Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed

MITRE Techniques

• [T1190] Exploit Public-Facing Application – Compromised FortiGate server and admin account via Nmap and exposed FortiGate (“Compromised FortiGate server and admin account via Nmap”).
• [T1078.002] Valid Accounts: Domain Accounts – Use of compromised domain accounts for domain-wide actions (“Compromised domain accounts”).
• [T1046] Network Service Discovery – Nmap executed for service discovery (“Nmap executed for service discovery”).
• [T1018] Remote System Discovery – Advanced IP Scanner used for network mapping (“Advanced IP Scanner used for network mapping”).
• [T1087.002] Account Discovery: Domain Account – Batch script 1.bat queried numerous domain user accounts (“Batch script querying multiple domain accounts”).
• [T1069.002] Permission Groups Discovery: Domain Groups – Enumeration of domain groups and local admin/virtualization groups (“Enumeration of domain groups”).
• [T1482] Domain Trust Discovery – PowerShell used to identify the PDC emulator (“(Get-ADDomain).PDCEmulator” and “Get-ADDomain | Select-Object PDCEmulator”).
• [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Use of cmd.exe to run commands and scripts (“Used cmd.exe to execute different commands”).
• [T1059.001] Command and Scripting Interpreter: PowerShell – Encoded and direct PowerShell used to deploy anti-AV and ransomware (“PowerShell commands used to deploy anti-av and ransomware”).
• [T1562.001] Impair Defenses: Disable or Modify Tools – Stopped security services using anti-AV tools and custom utilities (“Stopped security services using Anti-AV tools”).
• [T1014] Rootkit – Deployed a vulnerable signed driver for kernel-level process termination (“Deployed vulnerable driver for process termination”).
• [T1112] Modify Registry – Registry changes to weaken authentication, enable RDP, and persist (“Registry changes to weaken authentication”).
• [T1562.004] Impair Defenses: Disable or Modify System Firewall – Modified firewall settings to enable RDP remote access (“Modified firewall settings for RDP access”).
• [T1027] Obfuscated Files or Information – Execution of Base64-encoded PowerShell commands (“Execution of base64 encoded PowerShell commands”).
• [T1484.001] Domain or Tenant Policy Modification: Group Policy Modification – Use of GPMC/GPME and encoded PowerShell to deploy domain policies (“GPO manipulation for domain-wide impact”).
• [T1219] Remote Access Software – Installed and used AnyDesk for persistent remote access and C2 (“Installed AnyDesk for remote access.”).
• [T1021.002] Remote Services: SMB/Windows Admin Shares – Used PsExec and NETLOGON share for lateral movement and ransomware deployment (“Used PSExec for lateral movement” and “Ransomware deployed via NETLOGON share”).
• [T1021.001] Remote Services: Remote Desktop Protocol – Enabled RDP via registry modification (“Enabled RDP via registry modification”).
• [T1021.004] Remote Services: SSH – Possible use of PuTTY for SSH-based lateral movement (“Used PuTTY for SSH movement”).
• [T1074.001] Data Staged: Local Data Staging – Data staged in C:ProgramDatadata during collection (“Data staged in C:ProgramDatadata”).
• [T1039] Data from Network Shared Drive – WebDAV connections observed to internal shares (“WebDAV connections to internal shares”).
• [T1071.001] Application Layer Protocol: Web Protocols – WebDAV used for C2 and data movement (“WebDAV used for C&C server and data movement”).
• [T1048.001] Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol – Data exfiltrated using WinSCP (“Data exfiltrated using WinSCP”).
• [T1486] Data Encrypted for Impact – Ransomware encryption deployed across domain with .7mtzhh extension and README-GENTLEMEN.txt (“Ransomware deployed via NETLOGON share”).
• [T1489] Service Stop – Termination of many backup, database, and security services to maximize impact (“Termination of security services”).