The Gentlemen Ransomware: Threat Intelligence Analysis

The Gentlemen ransomware operation is actively compromising medium-to-large enterprises through exploitation of internet-facing administrative interfaces and compromised credentials. The group operates a double-extortion model: stealing data over 2-6 weeks, then encrypting infrastructure, then publishing the stolen information unless the ransom is paid. Initial access typically occurs through unpatched firewalls or compromised domain credentials. Red Piranha assesses the sustained threat level as CRITICAL for organisations with 500+ employees and complex Active Directory environments.

Key Statistics and Threat Overview

  • Operational Period: Mid-2025 to present
  • Primary Target Profile: Medium-to-large enterprises (500+ employees) with complex Active Directory and valuable data
  • Geographic Scope: No geographic restrictions; global targeting observed
  • Attack Model: Double-extortion (data theft + encryption + public leak)
  • Average Dwell Time: 2-6 weeks from initial access to encryption
  • Confirmed Campaigns: Incidents across North America, Europe, and Asia
  • Sophistication Level: APT-equivalent (kernel-level exploitation, adaptive evasion, multi-platform capability)
  • MITRE ATT&CK Techniques: 17+ techniques spanning the full kill chain
  • Ransomware Binary Type: Golang, cross-platform (Windows, Linux, ESXi, NAS, BSD)

What is The Gentlemen Ransomware?

The Gentlemen is a ransomware operation first observed in mid-2025 that follows a business model markedly different from that of typical ransomware groups. Rather than conducting large-scale campaigns and relying on a fraction of victims to pay, The Gentlemen carefully researches and selects target organisations before launching an attack. This targeted approach allows the group to focus its efforts on organisations that are more likely to generate significant financial returns through extortion.

They spend weeks inside compromised networks conducting reconnaissance, establishing persistence, and stealing data before deploying encryption. This operational patience reflects understanding of a critical business reality: encrypted files can be recovered from offline backups, but stolen data cannot. The group's actual leverage is informational, not technical.

The operational model centres on professional infrastructure and processes. The Gentlemen maintain a Tor-based data leak site where victim profiles are published alongside countdown timers and sample data proving data possession.

They operate direct communication channels through TOX messenger, where ransom negotiation occurs. This structured approach (a professional leak site, countdown mechanisms, and direct negotiation channels) indicates an organisation with proper funding, operational security discipline, and sustained commitment rather than opportunistic attackers.

We observed that The Gentlemen deliberately target organisations matching a specific profile based on analysis of disclosed victims and observed reconnaissance patterns. They focus on enterprises with 500+ employees, which typically indicates sufficiently large organisations to have high-value data and budget capacity to pay significant ransoms.

They show particular operational interest in organisations running VMware infrastructure. The group specifically enumerates VMware administrator groups during reconnaissance, which Red Piranha assesses indicates preparation to encrypt virtualisation infrastructure. A single encrypted hypervisor can render dozens of dependent virtual machines inaccessible simultaneously, creating maximum operational disruption and stronger coercion pressure.

What distinguishes The Gentlemen from lower-tier ransomware operations is their demonstrated technical capability. The group exploits kernel-level vulnerabilities, develops adaptive malware tools that modify themselves based on victim security environments, and operates across multiple platforms simultaneously.

These capabilities typically require dedicated development resources, proper security testing infrastructure, and operational experience. The fact that the group exercises these capabilities consistently across multiple victims indicates an organisation with proper process discipline and development maturity.

Tactics, Techniques, and Procedures and Attack Kill Chain: MITRE ATT&CK Framework Mapping

Understanding The Gentlemen's attack methodology from beginning to end is critical for organisations developing defensive strategies and incident response procedures. The group follows a methodical progression across seven kill chain phases, each representing a point where defensive controls can potentially interrupt the attack.

MITRE ATT&CK Tactic | Technique ID | Technique Name | Observed Implementation
Initial Access | T1190 | Exploit Public-Facing Application | Exploitation of internet-facing FortiGate administrative panels and VPN interfaces
Initial Access | T1078 | Valid Accounts | Use of compromised domain credentials obtained from dark web credential markets
Execution | T1059.001 | PowerShell | Disabling Windows Defender, creating AV exclusions, volume enumeration, and system preparation
Execution | T1059.003 | Windows Command Shell | Batch scripts used for Active Directory and privileged account enumeration
Persistence | T1547 | Boot or Logon AutoStart Execution | Self-restart mechanisms to maintain access after system reboot
Persistence | T1543 | Create or Modify System Process | Installation of AnyDesk as a Windows service for persistent remote access
Privilege Escalation | T1068 | Exploitation for Privilege Escalation | PowerRun.exe UAC bypass and CVE-2025-7771 kernel-level privilege escalation
Defence Evasion | T1562.001 | Impair Defences | BYOVD attack using ThrottleBlood.sys with All.exe/Allpatch2.exe to disable security tools
Defence Evasion | T1027 | Obfuscated Files or Information | Password-protected ransomware payloads to evade sandbox and signature analysis
Defence Evasion | T1484.001 | Domain Policy Modification | GPO manipulation through NETLOGON shares for large-scale deployment
Discovery | T1046 | Network Service Discovery | Network mapping and infrastructure enumeration using Advanced IP Scanner
Discovery | T1087.002 | Account Discovery: Domain Account | Enumeration of domain administrators and VMware administrative groups
Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | PsExec deployment over SMB for remote command execution
Lateral Movement | T1021.001 | Remote Services: RDP | Enabling and using RDP with DisableRestrictedAdmin registry modifications
Lateral Movement | T1021.004 | Remote Services: SSH | PuTTY-based access to Linux servers and VMware ESXi hosts
Collection | T1039 | Data from Network Shared Drive | Enumeration, collection, and staging of files from network shares
Exfiltration | T1048.001 | Exfiltration Over Alternative Protocol | Data exfiltration using WinSCP over encrypted SFTP/SCP channels
Command and Control | T1219 | Remote Access Software | Persistent remote administration through AnyDesk
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | Command-and-control communications over HTTP/HTTPS routed through Tor infrastructure

Phase 1: Reconnaissance and Target Identification

The attack begins long before The Gentlemen's first packet reaches target infrastructure. Using T1591 (Gather Victim Org Information), the group conducts patient reconnaissance to identify organisations with exposed SaaS portals, misconfigured administrative interfaces, or publicly accessible API endpoints. This reconnaissance phase leverages dark web forum intelligence, public cloud configuration exposures, and open-source data gathering to build comprehensive target profiles before committing to attack execution.

Red Piranha assesses this deliberate targeting approach is computationally cheaper and more effective than mass scanning and exploitation. Rather than probing thousands of organisations hoping to find vulnerable systems, The Gentlemen research specific targets in advance, understanding organisational structure, security controls, and executive contacts. This reconnaissance intelligence directly supports ransom negotiation phases where the group leverages knowledge of organisational revenue and decision-maker identities to accelerate payment decisions.

Phase 2: Initial Access: Two Concurrent Vectors

The Gentlemen exploit two distinct initial access vectors, and organisations should treat both as active risks regardless of which appear more likely for their environment.

Vector A: Exploitation of Internet-Facing Administrative Interfaces (T1190)

The group targets FortiGate firewall administrative panels and VPN interfaces exposed on the internet. The vulnerabilities exploited are not zero-days - they are known issues with publicly available patches. The targeting pattern suggests either organisations that have not maintained patch currency or deliberate targeting of organisations with weaker security posture. Once initial access is obtained through administrative panel exploitation, the attacker operates within the administrative context established by the vulnerable interface, blending with legitimate administrative activity patterns.

Vector B: Valid Accounts and Credential Exploitation (T1078)

The Gentlemen obtain credentials from dark web credential markets where infostealer malware operators sell harvested passwords. The group uses these credentials to authenticate directly to organisational infrastructure using legitimate authentication mechanisms. This approach is particularly difficult to detect because there is nothing obviously malicious about an administrative user logging in with a valid password at a plausible time of day. The threat actor can take time to explore network structure and understand security controls before deploying any tools that might trigger detection.

Red Piranha assesses with high confidence that credential-based access is harder to detect than exploitation-based access because it generates expected authentication logs and doesn't trigger vulnerability detection mechanisms. This assessment is based on incident response experience where credential-based compromises frequently progress further before detection than exploitation-based compromises.

Phase 3: Network Reconnaissance and Active Directory Enumeration

Once inside the network, The Gentlemen cannot immediately deploy ransomware. They first conduct systematic reconnaissance to understand network structure, identify high-value systems, and map security controls. They deploy Advanced IP Scanner to enumerate live systems, identify open ports, and map infrastructure. Simultaneously, they execute custom batch scripts to enumerate Active Directory, specifically targeting privileged accounts and administrative groups.

The reconnaissance scripts demonstrate specific operational knowledge - they enumerate domain administrators, enterprise administrators, and critically, VMware administrator groups. Red Piranha assesses this VMware group enumeration indicates preparation for ESXi-specific encryption deployment. Encrypting hypervisors creates cascading impact across dependent virtual machine populations, and controlling VMware administrators provides the administrative context necessary for domain-wide deployment of encryption tools.

The reconnaissance phase typically lasts 2-7 days based on comparable RaaS operations, though forensic visibility into this phase is limited because reconnaissance activity uses legitimate administrative tools and generates expected network traffic patterns.

Phase 4: Privilege Escalation to SYSTEM-Level Access

At this point in the attack progression, The Gentlemen have user-level or administrative-level access. This is insufficient for their defensive evasion objectives. They need SYSTEM-level privileges - the highest privilege level in Windows. The group uses a two-stage escalation approach.

Stage 1: User Account Control Bypass (T1068 - PowerRun.exe)

The group executes PowerRun.exe, a legitimate Windows utility designed for privilege escalation. PowerRun bypasses User Account Control restrictions, providing administrative-level privileges. However, administrative privileges on a single system are not sufficient for the next attack phase. They require kernel-level access - execution at a privilege level higher than user-mode security tools.

Stage 2: Kernel-Level Exploitation (T1068 - CVE-2025-7771)

The Gentlemen exploit CVE-2025-7771 in the ThrottleStop driver. ThrottleStop is a completely legitimate thermal management utility used by system administrators for CPU thermal management. The vulnerability in this driver allows code execution at the kernel level, a privilege level that grants complete system control and the ability to execute code at higher privilege than any user-mode application, including security software.

Red Piranha assesses with high confidence that kernel-level access is critical for The Gentlemen's strategy because user-mode security tools cannot defend against kernel-level execution. This is a fundamental architecture limitation of Windows security - endpoint protection operates in user mode, while malicious code executing in kernel mode operates at a higher privilege level and can terminate or disable user-mode security tools.

Phase 5: Defence Evasion: Bring Your Own Vulnerable Driver (BYOVD) Technique

Once The Gentlemen possess kernel-level privileges, they implement their primary defence evasion strategy. This is the phase where endpoint protection is most vulnerable, and where organisations without kernel-level driver protections are most exposed.

The group takes the legitimate ThrottleStop driver, renames it to ThrottleBlood.sys to obscure its origin, and loads it into the Windows kernel. They then exploit CVE-2025-7771 to execute code at the kernel level. From this privilege level, they deploy Allpatch2.exe and All.exe, tools specifically designed to terminate antivirus and EDR processes.

The critical detail here is that Allpatch2.exe does not use a static list of security products to terminate. Instead, it dynamically identifies which EDR solution is running on the victim system and specifically targets that product.

Red Piranha assesses that this adaptive approach indicates mid-campaign reconnaissance of victim security stack, though direct forensic evidence of reconnaissance commands is limited to deployment pattern analysis rather than confirmed reconnaissance activity logs.

This adaptive capability tells us the threat actors have either: (1) access to detailed intelligence about victim security deployments through underground intelligence channels, or (2) a development process where they quickly analyse victim security configuration and adapt tools before deployment. Either interpretation indicates resource commitment and professional development practices.

Phase 6: Lateral Movement Across Network Infrastructure

With endpoint security offline, The Gentlemen move laterally across the network using multiple methods. This redundancy ensures that if one lateral movement vector is blocked or detected, alternative paths remain available. The group uses legitimate administrative tools that generate expected network traffic patterns.

SMB-Based Lateral Movement (T1021.002 - PsExec)

The Gentlemen execute PsExec over SMB admin shares. PsExec is a legitimate Windows system administration utility that security teams use for remote command execution. When The Gentlemen use PsExec with compromised administrative credentials, their traffic appears identical to legitimate administrative activity. They can execute remote commands and deploy ransomware across network segments using standard administrative channels.

RDP-Based Lateral Movement (T1021.001)

The group enables Remote Desktop Protocol by modifying Windows Firewall rules and setting the DisableRestrictedAdmin registry key to 0. This configuration change allows RDP connections with lower security restrictions, facilitating remote interactive access. They can then use RDP sessions to interact with systems directly and conduct additional reconnaissance.

SSH-Based Lateral Movement (T1021.004 - PuTTY)

The Gentlemen deploy PuTTY for SSH-based lateral movement across Linux and ESXi systems. This demonstrates multi-platform attack capability and indicates preparation for infrastructure-wide encryption targeting both Windows and virtualisation infrastructure.

Remote Access Backdoors (T1547 - AnyDesk)

The group installs AnyDesk as a Windows service, providing persistent remote access that survives system restarts and user logoffs. This gives them a reliable command channel for ongoing operations and provides access flexibility as they conduct additional attack phases.

Red Piranha assesses the lateral movement phase typically lasts 2-7 days and involves dozens to hundreds of lateral movement commands, depending on network size and complexity. However, forensic visibility into this phase is limited because lateral movement uses legitimate tools with standard administrative authentication.

Phase 7: Data Collection and Exfiltration

Before encryption is deployed, The Gentlemen systematically collect and exfiltrate sensitive data. This phase is where the actual value of the attack lies: data that cannot be recovered from backups. The group collects data from network shares across the organisation, specifically targeting sensitive directories.

Finance shares contain budgets and business plans. Legal shares contain contracts and litigation information. HR shares contain employee personal information. R&D shares contain intellectual property and product roadmaps.

Data is staged locally in temporary locations before exfiltration. The group uses WinSCP for encrypted SFTP/SCP data transfer to attacker-controlled infrastructure. Red Piranha assesses the data collection phase typically lasts 5-30 days, depending on data volume and network connectivity. Organisations with large data repositories or slow network connectivity experience longer collection phases.

Red Piranha assesses with moderate confidence this timeline is typical based on comparable RaaS operations analysed by public security researchers. However, we classify this as moderate rather than high confidence because direct forensic confirmation of exfiltration timelines requires access to victim network logs, which are not systematically available in public reporting.

Phase 8: Encryption and Extortion

Only after data collection is complete do The Gentlemen deploy encryption. The ransomware binary is written in Golang, enabling cross-platform compilation. The group can deploy identical code across Windows, Linux, ESXi, NAS devices, and BSD systems. The ransomware requires a password parameter to execute, preventing accidental triggering and complicating sandbox analysis.

Once encryption is complete and systems are offline, The Gentlemen contact victim organisations through their established TOX messenger channel. They provide proof of data theft by publishing sample files or listing specific files on their leak site. They demand ransom. They set a deadline, typically 5-7 days, with a countdown timer visible on their public leak site. If the victim organisation pays, they provide decryption tools. If payment is not made by the deadline, the stolen data is published publicly.

It is clear that The Gentlemen ransomware group follows a structured attack chain, beginning with initial access through unpatched internet-facing FortiGate devices (T1190) and stolen credentials purchased from dark web markets (T1078). Once inside, they use PowerShell and Windows command-line tools (T1059.001, T1059.003) to disable security controls, enumerate Active Directory, identify privileged accounts, and prepare systems for ransomware deployment.

To maintain access, they establish persistence through self-restarting mechanisms, scheduled tasks, and AnyDesk services (T1547, T1543), while escalating privileges using UAC bypasses and vulnerable drivers (T1068). They also evade detection through Bring Your Own Vulnerable Driver (BYOVD) techniques, payload obfuscation, and Group Policy manipulation to disable defences and facilitate domain-wide ransomware deployment (T1562.001, T1027, T1484.001).

After securing control of the environment, the group performs extensive discovery and lateral movement, using tools such as Advanced IP Scanner, PsExec, RDP, and SSH to map networks and spread across Windows, Linux, and VMware systems (T1046, T1021.001, T1021.002, T1021.004).

They then collect and exfiltrate data from network shares using tools like WinSCP over SFTP/SCP (T1039, T1048.001) before deploying ransomware. Throughout the operation, AnyDesk and Tor-based HTTP/HTTPS communications provide command-and-control capabilities (T1219, T1071.001), enabling attackers to maintain remote access and coordinate activities while reducing the likelihood of detection.

Indicators of Compromise (IOCs)

Infrastructure / Command & Control (C2)

  • TOR Negotiation Portal: tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion
  • TOR Data Leak Site (DLS): 25swr3rgce7elyedjmmhdw4ourgtxc72mj2cynsrqz6wwitestfpiiyd.onion


Communication Identifiers

  • TOX ID: F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E
  • Ransomware File Extensions:
    • .7mtzhh (primary)
    • .ojuopo (observed in separate campaigns)
  • Ransom Note: README-GENTLEMEN.txt


Malware Components and Tools

  • BYOVD Driver:
    • ThrottleBlood.sys
    • Renamed version of ThrottleStop.sys
    • Exploits CVE-2025-7771
  • Antivirus Disabling Tools:
    • All.exe
    • Allpatch2.exe
  • Privilege Escalation Utility:
    • PowerRun.exe
  • Reconnaissance Script:
    • 1.bat


Malware Characteristics

  • Written in Golang (Go)
  • Cross-platform ransomware capable of targeting:
    • Windows
    • Linux
    • VMware ESXi
    • NAS devices
    • BSD systems


Key Detection Opportunities

  • Presence of ThrottleBlood.sys, All.exe, Allpatch2.exe, or PowerRun.exe
  • Creation of README-GENTLEMEN.txt
  • Files renamed with .7mtzhh or .ojuopo extensions
  • Connections to TOR infrastructure or associated .onion negotiation portals
  • Execution of 1.bat reconnaissance scripts
  • Unauthorised installation of remote access tools and security process termination attempts
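The detection opportunities above, together with the BYOVD driver load (Phase 5) and the DisableRestrictedAdmin registry change (Phase 6), as detection logic run over constructed Sysmon-style events. This is an added example, not Red Piranha's or the group's own code; the event schema, field names, host names and the user-writable driver directory list are assumptions, and it generalises the IOC list by also flagging any driver loaded from a user-writable path, since a renamed copy defeats name matching.

```python
"""Detection logic for The Gentlemen IOCs, run over constructed Sysmon-style events.
Added example; event records and field names are simplified and constructed."""
from collections import Counter

# File names from the IOC list, matched case-insensitively on the basename.
TOOL_NAMES = {"throttleblood.sys", "all.exe", "allpatch2.exe", "powerrun.exe", "1.bat"}
RANSOM_EXTENSIONS = (".7mtzhh", ".ojuopo")
RANSOM_NOTE = "readme-gentlemen.txt"
# Remote access tool whose unplanned service installation is listed as a signal.
RAT_SERVICE_NAMES = ("anydesk",)
# Registry value the group sets to 0 to relax RDP restrictions (lateral movement phase).
RESTRICTED_ADMIN_VALUE = "hklm/system/currentcontrolset/control/lsa/disablerestrictedadmin"
# A renamed driver defeats name matching, so also flag drivers loaded from
# user-writable directories (assumed list; extend for the environment).
WRITABLE_DRIVER_DIRS = ("c:/windows/temp/", "c:/users/", "c:/programdata/")
# Three or more ransom-extension file creations on one host suggests active encryption.
RENAME_BURST_THRESHOLD = 3

def normalise(path):
    # Lower-case and use forward slashes so Windows and UNC paths compare uniformly.
    return path.lower().replace("\\", "/")

def basename(path):
    return normalise(path).rsplit("/", 1)[-1]

def check_event(ev):
    """Return (rule, detail) tuples for one event; an empty list means no match."""
    hits, kind, host = [], ev["type"], ev["host"]
    if kind in ("process_create", "driver_load"):
        name = basename(ev["image"])
        if name in TOOL_NAMES:
            hits.append(("gentlemen_tooling", f"{kind}: {name} on {host}"))
        if kind == "driver_load" and normalise(ev["image"]).startswith(WRITABLE_DRIVER_DIRS):
            hits.append(("driver_from_writable_path", f"{ev['image']} on {host}"))
    elif kind == "file_create":
        name = basename(ev["path"])
        if name == RANSOM_NOTE:
            hits.append(("ransom_note", f"{ev['path']} on {host}"))
        elif name.endswith(RANSOM_EXTENSIONS):
            hits.append(("ransom_extension", f"{ev['path']} on {host}"))
    elif kind == "registry_set":
        if normalise(ev["key"]) == RESTRICTED_ADMIN_VALUE and str(ev["value"]) == "0":
            hits.append(("restricted_admin_disabled", f"RDP restrictions relaxed on {host}"))
    elif kind == "service_install":
        if any(r in ev["service"].lower() for r in RAT_SERVICE_NAMES):
            hits.append(("remote_access_service", f"{ev['service']} on {host}"))
    elif kind == "network_connect":
        if ev["dest"].lower().endswith(".onion"):
            hits.append(("tor_onion_contact", f"{ev['dest']} from {host}"))
    return hits

def scan(events):
    """Check every event and add a per-host encryption-burst alert on top."""
    alerts, renames = [], Counter()
    for ev in events:
        hits = check_event(ev)
        alerts.extend(hits)
        renames[ev["host"]] += sum(1 for rule, _ in hits if rule == "ransom_extension")
    for host, n in renames.items():
        if n >= RENAME_BURST_THRESHOLD:
            alerts.append(("encryption_burst", f"{n} files renamed to a ransom extension on {host}"))
    return alerts

SAMPLE_EVENTS = [  # constructed for this example, not from a real incident
    {"type": "process_create", "host": "WS01", "image": r"C:\Users\Public\PowerRun.exe"},
    {"type": "driver_load", "host": "WS01", "image": r"C:\Windows\Temp\ThrottleBlood.sys"},
    {"type": "process_create", "host": "WS01", "image": r"C:\Users\Public\Allpatch2.exe"},
    {"type": "registry_set", "host": "WS01",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin", "value": 0},
    {"type": "service_install", "host": "SRV02", "service": "AnyDesk Service"},
    {"type": "network_connect", "host": "SRV02",
     "dest": "tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion"},
    {"type": "file_create", "host": "FS01", "path": r"\\FS01\Finance\budget.xlsx.7mtzhh"},
    {"type": "file_create", "host": "FS01", "path": r"\\FS01\Finance\plan.docx.7mtzhh"},
    {"type": "file_create", "host": "FS01", "path": r"\\FS01\Legal\contract.pdf.7mtzhh"},
    {"type": "file_create", "host": "FS01", "path": r"\\FS01\Finance\README-GENTLEMEN.txt"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Running the block prints twelve alerts, the last being the encryption burst on FS01; the `driver_from_writable_path` rule fires even if the driver is renamed again.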

How does Red Piranha Detect and Prevent attacks of The Gentlemen Ransomware?

Red Piranha's Crystal Eye Threat Detection, Investigation, and Response (TDIR) platform delivers comprehensive capabilities to identify, disrupt, and mitigate the tactics, techniques, and procedures (TTPs) associated with The Gentlemen ransomware.

By combining continuous security monitoring, integrated threat intelligence, advanced analytics, and proactive defence mechanisms, Crystal Eye enables organisations to detect malicious activity across every stage of the ransomware attack lifecycle.

The following analysis outlines how Crystal Eye’s security capabilities can effectively identify, contain, and prevent The Gentlemen ransomware operations and their associated attack techniques.

Crystal Eye Network Detection and Response (NDR) provides 10x greater visibility across network operations than competing products. This enables detection of reconnaissance activity in Phase 3, when Advanced IP Scanner enumerates infrastructure and batch scripts query Active Directory.

These behavioural patterns instantly flag abnormal network activity. Crystal Eye Threat Detection, Investigation, and Response (TDIR) monitors endpoint execution in real-time. It detects when PowerRun.exe and Allpatch2.exe execute with kernel privileges. It flags the unsigned driver loading (ThrottleBlood.sys) that The Gentlemen depend on for AV/EDR termination.

Crystal Eye DAS (Declarative Authorisation Services) implements Zero Trust policies with micro-segmentation across Azure, AWS, on-premises, and edge systems. DAS blocks lateral movement attempts by enforcing "allow on need basis" access.

It prevents unauthorised privilege escalation through dynamic RBAC/ABAC with context-aware permissions. Behavioural analytics within DAS detects abnormal access patterns as The Gentlemen attempt to enumerate VMware administrator groups and domain controllers.

Crystal Eye SWG (Secure Web Gateway) blocks malicious connections to known Tor leak site infrastructure. SWG prevents command-and-control communication. Encrypted metadata handling across the platform maintains visibility even when attackers attempt to obscure C2 traffic.

Red Piranha's fully operationalised threat intelligence is pushed to all detection layers simultaneously. When The Gentlemen's IOCs are detected (file extensions .7mtzhh, .ojuopo, tool names like Allpatch2.exe, CVE-2025-7771 exploitation), Crystal Eye's automated threat intelligence automatically escalates to Red Piranha's 24/7 SOC team.

The unified platform integrating NDR, TDIR, DAS, and SOC enables on-demand human-machine teaming. Automated detection triggers immediate human analyst investigation. This reduces dwell time from The Gentlemen's typical 2-6 weeks to hours.

DAS policy enforcement uses "allow on need basis" to prevent data exfiltration during Phase 6. It blocks access to network shares unless explicitly authorised. With 18+ months of data retention and integrated PCAP analysis, forensic investigations can reconstruct the complete attack sequence.

Automated compliance reports with timestamped access logs show exactly what was accessed and when. Automated containment workflows simultaneously block lateral movement vectors (SMB/RDP/SSH).

This multi-layered detection covering network, endpoint, authorisation, and behavioural anomalies ensures The Gentlemen cannot progress through reconnaissance, privilege escalation, lateral movement, or data exfiltration phases without triggering immediate, operationalised response from Red Piranha's SOC team.

Does detecting malicious activity pose a significant challenge for your organisation?

Crystal Eye, a best-in-class Threat Detection, Investigation and Response (TDIR) platform, allows you to catch what other products in its class miss by detecting all known malware and C2 callouts.

Improve your organisation's security posture and minimise risk to your organisation with our Network Detection and Response program alongside the Managed Detection and Response (MDR) service.