<\/p>\n
![](\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/25\/gentlemen-cover.png\")
<\/div>\nIn terms of execution, the ransomware accepts specific parameters:<\/p>\n
The ransomware aggressively attempts to terminate key services commonly associated with backup, database, and security processes to maximize its impact:<\/p>\n
net stop <service_name><\/b><\/span><\/p>\n (.*)sql(.*), AcrSch2Svc, VSNAPVSS, MVarmor64, MVarmor, VeeamTransportSvc, VeeamDeploymentService, VeeamNFSSvc, AcronisAgent, QBIDPService, QBDBMgrN, QBCFMonitorService, OracleServiceORCL, MySQL, MSSQL, SAPHostExec, SAPHostControl, SAPD$, SAP$, postgresql, SAP, SAPService, GxFWD, GxVsshWProv, GXMMM, GxClMgr, MariaDB, GxCVD, GxClMgrS, GxVss, GxBlr, BackupExecRPCService, SQLAgent$SQLEXPRESS, BackupExecManagementService, BackupExecJobEngine, MSSQL$SQLEXPRESS, BackupExecDiveciMediaService, BackupExecAgentBrowser, SQLWriter, BackupExecAgentAccelerator, BackupExecVSSProvider, PDVFSService, SQLSERVERAGENT, WSBExchange, MSExchange\\$, MSExchange, sophos, msexchange, docker, MSSQLSERVER, MSSQL*, Sql, vss, backup, veeam, memtas, mepocs, vmms<\/i><\/p>\n Further, the threat systematically terminates processes using the following commands:<\/p>\n taskkill \/IM <process_name>.exe \/F<\/b><\/span><\/p>\n Veeam.EndPoint.Service.exe, mvdesktopservice.exe, VeeamDeploymentSvc.exe, VeeamTransportSvc.exe, VeeamNFSSvc.exe, EnterpriseClient.exe, DellSystemDetect.exe, avscc.exe, avagent.exe, sapstartsrv.exe, saposco.exe, saphostexec.exe, CVODS.exe, cvfwd.exe, cvd.exe, CVMountd.exe, tv_x64.exe, tv_w32.exe, pgAdmin4.exe, TeamViewer.exe, TeamViewer_Service.exe, SAP.exe, QBCFMonitorService.exe, pgAdmin3.exe, QBDBMgrN.exe, QBIDPService.exe, CagService.exe, vsnapvss.exe, raw_agent_svc.exe, cbInterface.exe, “Docker Desktop.exe”, beserver.exe, pvlsvr.exe, bengien.exe, benetns.exe, vxmon.exe, bedbh.exe, IperiusService.exe, sqlceip.exe, xfssvccon.exe, wordpad.exe, winword.exe, visio.exe, thunderbird.exe, thebat.exe, Iperius.exe, psql.exe, postgres.exe, tbirdconfig.exe, synctime.exe, steam.exe, sqbcoreservice.exe, powerpnt.exe, cbVSCService11.exe, postmaster.exe, mysqld.exe, outlook.exe, oracle.exe, onenote.exe, ocssd.exe, ocomm.exe, ocautoupds.exe, SQLAGENT.exe, sqlwriter.exe, notepad.exe, mydesktopservice.exe, mydesktopqos.exe, mspub.exe, msaccess.exe, cbService.exe, sqlbrowser.exe, w3wp.exe, sql.exe, isqlplussvc.exe, infopath.exe, firefox.exe, excel.exe, encsvc.exe, Ssms.exe, DBeaver.exe, sqlservr.exe, dbsnmp.exe, dbeng50.exe, agntsvc.exe, vmcompute.exe, vmwp.exe, vmms.exe<\/i><\/p>\n Beyond service and process termination, the ransomware executes additional commands to impede recovery and forensic investigation:<\/p>\n For final cleanup, the ransomware drops a batch script named after itself (e.g., {filename}.exe.bat<\/i>). <\/b>This script pings the local host for a brief delay, deletes the ransomware binary, and then deletes itself. This ensures comprehensive removal of its artifacts after the encryption routine is complete.<\/p>\n The Gentlemen ransomware campaign shows the rapid evolution of modern ransomware threats, blending advanced technical sophistication with persistent, targeted operations. This campaign is distinguished by its use of custom-built tools for defense evasion, its ability to study and adapt to deployed security software, and its methodical abuse of both legitimate and vulnerable system components to subvert layered enterprise defenses. By tailoring their tactics against specific security vendors, The Gentlemen have demonstrated an acute awareness of their targets\u2019 environments and a willingness to engage in in-depth reconnaissance and tool modification throughout the course of their operation.<\/p>\n The campaign\u2019s impact on critical infrastructure and use of double extortion techniques underscores the significant risk this threat actor poses to organizations. Their campaign illustrates the growing trend among ransomware operators to move beyond \u201cone-size-fits-all\u201d methods and toward highly customized attacks, raising the bar for detection, prevention, and incident response.<\/p>\n Organizations are strongly advised to review their security posture, focusing on proactive threat hunting for group-specific tools, tactics, and procedures, the strengthening of endpoint and network protections, and the continuous refinement of incident response strategies. Particular attention should be given to monitoring for anomalous administrative activity, the abuse of legitimate tools for lateral movement and privilege escalation, and early indications of defense evasion efforts targeting security solutions.<\/p>\n Given the group’s exploitation of internet-facing infrastructure and VPN appliances, Zero Trust controls are essential for preventing initial access and limiting blast radius. Organizations must eliminate direct RDP exposure to the internet, enforce multi-factor authentication for all administrative interfaces, and implement network segmentation between IT management tools and production systems. Enterprises should also implement virtual patching for known vulnerabilities in perimeter devices, particularly VPN concentrators and firewalls that THE GENTLEMEN has been observed targeting.<\/p>\n Essential access controls and monitoring include:<\/p>\n\n
<\/span><\/h2>\n