Gentlemen Ransomware: A Global Enterprise Disruption Campaign

1. Executive Summary

Gentlemen ransomware is a modern, enterprise-focused ransomware operation that emerged in August 2025 and rapidly expanded through December 2025. Despite its relatively recent appearance, the group demonstrates high technical maturity, disciplined operational security, and a clear focus on high-impact sectors.

The group operates a double-extortion model, combining data theft with system encryption, and shows advanced tradecraft such as:

  • Kernel-level defense evasion (BYOVD)
  • Password-protected ransomware execution
  • Domain-wide deployment via Group Policy Objects (GPO)
  • Targeted victim selection rather than opportunistic attacks

Gentlemen is not mass ransomware. It is deliberate, hands-on-keyboard intrusion ransomware aimed at environments where downtime is catastrophic.


2. Key Targets and Victim Profile

Industries most affected

Gentlemen ransomware consistently targets industries with:

  • High operational downtime costs
  • Centralized IT/OT infrastructure
  • Sensitive or regulated data

Primary sectors impacted:

  • Manufacturing
  • Healthcare
  • Construction
  • Insurance
  • Energy and industrial services
  • IT services and technology providers
  • Secondary exposure in finance, education, and nonprofit sectors

Manufacturing and healthcare are the most heavily targeted, likely due to pressure to restore operations quickly.


Geographic distribution

Confirmed incidents span at least 17 countries, indicating a global campaign with no geographic preference:

  • Asia-Pacific
  • North America
  • South America
  • Middle East
  • Europe
  • Africa

No single country dominates, reinforcing that network size and business impact, not location, drive targeting.


Confirmed victims (publicly observed)

Organization                    | Industry              | Country
Proplastics Ltd                 | Manufacturing         | Zimbabwe
Shifa Hospital                  | Healthcare            | Oman
Santa Rita Clinical Laboratory  | Healthcare            | Costa Rica
Grupo Halcón                    | Manufacturing         | Spain
Kuwait Portland Cement Co.      | Manufacturing         | Kuwait
Location Peintures Prestations  | Construction          | France
Saelen / Heizomat               | Energy & Construction | France
Oriental de Seguros             | Insurance             | Panama
Surtel Technologies Pvt         | IT Services           | India
JN Aceros                       | Manufacturing         | Peru

These victims reflect enterprise-scale operations, often with centralized Active Directory and shared infrastructure.


3. Initial Access – How Gentlemen Breaks In

Primary entry vectors

Gentlemen operators typically gain initial access through internet-facing services, most commonly:

  • Vulnerable or misconfigured FortiGate firewalls
  • Exposed VPN portals
  • Open administrative interfaces
  • Compromised domain or admin credentials

In several cases, attackers logged in using legitimate credentials, suggesting:

  • Credential theft
  • Password reuse
  • Purchased access from initial access brokers
  • Phishing campaigns upstream of the intrusion

Immediate post-entry behavior

Once inside, attackers quickly validate access by:

  • Running network reconnaissance
  • Launching scans using:
    • Advanced IP Scanner
    • Nmap
  • Enumerating reachable systems, services, and domain controllers

This reconnaissance is intentional and methodical, not automated noise.


4. Internal Reconnaissance and Expansion

After confirming access, attackers perform:

  • Active Directory enumeration:
    • Users
    • Groups
    • Domain admins
  • Identification of:
    • File servers
    • Backup systems
    • Security tooling
    • OT/ICS-adjacent systems (in manufacturing)

This stage may last days or weeks, allowing full mapping of the environment before action.


5. Privilege Escalation and Defense Evasion

Bring Your Own Vulnerable Driver (BYOVD)

Gentlemen uses a signed but vulnerable Windows kernel driver to gain kernel-level control:

  • Driver observed: ThrottleBlood.sys
  • Loaded from non-standard paths
  • Allows termination of protected processes

This technique enables attackers to:

  • Kill antivirus and EDR agents
  • Bypass tamper protection
  • Prevent security tools from restarting

Kernel-level evasion is a hallmark of advanced ransomware groups.


Additional security neutralization

Attackers also:

  • Disable Windows Defender real-time protection
  • Add Defender exclusions for malicious binaries
  • Stop backup software (including enterprise backup platforms)
  • Shut down databases:
    • MSSQL
    • MongoDB
  • Clear Windows event logs
  • Delete volume shadow copies

These steps maximize damage and limit forensic visibility.


6. Lateral Movement and Deployment

With elevated privileges, attackers spread laterally using:

  • Built-in Windows admin tools
  • Remote execution
  • Compromised domain admin accounts
  • Group Policy Objects (GPOs) for mass deployment

GPO abuse allows simultaneous ransomware execution across hundreds of systems, including servers and workstations.


7. Payload and Encryptor – Technical Breakdown

General characteristics

  • Language: Go (Golang)
  • Execution method: Command-line
  • Execution safeguard: Requires a correct password to run

This password requirement:

  • Prevents accidental detonation
  • Avoids sandbox execution
  • Limits analysis by defenders

Execution behavior

On launch, the ransomware:

  1. Validates the supplied password
  2. Enumerates all accessible drives using PowerShell
  3. Terminates security, backup, and database services
  4. Begins encryption

Encryption logic

  • Key exchange: X25519
  • Encryption algorithm: XChaCha20
  • Key handling: Unique per file
  • Small files (<1MB): Fully encrypted
  • Large files: Partial encryption (approx. 1–9%) for speed

Temporary encryption keys are discarded after use, making recovery impossible without the attacker’s private key.
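The partial-encryption detail above has a detection consequence worth seeing in numbers. The following is an added example (not code from the report or from the group): it compares whole-file and per-chunk Shannon entropy on a constructed document whose leading 5% has been overwritten with random bytes as a stand-in for XChaCha20 output. The page does not say which region of a large file the encryptor touches, so the leading-region placement and the 64 KiB chunk size are assumptions.

```python
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is the maximum and is what ciphertext or random data looks like."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def max_chunk_entropy(data: bytes, chunk: int = 64 * 1024) -> float:
    """Highest entropy of any fixed-size chunk; this is what exposes a partially encrypted file."""
    return max((shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)), default=0.0)

def partial_encrypt_stand_in(plain: bytes, fraction: float, rng: random.Random) -> bytes:
    """Overwrite a leading fraction with random bytes. Test-data generator only, NOT an encryptor;
    the leading-region placement is an assumption, the report does not state where the encryptor writes."""
    n = int(len(plain) * fraction)
    return rng.randbytes(n) + plain[n:]

# Constructed 4 MiB "document": repetitive, low-entropy text, as office and CAD exports often are.
PLAIN = (b"Quarterly production report: line 3 output nominal. " * 90_000)[:4 * 1024 * 1024]
RNG = random.Random(2025)                            # fixed seed so the numbers are reproducible
PARTIAL = partial_encrypt_stand_in(PLAIN, 0.05, RNG)   # 5%, inside the 1-9% range noted above

def verdicts() -> dict:
    """Whole-file entropy barely moves after partial encryption; the per-chunk maximum jumps to ~8."""
    return {
        "plain_whole": shannon_entropy(PLAIN),
        "partial_whole": shannon_entropy(PARTIAL),
        "partial_chunk_max": max_chunk_entropy(PARTIAL),
    }

if __name__ == "__main__":
    for name, value in verdicts().items():
        print(f"{name}: {value:.3f} bits/byte")
```

Compressed or natively encrypted formats (archives, JPEG, PDF streams) also score near 8 per chunk, so treat this as a corroborating signal beside the rename and ransom-note telemetry, not a standalone verdict.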


User-facing impact

  • Files renamed with extensions such as:
    • .7mtzhh
    • .gentlemen
  • Ransom note dropped:
    • README-GENTLEMEN.txt
  • Desktop wallpaper replaced with a warning screen

The note:

  • Offers free decryption of two files as proof
  • Threatens public data release on dark web sites

8. Data Exfiltration and Extortion

Before encryption, attackers:

  • Stage sensitive data
  • Compress and prepare it
  • Exfiltrate via encrypted channels

Tools and methods observed:

  • WinSCP
  • SFTP / SSH
  • AnyDesk (persistence and access)

Stolen data is later used for:

  • Extortion pressure
  • Leak site publication
  • Secondary monetization

9. Impact on Organizations

Operational impact

  • Factory production lines halt
  • Healthcare systems become unavailable
  • OT and ICS systems may go offline
  • Employees lose access to core business systems

Business risk

  • Regulatory exposure
  • Data privacy violations
  • Reputational damage
  • Prolonged recovery timelines

Without clean offline backups, recovery often requires full system rebuilds.


10. Indicators of Compromise (IOCs)

File and artifact indicators

  • README-GENTLEMEN.txt
  • Encrypted files with .7mtzhh or .gentlemen
  • ThrottleBlood.sys
  • All.exe
  • Allpatch2.exe
  • PowerRun.exe
  • WinSCP binaries in unusual locations
  • Advanced IP Scanner
  • Nmap binaries or scans

Command-line and behavioral indicators

Ransomware execution flags

  • --password
  • --path
  • --system

Defender tampering

Set-MpPreference -DisableRealtimeMonitoring $true
Add-MpPreference -ExclusionProcess <path>

Drive enumeration

Get-PSDrive

Log clearing

wevtutil cl Security
wevtutil cl System
wevtutil cl Application

Backup destruction

vssadmin delete shadows /all /quiet
wmic shadowcopy delete

Active Directory abuse

  • net user
  • Bulk group modifications
  • Domain admin enumeration

Hash-based indicators (examples)


Network indicators

  • Large outbound encrypted transfers
  • SFTP/SSH traffic from internal servers
  • Exfiltration IP observed:
    • 104.86.182[.]8

11. Detection and Threat Hunting Guidance

High-confidence alerts

  • Defender disabled across multiple hosts
  • Kernel driver loaded from user directories
  • Sudden mass execution of wevtutil or vssadmin
  • Execution of All.exe or Allpatch2.exe
  • Ransom note creation
  • Rapid file renaming activity

EDR hunting focus

Hunt for:

  1. BYOVD driver loads
  2. Admin tools executed from temp/download folders
  3. SFTP/WinSCP activity from servers
  4. AD enumeration outside admin workflows
  5. GPO changes shortly before encryption
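To turn the command-line, file and driver indicators from section 10 and the high-confidence alerts above into something a hunter can actually run, here is an added Python triage routine (not code from the report or from any vendor) over constructed endpoint telemetry. The event schema, host names, and the 20-renames-in-60-seconds threshold are assumptions; the patterns themselves come from the indicators listed in the report.

```python
import re
from collections import defaultdict

# Command-line patterns built from the section 10 indicators: Defender tampering, log clearing,
# backup destruction, and the encryptor's own flags.
CMDLINE_RULES = {
    "defender_realtime_disabled": re.compile(r"Set-MpPreference\s.*-DisableRealtimeMonitoring\s+\$true", re.I),
    "defender_exclusion_added": re.compile(r"Add-MpPreference\s.*-Exclusion(Process|Path|Extension)", re.I),
    "eventlog_cleared": re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
    "shadow_copies_deleted": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "encryptor_flags": re.compile(r"--password\s+\S+.*--(path|system)\b", re.I),
}
RANSOM_NOTE = "readme-gentlemen.txt"
ENCRYPTED_EXTS = (".7mtzhh", ".gentlemen")
RENAME_BURST, RENAME_WINDOW_S = 20, 60   # assumed threshold: this many renames in this window = mass encryption

def triage(events):
    """Return sorted (host, rule) pairs for events matching the indicators above."""
    alerts = set()
    renames = defaultdict(list)   # host -> timestamps of renames to an encrypted extension
    for e in events:
        host, kind = e["host"], e["type"]
        if kind == "process":
            for rule, rx in CMDLINE_RULES.items():
                if rx.search(e["cmdline"]):
                    alerts.add((host, rule))
        elif kind == "driver_load":
            path = e["path"].lower()   # kernel driver from a user profile, or the named BYOVD driver
            if path.startswith("c:\\users\\") or path.endswith("throttleblood.sys"):
                alerts.add((host, "byovd_driver_from_user_dir"))
        elif kind == "file_create" and e["path"].lower().endswith(RANSOM_NOTE):
            alerts.add((host, "ransom_note_dropped"))
        elif kind == "file_rename" and e["target"].lower().endswith(ENCRYPTED_EXTS):
            renames[host].append(e["ts"])
    for host, stamps in renames.items():   # sliding window over rename timestamps per host
        stamps.sort()
        if any(stamps[i + RENAME_BURST - 1] - stamps[i] <= RENAME_WINDOW_S
               for i in range(len(stamps) - RENAME_BURST + 1)):
            alerts.add((host, "mass_rename_to_encrypted_ext"))
    return sorted(alerts)

# Constructed sample telemetry (not real logs); "ts" is seconds since an arbitrary epoch.
SAMPLE = [
    {"host": "fs01", "type": "process", "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "fs01", "type": "process", "cmdline": "wevtutil.exe cl Security"},
    {"host": "fs01", "type": "driver_load", "path": "C:\\Users\\admin\\Downloads\\ThrottleBlood.sys"},
    {"host": "ws07", "type": "process", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws07", "type": "file_create", "path": "C:\\Users\\jdoe\\Desktop\\README-GENTLEMEN.txt"},
    {"host": "ws07", "type": "process", "cmdline": "Get-PSDrive"},   # benign on its own, not alerted
] + [{"host": "ws07", "type": "file_rename", "ts": i, "target": f"D:\\share\\doc{i}.docx.7mtzhh"} for i in range(25)]
```

Get-PSDrive is deliberately left unalerted: drive enumeration only becomes interesting next to the other rules on the same host, which is why the output is keyed by host.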

12. Immediate Mitigation Steps

  • Patch FortiGate and edge services immediately
  • Enforce MFA on all remote and admin access
  • Restrict kernel driver loading
  • Monitor and lock down GPO changes
  • Segment networks, especially OT and production
  • Keep offline, immutable backups
  • Block recon tools and unauthorized remote software

13. Final Takeaway

Gentlemen ransomware is a highly capable, enterprise-grade threat actor employing modern intrusion techniques and disciplined operations. Its use of kernel-level evasion, controlled encryption logic, and targeted victim selection places it among serious ransomware operators, not opportunistic criminals.

Organizations with exposed remote access, weak identity controls, or flat networks are at significant risk.

Aegiron
