The Gentlemen Ransomware

MITRE Techniques

• [T1059.001] Command and Scripting Interpreter – PowerShell commands executed remotely via Invoke-Command to disable Defender and add exclusions: “Invoke-Command -ComputerName %s -ScriptBlock { Set-MpPreference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionPath ‘C:’; Add-MpPreference -ExclusionProcess ‘%s’ }”
• [T1569.002] System Services: Service Execution – Uses schtasks and SC (Service Control) to schedule and control execution and propagation across systems (“Implements automatic self-restart at run-on-boot, leveraging schtasks and registry entries.”)
• [T1547.001] Registry Run Keys / Startup Folder – Writes to HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun and HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun for persistence (registry autorun locations referenced).
• [T1070.004] Indicator Removal on Host: File Deletion – Executes commands to delete logs and telemetry such as prefetch and Defender support files (“del /f /q %SystemRoot%System32LogFilesRDP**.* del /f /q C:ProgramDataMicrosoftWindows DefenderSupport*.* del /f /q C:WindowsPrefetch*.*”).
• [T1070.001] Indicator Removal on Host: Clear Windows Event Logs – Anti‑forensics actions include clearing or removing system artifacts to hinder investigation (“These commands are explicit anti-forensics actions that erase evidence of interactive access…”).
• [T1562.001] Impair Defenses: Disable or Modify Security Tools – Disables Defender real‑time monitoring and adds exclusions via Set‑MpPreference/Add‑MpPreference (“Set-MpPreference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionPath ‘C:’”).
• [T1222] File and Directory Permissions Modification – Uses icacls to change permissions, granting Everyone full control to support wide access (“icacls /grant *S-1-1-0:(OI)(CI)F”).
• [T1218] System Binary Proxy Execution – Leverages trusted utilities and system binaries for execution and tasks (use of SCHTASKS, SC, WMI, and PowerShell remoting described in propagation/persistence features).
• [T1083] File and Directory Discovery – Enumerates volumes and cluster shared volumes to identify targets before encryption (“$volumes+=Get-WmiObject -Class Win32_Volume|Where-Object{$_.Name -like ‘*:*’}…Get-ClusterSharedVolume”).
• [T1135] Network Share Discovery – Maps and enumerates network shares/UNC paths for encryption and lateral movement (supports –shares and maps shares / UNC in options).
• [T1018] Remote System Discovery – Uses WMI and remote process creation to discover and execute on remote hosts (“$p = [WMICLASS]”%srootcimv2:Win32_Process”; $p.Create(“%s”)”).
• [T1047] Windows Management Instrumentation (WMI) – Employs WMI for process creation and lateral movement across hosts (“$p = [WMICLASS]”%srootcimv2:Win32_Process”; $p.Create(“%s”)”).
• [T1021.002] Remote Services: SMB/Windows Admin Shares – Propagates via SMB and admin shares to spread to other systems and access network paths (flags and behavior support mapping shares and encrypting UNC paths).
• [T1486] Data Encrypted for Impact – Encrypts local and network drives, removable drives, and ESXi instances to render data inaccessible and maximize impact (encryption of local disks, mapped drives, and ESXi servers described).
• [T1489] Service Stop – Contains a kill list to stop backup, DB, and virtualization services prior to encryption (processes like sqlservr, veeam, vmms targeted for stop/killing).
• [T1490] Inhibit System Recovery – Uses wipe-after free space wiping and shadow copy protection evasion to prevent recovery (“wipe-after mechanism to securely remove free disk space after encryption” and recommendations to enable shadow copy protection imply evasion).