Gentlemen Ransomware Uses Double Extortion and GPO Abuse | #ransomware | #cybercrime


Summary

The Gentlemen ransomware group has been active since July 2025 and follows a double-extortion model, combining file encryption with data theft and leak-site extortion. The malware is written in Go, supports Windows, Linux, and ESXi environments, and uses a hard-coded password argument during the encryption process. Operators also rely on broad reconnaissance, abuse of Group Policy Objects, and legitimate tools such as WinSCP to move and exfiltrate data in encrypted form.

Investigation

AttackIQ published an emulation that recreates the tactics, techniques, and procedures described by multiple security vendors, spanning initial access, persistence, defense evasion, discovery, lateral movement, and impact. The emulation includes behaviors such as creation of scheduled tasks, registry Run keys, malicious services, firewall rule changes, and deletion of volume shadow copies.

Mitigation

Defenders should watch for suspicious PowerShell activity, unexpected scheduled task creation, registry changes related to null sessions and Microsoft Defender exclusions, and attempts to enable SMBv1. Network segmentation and least-privilege access controls can help limit the group’s ability to move laterally through shared resources.

Response

If Gentlemen-related activity is detected, isolate the affected system immediately, collect volatile evidence, preserve the ransomware sample and associated registry artifacts, and begin incident response, recovering shadow copies and event logs from backups where possible. A full forensic investigation should also be performed to identify credential theft and any lateral movement across the environment.

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

Attack Narrative & Commands

An adversary who has gained low‑privilege execution on a domain‑joined Windows server wishes to prepare the environment for ransomware deployment. They use native PowerShell cmdlets to:

  1. Disable real‑time protection (Set-MpPreference).
  2. Open firewall ports (Enable-NetFirewallRule).
  3. Enable additional Windows features (Import-Module ServerManager + Enable-WindowsOptionalFeature).
  4. Harvest domain information (Get-ADDomain, Get-ADComputer).
  5. Enumerate system details (Get-WmiObject Win32_ComputerSystem, Get-PSDrive).
  6. Copy malicious payloads to a remote share (Copy-Item).

Each step is executed in a separate PowerShell process to ensure that the command line of each process contains one of the strings the Sigma rule watches for, thereby generating the required telemetry.
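The detection side of the narrative above, and of the Mitigation section's watch-list (real-time protection, Defender exclusions, SMBv1, null-session registry changes), as an added example that is not part of the original page and is not AttackIQ's or any vendor's published Sigma rule: a small Sigma-style matcher run over constructed process-creation events. The field names (Sysmon-style Image, CommandLine, Computer, User, UtcTime), the pattern list, the ten-minute window and the three-pattern threshold are all assumptions chosen for the example; the point it adds to the prose is that a single hit such as Get-PSDrive is ordinary administrator noise, so the rule is only useful once several of the watched strings land on the same host and user within one short window.

```python
"""Sigma-style matcher for the PowerShell command lines the simulation generates.

Constructed example for this page. The rule body, field names, window and
threshold are assumptions, not a vendor's published detection content.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Sigma-like selection map: every field|modifier entry must match (AND),
# and within one entry any listed value may match (OR).
RULE = {
    "title": "PowerShell ransomware-preparation commands (constructed)",
    "selection": {
        "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
        "CommandLine|contains": [
            "Set-MpPreference -DisableRealtimeMonitoring",
            "Add-MpPreference -ExclusionPath",      # Defender exclusions
            "Enable-NetFirewallRule",
            "Enable-WindowsOptionalFeature",
            "EnableSMB1Protocol",                   # Set-SmbServerConfiguration
            "RestrictAnonymous",                    # null-session registry value
            "Get-ADDomain",
            "Get-ADComputer",
            "Get-WmiObject Win32_ComputerSystem",
            "Get-PSDrive",
            "Copy-Item",
        ],
    },
}


def _field_matches(value, modifier, patterns):
    """Sigma string modifiers compare case-insensitively; return the first pattern that hits."""
    v = value.lower()
    for p in patterns:
        q = p.lower()
        if (modifier == "contains" and q in v) or \
           (modifier == "endswith" and v.endswith(q)) or \
           (modifier == "startswith" and v.startswith(q)):
            return p
    return None


def match_event(event, rule=RULE):
    """Return the CommandLine pattern that matched, or None if any selection field fails."""
    hit = None
    for key, patterns in rule["selection"].items():
        field, modifier = key.split("|", 1)
        m = _field_matches(event.get(field, ""), modifier, patterns)
        if m is None:
            return None            # one failed field fails the whole selection
        if field == "CommandLine":
            hit = m                # report the command-line string, not the image suffix
    return hit


def correlate(events, window=timedelta(minutes=10), threshold=3):
    """Group hits by host+user; alert when >= threshold distinct patterns fall inside one window."""
    buckets = defaultdict(list)
    for ev in events:
        m = match_event(ev)
        if m:
            buckets[(ev["Computer"], ev["User"])].append((ev["UtcTime"], m))
    alerts = []
    for (host, user), hits in buckets.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            seen = {m for t, m in hits[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                alerts.append({"Computer": host, "User": user, "patterns": sorted(seen)})
                break
    return alerts


# Constructed sample telemetry: four simulation steps from one service account on FS01,
# a benign cmdlet, a non-PowerShell process, and a lone Get-PSDrive from another admin.
T0 = datetime(2025, 9, 1, 10, 0, 0)
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"


def _ev(minutes, cmd, image=PS, user="CORP\\svc-backup", host="FS01"):
    return {"UtcTime": T0 + timedelta(minutes=minutes), "Computer": host,
            "User": user, "Image": image, "CommandLine": cmd}


SAMPLE_EVENTS = [
    _ev(0, 'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    _ev(1, 'powershell.exe -Command "Enable-NetFirewallRule -DisplayGroup \'File and Printer Sharing\'"'),
    _ev(2, 'powershell.exe -Command "Get-ADComputer -Filter * | Select-Object Name"'),
    _ev(3, 'powershell.exe -Command "Copy-Item -Path C:\\Temp\\x.txt -Destination \\\\FS02\\Share\\x.txt"'),
    _ev(5, 'powershell.exe -Command "Get-Process"'),                                  # benign
    _ev(7, 'cmd.exe /c whoami', image="C:\\Windows\\System32\\cmd.exe"),              # not PowerShell
    _ev(30, 'powershell.exe -Command "Get-PSDrive"', user="CORP\\alice", host="WS07"),  # admin noise
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Running the block prints one alert for FS01/svc-backup listing four distinct patterns; WS07's single Get-PSDrive matches the rule but never reaches the threshold, which is the behaviour a tuned rule wants.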

Regression Test Script

# -------------------------------------------------
# Simulation script – triggers The Gentlemen ransomware detection rule
# -------------------------------------------------
# NOTE: Run this on a non‑production, isolated Windows host.

# 1. Disable Windows Defender Real‑Time Monitoring
powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

# 2. Enable a firewall rule (e.g., allow inbound SMB)
powershell.exe -Command "Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'"

# 3. Install Server Manager module and enable a Windows feature
powershell.exe -Command "Import-Module ServerManager; Enable-WindowsOptionalFeature -Online -FeatureName TelnetClient -NoRestart"

# 4. Enumerate AD domain information
powershell.exe -Command "Get-ADDomain | Out-Null"

# 5. List AD computers (discovery)
powershell.exe -Command "Get-ADComputer -Filter * | Select-Object Name | Out-Null"

# 6. Query WMI for system details
powershell.exe -Command "Get-WmiObject Win32_ComputerSystem | Out-Null"

# 7. Show current PS drives
powershell.exe -Command "Get-PSDrive | Out-Null"

# 8. Copy a dummy file to a remote share to simulate lateral movement
#    (Replace \\REMOTE-SERVER\Share with a reachable SMB share in your lab)
$dummy = "$env:TEMP\dummy.txt"
"test" | Out-File -FilePath $dummy -Encoding ASCII
powershell.exe -Command "Copy-Item -Path '$dummy' -Destination '\\REMOTE-SERVER\Share\dummy.txt'"

# Cleanup dummy file locally
Remove-Item $dummy -Force

Cleanup Commands

# -------------------------------------------------
# Cleanup script – restores the host to its pre‑test state
# -------------------------------------------------
# Re‑enable Windows Defender real‑time protection
Set-MpPreference -DisableRealtimeMonitoring $false

# Disable the firewall rule added above (if still present)
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'

# Remove the dummy file from the remote share (requires write permission)
Remove-Item -Path '\\REMOTE-SERVER\Share\dummy.txt' -Force -ErrorAction SilentlyContinue
