically counter the group's attempts to disable security services before ransomware deployment.\r\nCritical endpoint controls should include:\r\nBlocking execution from temporary and user download directories where attack tools are typically staged\r\nMonitoring service stop commands targeting security processes and alerting on mass termination attempts\r\nImplementing application control to restrict unauthorized remote access tools (RDP clients, file transfer utilities)\r\nEnforcing driver signature verification and alerting on vulnerable driver loading attempts\r\nEnabling behavioral detection for privilege escalation and credential dumping activities\r\nObserved MITRE ATT\u0026CK tactics, techniques, and procedures\r\nTactic | Technique | Description\r\nInitial Access | T1190 - Exploit Public-Facing Application | Internet-facing FortiGate server and its admin account compromised; later Nmap scans ran from that account\r\nInitial Access | T1078.002 - Valid Accounts: Domain Accounts | Compromised domain accounts\r\nDiscovery | T1046 - Network Service Discovery | Nmap executed for service discovery\r\nDiscovery | T1018 - Remote System Discovery | Advanced IP Scanner used for network mapping\r\nDiscovery | T1087.002 - Account Discovery: Domain Account | Batch script querying multiple domain accounts\r\nDiscovery | T1069.002 - Permission Groups Discovery: Domain Groups | Enumeration of domain groups\r\nDiscovery | T1482 - Domain Trust Discovery | PowerShell commands used to identify the PDC\r\nExecution | T1059.003 - Command and Scripting Interpreter: Windows Command Shell | Used cmd.exe to execute different commands\r\nExecution | T1059.001 - Command and Scripting Interpreter: PowerShell | PowerShell commands used to deploy anti-AV tools and ransomware\r\nDefense Evasion | T1562.001 - Impair Defenses: Disable or Modify Tools | Stopped security services using anti-AV tools\r\nDefense Evasion | T1014 - Rootkit | Deployed vulnerable driver for process termination\r\nDefense Evasion | T1112 - Modify Registry | Registry changes to weaken authentication\r\nDefense Evasion | T1562.004 - Impair Defenses: Disable or Modify System Firewall | Modified firewall settings for RDP access\r\nDefense Evasion | T1027 - Obfuscated Files or Information | Execution of base64-encoded PowerShell commands\r\nPrivilege Escalation | T1484.001 - Domain or Tenant Policy Modification: Group Policy Modification | GPO manipulation for domain-wide impact\r\nPersistence | T1219 - Remote Access Software | Installed AnyDesk for remote access\r\nPersistence | T1112 - Modify Registry | Registry changes for persistence\r\nLateral Movement | T1021.002 - Remote Services: SMB/Windows Admin Shares | Used PsExec for lateral movement\r\nLateral Movement | T1021.001 - Remote Services: Remote Desktop Protocol | Enabled RDP via registry and firewall modification\r\nLateral Movement | T1021.004 - Remote Services: SSH | Used PuTTY for SSH movement\r\nCollection | T1074.001 - Data Staged: Local Data Staging | Data staged in C:\\ProgramData\\data\r\nCollection | T1039 - Data from Network Shared Drive | WebDAV connections to internal shares\r\nCommand and Control | T1219 - Remote Access Software | AnyDesk used for C\u0026C\r\nCommand and Control | T1071.001 - Application Layer Protocol: Web Protocols | WebDAV used for C\u0026C and data movement\r\nExfiltration | T1048.001 - Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Data exfiltrated using WinSCP\r\nImpact | T1486 - Data Encrypted for Impact | Ransomware deployed via NETLOGON share\r\nImpact | T1489 - Service Stop | Termination of security, backup, and database services\r\nProactive security with Trend Vision One™\r\nTrend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. 
This holistic approach helps enterprises predict and prevent threats, accelerating proactive security outcomes across their respective digital estate. With Trend Vision One, you’re enabled to eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation.\r\nTrend Vision One™ Threat Intelligence\r\nTo stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights, which provides the latest insights from Trend™ Research on emerging threats and threat actors.\r\nTrend Vision One Threat Insights\r\nEmerging Threats: Dressed to Encrypt: The Gentlemen's Tailored Ransomware Campaign\r\nTrend Vision One Intelligence Reports (IOC Sweeping)\r\nDressed to Encrypt: The Gentlemen's Tailored Ransomware Campaign\r\nHunting Queries\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.\r\neventSubId: 106 AND processCmd: /--password\\s+(\\w{8})\\b/ AND objectFilePath: .7mtzhh\r\neventSubId: 101 AND processCmd: /--password\\s+(\\w{8})\\b/ AND objectFilePath: README-GENTLEMEN.txt\r\nMore hunting queries are available for Trend Vision One customers with Threat Insights Entitlement enabled.\r\nIndicators of Compromise\r\nSHA1 | Detection name | Description\r\nc12c4d58541cc4f75ae19b65295a52c559570054 | Ransom.Win64.GENTLEMAN.THHAIBE | Ransomware\r\nc0979ec20b87084317d1bfa50405f7149c3b5c5f | Trojan.Win64.KILLAV.THHBHBE | Initial KILLAV\r\ndf249727c12741ca176d5f1ccba3ce188a546d28 | Trojan.Win64.KILLAV.THHBHBE | Patched KILLAV\r\ne00293ce0eb534874efd615ae590cf6aa3858ba4 | HackTool.Win32.PowerRun.THHBHBE | PowerRun\r\nSource: https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html"
	],
	"report_names": [
		"unmasking-the-gentlemen-ransomware.html"
	],
	"threat_actors": [
		{
			"id": "d513772b-a5ef-4e28-9e9d-d1c2bcd32737",
			"created_at": "2026-03-08T02:00:03.462729Z",
			"updated_at": "2026-04-10T02:00:03.97828Z",
			"deleted_at": null,
			"main_name": "The Gentlemen",
			"aliases": [],
			"source_name": "MISPGALAXY:The Gentlemen",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434567,
	"ts_updated_at": 1775791611,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a83dd5eaf3c18a7c17af3e60c4b23461dbc305fa.pdf",
		"text": "https://archive.orkl.eu/a83dd5eaf3c18a7c17af3e60c4b23461dbc305fa.txt",
		"img": "https://archive.orkl.eu/a83dd5eaf3c18a7c17af3e60c4b23461dbc305fa.jpg"
	}
}