Full Report
The Huntress SOC recently investigated two incidents involving The Gentlemen ransomware, an operation that first emerged in mid-2025 and has been very active since, with Ransomware.live tracking claims of over 400 victims across at least 70 countries. One notable aspect of earlier The Gentlemen incidents is the defense evasion strategy used by the threat actors deploying the ransomware: according to a Trend Micro report, they have used custom-built defense evasion tools and capabilities to disable security solutions. A leak of the operation's internal database in early May further revealed a set of tools dedicated to security tool evasion, along with techniques for abusing Windows logging.

The Gentlemen is a RaaS operation, so it is distributed by affiliates, and the observed attack chains will very often differ between intrusions. Our investigation into the two incidents where The Gentlemen was deployed nevertheless revealed several common TTPs, including the use of Scheduled Tasks and PowerShell.

We also saw some basic defense evasion: in both incidents the Security, System, and Application Event Logs were cleared, while, curiously, other Windows Event Logs were left untouched. The threat actors in these incidents also tried to evade antivirus solutions after their first attempt to deploy the encryptor was blocked.
Analysis Summary
# Incident Report: The Gentlemen Ransomware Defense Evasion Tactics
## Executive Summary
In April and May 2026, the Huntress SOC investigated two ransomware incidents linked to "The Gentlemen" RaaS operation. The threat actors used basic but effective defense evasion techniques: clearing the Security, System, and Application Event Logs (while leaving other channels intact) and, after the first encryptor deployment was blocked, attempting to disable antivirus protections via PowerShell. The operation as a whole claims over 400 victims globally; the two incidents examined here shared the use of Scheduled Tasks and PowerShell for persistence and deployment.
## Incident Details
- **Discovery Date:** April and May 2026
- **Incident Date:** Various dates across April and May 2026
- **Affected Organization:** Not Disclosed
- **Sector:** Various (Global operation impacting 70+ countries)
- **Geography:** International scope
## Timeline of Events
### Initial Access
- **Date/Time:** April 2026 (Incident 1); May 2026 (Incident 2)
- **Vector:** Not established for these two incidents; Huntress visibility began after the initial compromise.
- **Details:** Prior reporting on the group ties initial access to exploitation of edge appliances, including CVE-2024-55591 (Fortinet FortiOS/FortiProxy authentication bypass). Treat that as the group's known pattern, not as a confirmed entry point for these incidents.
### Lateral Movement
- **Method:** Use of Group Policy Objects (GPOs) to enable domain-wide attacks and the abuse of legitimate Remote Access tools like AnyDesk.
### Data Exfiltration/Impact
- **Impact:** File encryption after an initial, blocked deployment attempt; clearing of the Security, System, and Application logs to hinder forensics.
### Detection & Response
- **Discovery:** Huntress visibility began post-compromise, when agents were deployed during the response to ransomware activity already under way.
- **Response:** Forensic analysis of the Windows Event Log channels that survived the clearing, and identification of the PowerShell scripts used for AV evasion.
## Attack Methodology
- **Initial Access:** Vulnerability exploitation (e.g., Fortinet appliances).
- **Persistence:** Scheduled Tasks and installation of remote access software (AnyDesk).
- **Privilege Escalation:** Not specifically detailed, though GPO abuse implies high-level access.
- **Defense Evasion:** Observed in these incidents: clearing the Security, System, and Application Event Logs (other channels left intact) and, after the first encryptor deployment was blocked, PowerShell commands to disable Microsoft Defender and add exclusions. Reported in earlier The Gentlemen incidents: custom-built evasion tools and abuse of legitimate signed drivers (BYOVD).
- **Discovery:** Usage of reconnaissance commands to map the network environment.
- **Lateral Movement:** GPO-based deployment and AnyDesk.
- **Impact:** Data encryption (Locker) and log wiping.
## Impact Assessment
- **Financial:** High (Ransom demands typical of RaaS operations).
- **Data Breach:** The operation claims 400+ victims overall; the report does not specify what data, if any, was exfiltrated in these two incidents.
- **Operational:** Business disruption due to encrypted file systems and disabled security infrastructure.
- **Reputational:** Significant, given the group's public victim claims, which trackers such as Ransomware.live aggregate.
## Indicators of Compromise
- **Network:** Tox messaging IDs tied to the operation's administrator (none reproduced in this summary).
- **File:** Custom encryptor "locker" binaries (Specific hashes not provided in summary).
- **Behavioral:**
- Clearing of the Security, System, and Application logs while other channels remain intact. Clearing Security writes Event ID 1102 as the first record of the emptied log, and clearing System or Application writes Event ID 104 into the System log, so the clearing itself leaves a marker.
- PowerShell-based modification of Defender settings.
- Creation of persistence via Scheduled Tasks.
## Response Actions
- **Containment:** Disabling compromised accounts and revoking unauthorized GPOs.
- **Eradication:** Removal of AnyDesk and other remote access tools used for persistence.
- **Recovery:** Restoration from backups (where available) after clearing persistent Scheduled Tasks.
## Lessons Learned
- **Visibility Gaps:** Deployment of EDR/MDR *after* an incident limits the ability to trace the exact moment of initial access.
- **Selective Log Wiping:** The actors cleared only the three classic logs (Security, System, Application), the ones `wevtutil cl` and `Clear-EventLog` are most often pointed at. Channels such as PowerShell/Operational, TaskScheduler/Operational, and Windows Defender/Operational were left intact and still held usable artifacts, so a cleared Security log is not the end of the investigation.
- **Affiliate Variation:** As a RaaS, TTPs vary between affiliates, so defense in depth is required rather than looking for a single "signature."
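The defense-evasion and persistence behaviours listed under Attack Methodology and Indicators of Compromise (selective log clearing, Defender tampering, Scheduled Task persistence), together with the surviving-channel point above, can be triaged on a suspect host with the following PowerShell. It is an added example, not Huntress tooling or code from the report. It assumes an elevated PowerShell 5.1+ session on the host; the channel names, event IDs, and cmdlets used are standard Windows ones.

```powershell
# Added triage example (not Huntress tooling or code from the report). Run in an elevated
# PowerShell 5.1+ session on the suspect host; channel names and event IDs are standard
# Windows values. Each section maps to one TTP described in the report.

$classicLogs  = 'Security', 'System', 'Application'
$survivorLogs = 'Microsoft-Windows-PowerShell/Operational',
                'Microsoft-Windows-TaskScheduler/Operational',
                'Microsoft-Windows-Windows Defender/Operational'
$firstLine    = @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } }

Write-Host "`n== 1. Which logs were cleared, and when? =="
# Clearing Security leaves Event ID 1102 as the first record of the emptied log; clearing
# System or Application writes Event ID 104 into System. The oldest surviving record per
# channel is a second signal: a classic log whose history starts long after an untouched
# channel's has been wiped, even if the marker events were later removed.
($classicLogs + $survivorLogs) | ForEach-Object {
    $first = Get-WinEvent -LogName $_ -MaxEvents 1 -Oldest -ErrorAction SilentlyContinue
    [pscustomobject]@{ Log = $_; OldestRecord = $first.TimeCreated }
} | Sort-Object OldestRecord | Format-Table -AutoSize

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, $firstLine
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104 } `
    -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, $firstLine

Write-Host "`n== 2. Defender tampering =="
# 5001 = real-time protection disabled, 5007 = configuration changed (new exclusions show
# up here with old/new values), 5013 = Tamper Protection blocked a change.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5007, 5013 } `
    -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message | Format-List
# Current state: any Exclusion* entry the organisation did not set is a finding.
Get-MpPreference | Select-Object DisableRealtimeMonitoring, DisableBehaviorMonitoring,
    ExclusionPath, ExclusionExtension, ExclusionProcess | Format-List
Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled, IsTamperProtected, AntivirusSignatureLastUpdated
# Script block logging (4104) lives in a channel the actors left alone. Even without the
# policy enabled, PowerShell 5+ records blocks it considers suspicious at Warning level.
$pattern = 'Set-MpPreference|Add-MpPreference|Clear-EventLog|wevtutil|Register-ScheduledTask|schtasks'
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } } | Format-List

Write-Host "`n== 3. Scheduled Task persistence =="
# Tasks outside \Microsoft\ whose action is a script interpreter, a LOLBin or an odd path.
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Task    = $_.TaskPath + $_.TaskName
        State   = $_.State
        RunAs   = $_.Principal.UserId
        Action  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        LastRun = $info.LastRunTime
    }
} | Format-Table -AutoSize -Wrap
# Registration events: Security 4698 needs Other Object Access auditing and was cleared in
# these incidents anyway; TaskScheduler/Operational 106 survives but the channel is off by default.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, $firstLine
```

Read section 1 first: if Security, System, and Application all start within minutes of each other while PowerShell/Operational goes back weeks, the clearing time is also a good lower bound for when the actor had administrative access, and sections 2 and 3 should be scoped to that window.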
## Recommendations
- **Patch Management:** Prioritize edge appliance patching, including CVE-2024-55591 on Fortinet FortiOS/FortiProxy.
- **Hardening:** Enforce PowerShell Constrained Language Mode through AppLocker or WDAC, enable script block logging, keep Defender Tamper Protection on, and forward Event Logs to a collector. Local administrators can always clear local logs, so forwarding, plus alerting on the clear itself, is the practical control.
- **Monitoring:** Alert on `wevtutil.exe cl` and `Clear-EventLog`, on Security Event ID 1102 and System Event ID 104 (log cleared), on `Set-MpPreference`/`Add-MpPreference` in script block logs, and on Windows Defender/Operational Event IDs 5001 (real-time protection disabled) and 5007 (configuration changed).
- **Egress Filtering:** Restrict unauthorized remote access software (e.g., AnyDesk) at the network level.
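The hardening and monitoring items above, as one added PowerShell configuration example that is not part of the original report. It assumes an elevated session on a domain-joined host (each setting can equally be pushed by GPO); `collector.example.internal` is a placeholder WEF collector name; and Constrained Language Mode is only verified, since enforcing it requires an AppLocker or WDAC policy. Network-level egress filtering is a perimeter control and is not covered here.

```powershell
# Added hardening example, not from the Huntress report. Run elevated on a domain-joined
# host. collector.example.internal is a placeholder collector; the registry paths, channels
# and audit subcategories are the standard Windows ones.

# 1. Forward logs so a local "wevtutil cl" or Clear-EventLog does not destroy the record
#    (source-initiated Windows Event Forwarding).
$wefKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $wefKey -Force | Out-Null
Set-ItemProperty -Path $wefKey -Name '1' -Type String `
    -Value 'Server=http://collector.example.internal:5985/wsman/SubscriptionManager/WEC,Refresh=60'
# The forwarder runs as NETWORK SERVICE, which cannot read the Security log by default.
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE' -ErrorAction SilentlyContinue
Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM

# 2. Script block logging. PowerShell/Operational was a channel the actors did not clear;
#    with this policy every block is recorded (4104), not only ones PowerShell flags itself.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Type DWord -Value 1

# 3. Scheduled Task visibility: 4698 (task created) in Security needs the Other Object
#    Access subcategory; 106/140/141 (registered/updated/deleted) need the TaskScheduler
#    operational channel, which is disabled by default.
auditpol /set /subcategory:"Other Object Access Events" /success:enable | Out-Null
wevtutil sl Microsoft-Windows-TaskScheduler/Operational /e:true

# 4. Defender. Tamper Protection is what makes "Set-MpPreference -DisableRealtimeMonitoring"
#    fail; it is configured through the Windows Security app, Intune or MDE, so only verify it.
$status = Get-MpComputerStatus
if (-not $status.IsTamperProtected) {
    Write-Warning 'Tamper Protection is OFF: Set-MpPreference can disable real-time protection.'
}
if (-not $status.RealTimeProtectionEnabled) {
    Write-Warning 'Real-time protection is currently disabled.'
}

# 5. Constrained Language Mode is applied per user by an AppLocker/WDAC policy; check the
#    session you are in rather than assuming it is enforced.
$mode = $ExecutionContext.SessionState.LanguageMode
if ($mode -ne 'ConstrainedLanguage') {
    Write-Warning "LanguageMode is $mode; Constrained Language Mode is not enforced for this user."
}

gpupdate /force | Out-Null   # apply the policy keys written above
```

After the refresh, `Get-WinEvent -LogName Microsoft-Windows-Eventlog-ForwardingPlugin/Operational` on the source shows whether it reached the collector; until that shows a successful subscription, a cleared local log is still a lost log.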