Summary
The Gentlemen ransomware represents a sophisticated, highly adaptive threat that emerged in August 2025. This group demonstrates advanced capabilities through systematic enterprise compromise, custom tool development, and targeted defense evasion techniques specifically designed to bypass security solutions.

Key Statistics:
- 17 Countries targeted across multiple regions
- 4+ Primary Industries (Manufacturing, Construction, Healthcare, Insurance)
- 60+ Services systematically terminated during attacks
- 100+ Processes killed to disable security and backup solutions
Target Profile
- Primary Targets: Manufacturing, Construction, Healthcare, Insurance
- Geographic Focus: Asia-Pacific region (Thailand, United States)
- Attack Vector: Internet-facing services, compromised credentials, vulnerable FortiGate appliances
- Victim Impact: Organizations across 17 countries with focus on critical infrastructure and essential services
Threat Actor Profile
- Experience Level: Advanced – demonstrates sophisticated understanding of enterprise environments
- Operational Security: High – uses encrypted channels, removes artifacts, adapts tools
- Target Selection: Strategic – focuses on critical infrastructure and high-value industries
- Tool Development: Custom – develops tailored tools for specific security solutions
Campaign Characteristics
- Persistence: Long-term campaign with systematic approach
- Adaptability: Mid-campaign tool evolution and technique refinement
- Impact Focus: Double extortion model with data theft and encryption
- Geographic Spread: Global reach with Asia-Pacific concentration
MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique Name | Implementation |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | FortiGate server exploitation |
| | T1078.002 | Valid Accounts: Domain Accounts | Compromised administrative credentials |
| Discovery | T1046 | Network Service Discovery | Nmap service enumeration |
| | T1018 | Remote System Discovery | Advanced IP Scanner network mapping |
| Execution | T1087.002 | Account Discovery: Domain Account | Batch script domain account enumeration |
| | T1069.002 | Permission Groups Discovery | Domain group enumeration |
| | T1482 | Domain Trust Discovery | PowerShell PDC identification |
| | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Cmd.exe command execution |
| | T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell-based operations |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | Anti-AV tool deployment |
| | T1014 | Rootkit | Vulnerable driver abuse |
| | T1112 | Modify Registry | Authentication control weakening |
| | T1562.004 | Impair Defenses: Disable or Modify System Firewall | RDP firewall rule modification |
| | T1027 | Obfuscated Files or Information | Base64 encoded PowerShell |
| Privilege Escalation | T1484.001 | Domain Policy Modification: Group Policy Modification | GPO manipulation |
| Persistence | T1219 | Remote Access Software | AnyDesk installation |
| | T1112 | Modify Registry | Persistent registry modifications |
| Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | PsExec lateral movement |
| | T1021.001 | Remote Services: Remote Desktop Protocol | RDP-based movement |
| | T1021.004 | Remote Services: SSH | PuTTY SSH access |
| Collection | T1074.001 | Data Staged: Local Data Staging | C:\ProgramData\data staging |
| | T1039 | Data from Network Shared Drive | WebDAV share access |
| Command and Control | T1219 | Remote Access Software | AnyDesk C2 communication |
| | T1071.001 | Application Layer Protocol: Web Protocols | WebDAV-based communication |
| Exfiltration | T1048.001 | Exfiltration Over Alternative Protocol | WinSCP encrypted exfiltration |
| Impact | T1486 | Data Encrypted for Impact | Domain-wide ransomware deployment |
| | T1489 | Service Stop | Systematic service termination |
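The T1489 Service Stop row above, together with the "60+ services terminated" statistic, describes a burst of service stops on one host in a short window, which is a hunting signal a defender can check for. The following is an added example written for this page, not code from the report or from the threat actor's tooling: it parses constructed records shaped like Windows System log Event ID 7036 ("entered the stopped state") and flags any host where at least five distinct services stop within sixty seconds. Host names, service names, timestamps and the 5-in-60s threshold are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (timestamp, host, event ID, message). Hosts, service
# names and times are invented for this example; they are not from the report.
SAMPLE_LOG = """\
2025-08-14T02:11:03 HOST-A 7036 The Spooler service entered the stopped state.
2025-08-14T02:15:20 HOST-A 7036 The ExampleAV service entered the stopped state.
2025-08-14T02:15:21 HOST-A 7036 The ExampleEDR service entered the stopped state.
2025-08-14T02:15:21 HOST-A 7036 The BackupAgent service entered the stopped state.
2025-08-14T02:15:22 HOST-A 7036 The VSS service entered the stopped state.
2025-08-14T02:15:23 HOST-A 7036 The ExampleAV service entered the stopped state.
2025-08-14T02:15:23 HOST-A 7036 The SQLWriter service entered the stopped state.
2025-08-14T02:15:24 HOST-A 7036 The ExampleEDR service entered the running state.
2025-08-14T02:30:00 HOST-B 7036 The Spooler service entered the stopped state.
2025-08-14T02:45:00 HOST-B 7036 The W32Time service entered the stopped state.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) 7036 The (?P<svc>.+?) service entered the stopped state\.$"
)

def parse_stops(log_text):
    """Yield (timestamp, host, service) for every 7036 'stopped state' record."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["svc"]

def detect_mass_service_stop(log_text, min_services=5, window_seconds=60):
    """Return {host: (distinct_services_stopped, window_start)} for each host whose
    densest window_seconds window contains >= min_services distinct service stops."""
    by_host = defaultdict(list)
    for ts, host, svc in parse_stops(log_text):
        by_host[host].append((ts, svc))
    alerts = {}
    window = timedelta(seconds=window_seconds)
    for host, events in by_host.items():
        events.sort()
        best = (0, None)
        for i, (start, _) in enumerate(events):  # window anchored at each stop event
            distinct = {svc for ts, svc in events[i:] if ts - start <= window}
            if len(distinct) > best[0]:
                best = (len(distinct), start)
        if best[0] >= min_services:
            alerts[host] = best
    return alerts

if __name__ == "__main__":
    for host, (count, start) in detect_mass_service_stop(SAMPLE_LOG).items():
        print(f"{host}: {count} distinct services stopped within 60s from {start}")
```

Repeated stops of the same service (ExampleAV above) are counted once, and a service returning to the running state is ignored, so the alert reflects distinct services taken down rather than raw event volume.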
Indicators of Compromise (IOCs)
File Hashes (SHA1)
- c12c4d58541cc4f75ae19b65295a52c559570054 – Ransom.Win64.GENTLEMAN.THHAIBE (Main ransomware)
- c0979ec20b87084317d1bfa50405f7149c3b5c5f – Trojan.Win64.KILLAV.THHBHBE (Initial anti-AV tool)
- df249727c12741ca176d5f1ccba3ce188a546d28 – Trojan.Win64.KILLAV.THHBHBE (Patched anti-AV tool)
- e00293ce0eb534874efd615ae590cf6aa3858ba4 – HackTool.Win32.PowerRun.THHBHBE (PowerRun tool)
Conclusion
The Gentlemen ransomware represents a significant evolution in ransomware operations, demonstrating advanced capabilities through systematic enterprise compromise and adaptive tool development. Organizations must implement comprehensive security measures focusing on Zero Trust architecture, advanced endpoint protection, and proactive threat hunting to defend against this sophisticated threat.
The group’s ability to adapt tools mid-campaign and target specific security solutions indicates a well-resourced and technically sophisticated operation that poses ongoing risks to organizations across multiple industries and regions.
