Emulating the Gentlemen Ransomware

The Gentlemen is a ransomware and data extortion group active since July 2025 that uses double extortion, dedicated leak sites, and mature tradecraft such as GPO abuse, encrypted exfiltration, and defense evasion. AttackIQ released emulations of its TTPs to help organizations validate detection and prevention against the group’s Windows, Linux, and ESXi-focused operations.

Key points

  • The Gentlemen has been active since July 2025 and operates as a ransomware and data extortion group.
  • It uses a double-extortion model, combining file encryption with data theft and a leak site to pressure victims.
  • The group shows advanced tradecraft, including reconnaissance, GPO abuse, and encrypted exfiltration through tools like WinSCP.
  • Its ransomware targets Windows, Linux, and ESXi environments, and the Windows version is written in Go with a hardcoded plaintext password.
  • The group uses defense evasion methods such as disabling Microsoft Defender, deleting shadow copies, and abusing legitimate drivers.
  • AttackIQ published two emulations to reproduce The Gentlemen’s TTPs and help customers test security controls and response readiness.
  • The activity has particularly affected manufacturing, construction, healthcare, and insurance sectors in Asia-Pacific and South America.

MITRE Techniques

  • [T1105] Ingress Tool Transfer – The sample is downloaded to memory and saved to disk to test delivery controls. [‘is first downloaded to memory and then saved to disk’]
  • [T1082] System Information Discovery – The malware gathers system details with GetSystemInfo and WMI to profile the host. [‘retrieve system information’ / ‘gathering system details’]
  • [T1053.005] Scheduled Task – Persistence is created by making a scheduled task that runs at startup. [‘A Scheduled Task is created to execute at system startup’]
  • [T1547.001] Registry Run Keys / Startup Folder – Persistence is established by adding a Run registry key entry. [‘A Registry Run key is added for user-level persistence’]
  • [T1543.003] Create or Modify System Process – A new service is created with sc.exe to maintain persistence. [‘a new service is created’]
  • [T1562.001] Impair Defenses – Windows Defender real-time monitoring is disabled and exclusions are added. [‘turns off Microsoft Defender real-time monitoring’ / ‘adds exclusions’]
  • [T1686] Remote Services: Windows Management Instrumentation / Firewall Rule Group Manipulation – Firewall rule groups are enabled to improve network communication. [‘enables Network Discovery firewall rules’]
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell is used to import modules and run administrative commands. [‘imports the ServerManager module via PowerShell’]
  • [T1482] Domain Trust Discovery – Active Directory domain information is queried to understand the environment. [‘query domain information using Get-ADDomain’]
  • [T1018] Remote System Discovery – Domain-joined computers are enumerated for later movement. [‘enumerates domain-joined computers’]
  • [T1021] Remote Services: SMB/Windows Admin Shares – A network share is created for access and propagation. [‘creates a network share with full access for all users’]
  • [T1222.001] File and Directory Permissions Modification – icacls is used to grant Full rights and weaken access controls. [‘grant explicit Full (F) rights’]
  • [T1135] Network Share Discovery / LanmanServer Configuration Manipulation – Registry settings are changed to enable anonymous access to a share. [‘modify the registry value NullSessionShares’]
  • [T1556.009] Modify Authentication Process: Network Account Discovery or Anonymous Logon – Anonymous logon settings are weakened through registry changes. [‘enable anonymous logons to the Everyone group’ / ‘reduce restrictions on anonymous logons’]
  • [T1047] Windows Management Instrumentation – WMI is used to create and run a process on a remote system. [‘execute a binary by creating a process using Windows Management Instrumentation’]
  • [T1120] Peripheral Device Discovery / File System Discovery via Drives – Drives are listed to identify accessible storage. [‘list all the data drives from the host’]
  • [T1685] SMB/OS Credential Relay and SMBv1 Enablement – Deprecated SMBv1 support is enabled for legacy communication. [‘enable support for the deprecated SMBv1 protocol’]
  • [T1049] System Network Configuration Discovery – Network resources are enumerated from the local computer. [‘enumerate network resources from the local computer’]
  • [T1083] File and Directory Discovery – Files and directories are enumerated with FindFirstFileW/FindNextFileW. [‘enumerate the file system’]
  • [T1490] Inhibit System Recovery – Volume shadow copies are deleted to block recovery. [‘delete a Volume Shadow Copy’]
  • [T1070.001] Clear Windows Event Logs – Event logs are erased to remove traces. [‘clear event logs from the system’]
  • [T1486] Data Encrypted for Impact – Files are encrypted in place using XChaCha20 and Curve25519. [‘encrypts files’ / ‘encrypted in place’]
  • [T1112] Modify Registry – Registry keys are changed to weaken NTLM and RDP security settings. [‘set the RestrictSendingNTLMTraffic registry value to 0’]
  • [T1069] Permission Groups Discovery: Local Groups – Local administrator groups are enumerated. [‘enumerate a local permission group’]
  • [T1087.001] Account Discovery: Local Account – User accounts are enumerated with net user. [‘enumerate available accounts on the system’]
  • [T1087.002] Domain Account Discovery: Domain Groups – Domain administrator accounts are listed with net group. [‘list domain administrator accounts’]
  • [T1082] System Information Discovery – Systeminfo and query session are used to collect host and session details. [‘collect information about the compromised system’]
  • [T1033] System Owner/User Discovery – whoami is used to identify the current user. [‘receive details of the running user account’]
  • [T1057] Process Discovery – Running processes are enumerated with tasklist. [‘enumerates processes running on the target asset’]

Indicators of Compromise

  • [File Hashes] Malware samples used in the assessments – SHA256 3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235, SHA256 4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71, and SHA256 7a311b584497e8133cd85950fec6132904dd5b02388a9feed3f5e057fb891d09
  • [Registry Keys/Values] Persistence, anonymous access, and defense evasion settings – HKLM\Software\Microsoft\Windows\CurrentVersion\Run, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares, and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous
  • [File/Directory Paths] Defender exclusion and temporary paths – %TEMP%\aiq-temp-exclusion and C:
  • [Command-Line Tools] Tools used for persistence, discovery, and impact – schtasks, sc.exe, wmic.exe, vssadmin.exe, wevtutil.exe, and net.exe
  • [Windows APIs] API functions used for discovery and encryption workflow – GetSystemInfo, GetVolumeNameForVolumeMountPointA, WNetOpenEnumW, FindFirstFileW, and FindNextFileW
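The technique list and the indicator list above describe what the emulation does, but not how a defender would confirm that telemetry actually captures it. The following Python script is an added example written for this summary, not AttackIQ's code and not part of the original post. It runs a small set of command-line detection rules, keyed to the technique IDs listed above, over constructed Sysmon-style process-creation records, then aggregates hits per host so that a lone discovery command (net user) is not scored like the chained impact, evasion and persistence behaviour the emulation reproduces. A second function checks a constructed registry snapshot against the weakened settings named in the IoC list (NullSessionShares, EveryoneIncludesAnonymous, Run key entries). Host names, the Updater task name, the svc.exe path and the snapshot values are all hypothetical; on a real host the snapshot would be read from the registry rather than embedded.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation records (hypothetical hosts); the
# command lines mirror the tooling named in the emulation summary above.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "cmd": "wevtutil.exe cl Security"},
    {"host": "ws01", "cmd": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "ws01", "cmd": r"reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v NullSessionShares /t REG_MULTI_SZ /d share /f"},
    {"host": "ws02", "cmd": r"schtasks /create /tn Updater /sc onstart /tr C:\Users\Public\svc.exe"},
    {"host": "ws03", "cmd": "net user"},
    {"host": "ws04", "cmd": "wevtutil.exe qe System /c:5"},  # benign log query, must not fire
]

# (technique, stage, pattern): the stage groups techniques so a single
# discovery command is not treated like a full intrusion chain.
RULES = [
    ("T1490",     "impact",      r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("T1070.001", "evasion",     r"wevtutil(\.exe)?\s+cl\b"),
    ("T1562.001", "evasion",     r"Set-MpPreference\s+-(DisableRealtimeMonitoring|ExclusionPath)"),
    ("T1053.005", "persistence", r"schtasks(\.exe)?\s+/create\b.*/sc\s+onstart"),
    ("T1543.003", "persistence", r"\bsc(\.exe)?\s+create\b"),
    ("T1547.001", "persistence", r"reg(\.exe)?\s+add\b.*CurrentVersion\\Run\b"),
    ("T1135",     "access",      r"NullSessionShares"),
    ("T1556.009", "access",      r"EveryoneIncludesAnonymous"),
    ("T1112",     "access",      r"RestrictSendingNTLMTraffic"),
    ("T1021",     "access",      r"net(\.exe)?\s+share\b.*everyone"),
    ("T1222.001", "access",      r"icacls(\.exe)?\b.*/grant\b"),
    ("T1047",     "execution",   r"wmic(\.exe)?\b.*process\s+call\s+create"),
    ("T1087.001", "discovery",   r"net(\.exe)?\s+user\s*$"),
]
COMPILED = [(tid, stage, re.compile(pat, re.I)) for tid, stage, pat in RULES]


def match_event(cmd):
    """Return the (technique, stage) pairs whose pattern matches one command line."""
    return [(tid, stage) for tid, stage, rx in COMPILED if rx.search(cmd)]


def detect(events):
    """Run every rule over every event; returns (host, technique, stage, cmd) hits."""
    hits = []
    for ev in events:
        for tid, stage in match_event(ev["cmd"]):
            hits.append((ev["host"], tid, stage, ev["cmd"]))
    return hits


def score_hosts(hits, min_stages=2):
    """Group hits per host and flag hosts showing at least min_stages distinct
    non-discovery stages, i.e. chained behaviour rather than a lone enumeration."""
    stages = defaultdict(set)
    for host, _tid, stage, _cmd in hits:
        if stage != "discovery":
            stages[host].add(stage)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}


# Constructed registry snapshot (value path -> data) for the IoC values listed
# above; a real check would read these with winreg instead of embedding them.
SAMPLE_REGISTRY = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares": ["share"],
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous": 1,
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater": r"C:\Users\Public\svc.exe",
}


def check_registry(snapshot):
    """Return (technique, value path) findings for values matching the weakened
    settings in the IoC list: a populated NullSessionShares, a non-zero
    EveryoneIncludesAnonymous, or a Run entry pointing into a temp/public path."""
    findings = []
    for path, data in snapshot.items():
        name = path.rsplit("\\", 1)[-1]
        if name == "NullSessionShares" and data:
            findings.append(("T1135", path))
        elif name == "EveryoneIncludesAnonymous" and data != 0:
            findings.append(("T1556.009", path))
        elif "\\CurrentVersion\\Run\\" in path and re.search(r"\\(Users\\Public|Temp)\\", str(data), re.I):
            findings.append(("T1547.001", path))
    return findings


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("flagged hosts:", score_hosts(hits))
    print("registry findings:", check_registry(SAMPLE_REGISTRY))
```

Running the script flags only ws01, where impact, evasion and access-weakening commands appear together, while ws02 (a single persistence hit) and ws03 (discovery only) stay below the threshold; the benign wevtutil query on ws04 matches nothing. The patterns are deliberately narrow; when validating the emulation against real telemetry, the useful check is whether each technique ID in the list above produces at least one hit from the logs the SIEM actually receives.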


Read more: https://www.attackiq.com/2026/05/22/gentlemen-ransomware/