Full Report
Cybereason Threat Intelligence Team recently conducted an analysis of "The Gentlemen" ransomware group, which emerged around July 2025 as a ransomware threat actor group with relatively advanced methodologies. The Gentlemen group employs a dual-extortion strategy: it not only encrypts sensitive files but also exfiltrates critical business data and threatens to publish it on dark web leak sites unless a ransom is paid. The group combines established ransomware techniques with newer strategies, which makes it quick to adapt to new attack vectors and allows it to remain a persistent and evolving threat to organizations worldwide.
Analysis Summary
# Threat Actor: The Gentlemen
## Attribution & Identity
* **Identification:** Ransomware threat actor group analyzed by the Cybereason Threat Intelligence Team.
* **Aliases/Associated Groups:** None explicitly mentioned, though they experimented with affiliate models used by other prominent ransomware groups before launching their own RaaS.
## Activity Summary
* **Emergence:** Active around July 2025.
* **Initial Campaign Data:** Began publishing victim data on their dark web leak site in September and October 2025 (48 victims noted).
* **Operational Model:** Operates as a Ransomware-as-a-Service (RaaS) solution, offering highly configurable features for affiliates.
* **Historical Growth:** Previously experimented with various affiliate models before developing their own RaaS platform.
## Tactics, Techniques & Procedures
The group employs advanced **Dual-Extortion** tactics: encrypting data and exfiltrating critical business information with threats of public release. They demonstrate quick adaptation by combining established and newer strategies.
* **Execution:**
* T1059.001 – Command and Scripting Interpreter: PowerShell
* T1569.002 – System Services: Service Execution
* **Persistence:**
* T1547.001 – Registry Run Keys / Startup Folder (Windows)
* Automatic self-restart on boot (Windows and Linux autostart via system-level mechanisms).
* Leverages `schtasks` for persistence.
* **Defense Evasion:**
* T1070.004 – Indicator Removal on Host: File Deletion
* T1070.001 – Indicator Removal on Host: Clear Windows Event Logs
* T1562 – Impair Defenses
* T1562.001 – Impair Defenses: Disable or Modify Security Tools
* T1222 – File and Directory Permissions Modification
* T1218 – System Binary Proxy Execution (abuse of trusted, signed Windows utilities such as `vssadmin`, `wevtutil`, and `taskkill`, which also blends the activity in with legitimate administration).
* **Discovery:**
* T1083 – File and Directory Discovery
* T1135 – Network Share Discovery
* T1018 – Remote System Discovery
* **Lateral Movement:**
* T1047 – Windows Management Instrumentation (WMI)
* T1021.002 – Remote Services: SMB/Windows Admin Shares
* **Impact:**
* T1486 – Data Encrypted for Impact
* T1489 – Service Stop
* T1490 – Inhibit System Recovery (uses a "wipe-after" mechanism that securely wipes free disk space after encryption, so the deleted plaintext originals cannot be recovered with file-carving tools).
**Specific Ransomware Enhancements:**
* Supports flexible encryption speeds and propagation via WMI, PowerShell Remoting, and SC (Service Control).
* Targets local disks, network-shared drives, removable drives, and mapped drives.
* Preserves original file modification dates.
* Linux variants include privilege escalation capability (user to root) and silent mode (`-silent`).
* ESXi variants optimized for encrypting clustered hosts, including vSAN storage.
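Most of the techniques listed above (shadow-copy deletion, event-log clearing, termination of security tools, Run-key and `schtasks` persistence, and propagation via WMI, PowerShell Remoting and SC) leave a distinctive process-creation trail. The following detection sketch is an added example and is not Cybereason's code or a published signature set: it runs a small rule table over constructed Sysmon EID 1 / Security 4688 style process events, then correlates hits per host, because a single `vssadmin delete shadows` is noisy in isolation but recovery inhibition plus log clearing plus tool tampering on one box is the pre-encryption pattern described in the report. The rule names, regexes, product names in the `taskkill` rule and the sample hostnames are all assumptions; the ATT&CK IDs not listed in the report (T1053.005, T1021.006) are noted in comments.

```python
"""Process-creation detections for the command-line TTPs in the report.

Added example, not Cybereason's code. Patterns and events are constructed
assumptions for illustration; tune them to your own telemetry.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str      # ATT&CK ID; those absent from the report are flagged below
    pattern: re.Pattern


RULES = [
    Rule("shadow_copy_deletion", "T1490",
         re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    Rule("wmic_shadowcopy_deletion", "T1490",
         re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    Rule("event_log_clear", "T1070.001",
         re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    # Security product process names are an assumption; extend for your EDR/AV.
    Rule("security_tool_kill", "T1562.001",
         re.compile(r"\btaskkill(\.exe)?\b.*/im\s+\S*(msmpeng|cybereason|sentinel|csfalcon)\S*", re.I)),
    Rule("run_key_persistence", "T1547.001",
         re.compile(r"\breg(\.exe)?\s+add\b.*\\currentversion\\run\b", re.I)),
    # T1053.005 (Scheduled Task) is the ATT&CK ID for the schtasks persistence the report describes.
    Rule("schtasks_persistence", "T1053.005",
         re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
    # Remote service creation/start via sc.exe: the "SC" propagation path.
    Rule("remote_service_create", "T1569.002",
         re.compile(r"\bsc(\.exe)?\s+\\\\\S+\s+(create|start)\b", re.I)),
    Rule("wmi_remote_process", "T1047",
         re.compile(r"\bwmic(\.exe)?\s+/node:\S+.*\bprocess\s+call\s+create\b", re.I)),
    # T1021.006 (WinRM) is the ATT&CK ID for the PowerShell Remoting propagation the report names.
    Rule("psremoting_exec", "T1021.006",
         re.compile(r"\b(invoke-command|enter-pssession)\b.*-computername\b", re.I)),
]

# Constructed process-creation events (host, user, command line). Benign lookalikes
# on WS01 (list shadows, query logs, killing notepad) must not fire.
EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "cmd": "vssadmin.exe list shadows"},
    {"host": "FS02", "user": "NT AUTHORITY\\SYSTEM", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS02", "user": "NT AUTHORITY\\SYSTEM", "cmd": "wevtutil.exe cl Security"},
    {"host": "FS02", "user": "NT AUTHORITY\\SYSTEM", "cmd": "taskkill.exe /f /im MsMpEng.exe"},
    {"host": "FS02", "user": "NT AUTHORITY\\SYSTEM",
     "cmd": "reg.exe add HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /t REG_SZ /d C:\\ProgramData\\upd.exe"},
    {"host": "FS02", "user": "CORP\\svc_backup",
     "cmd": "sc.exe \\\\FS03 create lock binPath= C:\\ProgramData\\upd.exe start= auto"},
    {"host": "FS02", "user": "CORP\\svc_backup",
     "cmd": "wmic.exe /node:FS04 process call create \"cmd /c C:\\ProgramData\\upd.exe\""},
    {"host": "WS01", "user": "CORP\\jdoe", "cmd": "wevtutil.exe qe Application /c:5"},
    {"host": "WS01", "user": "CORP\\jdoe", "cmd": "taskkill.exe /im notepad.exe"},
    {"host": "DC01", "user": "CORP\\admin",
     "cmd": "schtasks.exe /create /tn Updater /tr C:\\ProgramData\\upd.exe /sc onstart /ru SYSTEM"},
    {"host": "DC01", "user": "CORP\\admin",
     "cmd": "powershell.exe -nop -c Invoke-Command -ComputerName FS05 -FilePath C:\\ProgramData\\upd.ps1"},
]


def scan(events):
    """Return one hit dict per (event, rule) match, in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            if rule.pattern.search(ev["cmd"]):
                hits.append({"host": ev["host"], "user": ev["user"], "rule": rule.name,
                             "technique": rule.technique, "cmd": ev["cmd"]})
    return hits


def correlate(hits, threshold=3):
    """Map host -> sorted distinct techniques for hosts at or above the threshold.

    Several distinct techniques on one host within a short window is the staging
    pattern to page on; a lone hit is a ticket, not an incident.
    """
    by_host = defaultdict(set)
    for h in hits:
        by_host[h["host"]].add(h["technique"])
    return {host: sorted(techs) for host, techs in by_host.items() if len(techs) >= threshold}


if __name__ == "__main__":
    found = scan(EVENTS)
    for h in found:
        print(f'{h["host"]:5} {h["technique"]:10} {h["rule"]:24} {h["cmd"]}')
    print("escalate:", correlate(found))
```

Run against real telemetry, feed `scan()` the command-line field of your process-creation events and add the parent image and a timestamp to the hit so `correlate()` can window by time rather than by host alone; the free-space "wipe-after" step has no command-line signature and is better caught by the disk-write volume and shadow-copy protection controls in the Mitigations section.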
## Targeting
* **Sectors:** Global organizations; the analysis identifies no particular sector focus.
* **Geography:** Worldwide.
* **Victims:** The group has publicly listed 48 victims on its dark web leak site as of late 2025. The analysis does not name specific organizations.
## Tools & Infrastructure
* **Malware Families Used:** The Gentlemen Ransomware (Win/Linux/ESXi locker variants).
* **Infrastructure:** Promoted via cybercrime forums as a RaaS.
## Implications
The Gentlemen represent an **evolving and persistent threat** due to their advanced methodologies and quick adaptation to new attack vectors. Their RaaS model suggests an intent to scale operations through affiliates. The technical sophistication, demonstrated by persistence mechanisms (self-restart), stealth execution, and specialized optimization for ESXi environments, positions them as a high-tier threat actor capable of targeting an organization's entire infrastructure, including virtual environments.
## Mitigations
* Keep systems fully patched to mitigate known vulnerabilities.
* Immediately involve Incident Response services upon detection of nefarious activity for thorough investigation and containment.
* **Endpoint Defense Configuration (Cybereason Specific):**
* Enable Anti-Malware and set the mode to Prevent, Quarantine, or Disinfect.
* Enable Anti-Ransomware (PRP) and set to Quarantine mode, ensuring shadow copy protection is enabled.
* Enable Application Control.
* Enable Variant Payload Prevention with Prevent mode on Behavioral execution prevention.