Need help with a "The Gentlemen" attack?

Quickly Contain & Restore: 24/7 Expert Incident Response for "The Gentlemen" Attacks.

A confirmed ransomware attack by “The Gentlemen” demands immediate action. Because every second is critical, our 24/7 Emergency Incident Response team delivers swift containment, detailed digital forensics, and full data recovery to secure your environment without delay.

Expert Response to “The Gentlemen”: Decryption & Leak Prevention

The Gentlemen ransomware group employs a suite of sophisticated, adaptive techniques to evade security defenses and achieve full domain compromise, moving beyond generic attacks towards highly tailored operations. The techniques observed from The Gentlemen include customized defense evasion, complex lateral movement using legitimate administrative tools, and systematic anti-forensics measures:

🔥 Anatomy of “The Gentlemen” Attack

Advanced Defense Evasion Capabilities

The group prioritizes understanding and neutralizing a victim’s existing security solutions, adapting its methods mid-campaign.


Customized Anti-AV Tooling: The attackers conduct detailed reconnaissance on endpoint protection mechanisms before deploying their methods.

They initially deployed All.exe together with the legitimate signed driver ThrottleBlood.sys, exploiting a vulnerability in that driver (a bring-your-own-vulnerable-driver approach) to terminate protected security software from kernel level.

Later, they introduced Allpatch2.exe, a custom tool specifically designed to neutralize and kill security agent processes, demonstrating their ability to tailor tools to the victim’s environment.

They use PowerRun.exe for privilege escalation, which lets them attempt to disable or terminate security-related services and processes.

Impairing Defenses via PowerShell: They execute PowerShell commands, often encoded or remotely executed, to undermine local security measures. This includes:

  • Disabling Windows Defender real-time protection (Set-MpPreference -DisableRealtimeMonitoring $true).

  • Adding global exclusions for the entire C:\ drive and for the ransomware executable process, so that the payload is not detected before encryption.

Targeted Service Termination: The ransomware includes a built-in “kill list” that aggressively stops critical processes and services before encryption. This maximizes impact by ensuring that no files remain open or locked by database engines (such as MSSQL or PostgreSQL), virtualization software (vmms), or backup utilities (such as Veeam).

Stealth Execution Modes: The ransomware supports a silent mode (-silent) for Linux and Windows variants, which enables stealth execution and, for Linux, preserves file modification dates, complicating forensic reconstruction.

Dual-Operation Encryption: The ransomware can operate in modes that support both local disk encryption and network-wide encryption from the same session. The encryption speeds are configurable (e.g., –fast, –superfast, –ultrafast), allowing operators to balance speed against stealth.

Password-Protected Deployment: The final ransomware payload is deployed with a required 8-byte password parameter, likely to evade automated sandbox analysis and delay detection.

Domain Compromise and Persistence Techniques

The group uses living-off-the-land techniques and domain-specific tools to achieve wide-ranging control and persistence.


Initial Access via Exposed Services: Initial access is often achieved by exploiting internet-facing services or using compromised credentials. In one observed case, a compromised FortiGate server administrative account was used as the entry point.

Network Reconnaissance and Privilege Discovery:

  • They use tools like Advanced IP Scanner and Nmap to map network infrastructure, identify valuable targets, and perform comprehensive internal network scanning.

  • They execute a batch script (1.bat) to perform mass account enumeration, specifically querying domain administrators, enterprise administrators, and virtualization-related groups (like VMware and itgateadmin), signaling preparation for hybrid environment attacks.

  • They use PowerShell commands to identify critical domain components, focusing on the Primary Domain Controller (PDC) Emulator.

Group Policy Abuse (GPO): The attackers open the Group Policy Management Console (gpmc.msc) and Group Policy Management Editor (gpme.msc) to manage policy-deployed applications. From this position, GPO manipulation can potentially push malicious configurations domain-wide.

Weakening Authentication and Remote Access: They modify critical registry settings (e.g., under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) to weaken authentication protocols (such as NTLM traffic restrictions) and alter remote access settings, for example enabling Remote Desktop Protocol (RDP). They also run icacls commands to change file permissions, granting full control to the Everyone group on targeted folders to guarantee access before encryption.

Lateral Movement and Propagation: The group uses multiple mechanisms to spread across the network:

  • PsExec for lateral movement.

  • Windows Management Instrumentation (WMI), SCHTASKS (Scheduled Tasks), SC (Service Control), and PowerShell Remoting to propagate the ransomware across the network and domain.

  • Remote process creation using the WMI Win32_Process class to execute commands on remote machines.

Persistent Remote Access: They establish persistence by installing and relying on legitimate remote access tools like AnyDesk for resilient command-and-control (C&C) access. They also achieve persistence using automatic self-restart and run-on-boot features implemented via schtasks and registry entries (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run).

Data Exfiltration over Encrypted Channels: For dual-extortion tactics, they exfiltrate sensitive data using WinSCP, a legitimate file transfer tool that operates over encrypted channels to avoid network detection.

Anti-Forensics Measures

To obstruct post-incident investigation, The Gentlemen systematically remove forensic traces:


Log and Artifact Deletion: They delete Windows Defender support files, Remote Desktop Protocol (RDP) artifacts, and Windows Prefetch files.

System Recovery Inhibition: They delete shadow copies using wmic shadowcopy delete and vssadmin delete shadows /all /quiet to inhibit system recovery.

Event Log Clearing: They clear Windows Event Logs (Security, Application, System) using wevtutil cl commands.

Self-Destruction: In a final cleanup stage, they drop a self-named script that executes a brief delay, deletes the ransomware binary, and then removes the script itself, ensuring comprehensive cleanup after encryption is complete.
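The defense-evasion, WMI lateral-movement and anti-forensics commands described above all leave process-creation telemetry. The following detector is an added example, not code from this page or from Xact; its log format, the sample events, and the placeholder names ransom.exe and C:\Finance are constructed assumptions.

```python
"""Added example, not code from the page or from Xact: a small detector that flags
the defense-evasion, WMI lateral-movement and anti-forensics command lines described
above in process-creation telemetry (Sysmon Event ID 1 / Security 4688 style).
The log format and every event line below are constructed for illustration."""
import re

# (rule name, required parent process or None, regex applied to the command line)
RULES = [
    ("defender_realtime_disabled", None,
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("defender_exclusion_added", None,
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process)\b", re.I)),
    ("shadow_copy_deletion", None,
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("event_log_cleared", None,
     re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)),
    ("everyone_full_control", None,
     re.compile(r"icacls(\.exe)?\b.*/grant\b.*\beveryone:\S*F", re.I)),
    # Win32_Process.Create on a remote host appears as WmiPrvSE.exe spawning a shell
    ("wmi_remote_process", "wmiprvse.exe",
     re.compile(r"\b(cmd|powershell)(\.exe)?\b", re.I)),
]

# Constructed sample events (not real telemetry): key=value fields separated by '|';
# the paths, 'ransom.exe' and 'C:\Finance' are placeholders.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe notes.txt",
    r"ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true",
    r"ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell Add-MpPreference -ExclusionPath C:\ -ExclusionProcess ransom.exe",
    r"ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin delete shadows /all /quiet",
    r"ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\wevtutil.exe|CommandLine=wevtutil cl Security",
    r"ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\icacls.exe|CommandLine=icacls C:\Finance /grant Everyone:(OI)(CI)F /T",
    r"ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c whoami",
]

def parse_event(line):
    """Split a 'key=value|key=value' line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))

def classify(line):
    """Return the names of every rule the event matches (empty list if benign)."""
    ev = parse_event(line)
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("CommandLine", "")
    return [name for name, want_parent, pat in RULES
            if (want_parent is None or parent == want_parent) and pat.search(cmd)]

def scan(lines):
    """Map event index -> matched rule names for every suspicious event."""
    return {i: classify(l) for i, l in enumerate(lines) if classify(l)}
```

Running scan(SAMPLE_EVENTS) flags every event except the benign notepad launch; in production the same rules would be fed from a SIEM query rather than the inline list.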

The group’s methodology—combining detailed reconnaissance, customized anti-AV payloads, and the abuse of domain administrative tools—allows them to operate like a highly specialized, adaptive “software organization” that actively neutralizes defenses and systematically gains control over the victim’s domain infrastructure. This level of preparation and adaptation makes detection and response significantly more challenging.

What To Do Immediately


6 Critical Steps to Take When “The Gentlemen” Strike

  • Immediate Containment – Isolate compromised systems, hunt for remote access abuse, and secure ESXi environments before further encryption or data theft occurs.

  • Forensic Investigation – Identify exactly how they got in, what data was accessed, and what systems are still at risk.

  • Eradication – Remove all malicious code, disable backdoors, and secure credentials.

  • Recovery – Restore systems from clean backups, validate integrity, and resume operations safely.

  • Prevention – Implement targeted security controls to prevent a repeat incident.

What To Do in the First 60 Minutes After a Cyberattack?

Download our free Emergency Cyberattack Response Guide to take immediate, effective action and avoid costly mistakes.


If you’re dealing with "The Gentlemen" ransomware attack, time is your most valuable asset. Contact our incident response team now for immediate assistance.

Xact Cybersecurity – Experts in ransomware incident response, malware recovery, business email compromise (BEC), and cybersecurity compliance (CMMC, NIST, FTC). Fast, confidential help with DragonForce, Interlock, Qilin and other ransomware threats—available 24/7.


Copyright © 2025 Xact I.T. Solutions Inc. All Rights Reserved.