Emergence of The Gentlemen Ransomware: Exploiting Legitimate Drivers and Group Policies for Advanced Attacks

In recent months, cybersecurity researchers have identified a new ransomware group, The Gentlemen, which has quickly gained notoriety for the technical maturity of its intrusions. The group loads a legitimately signed but vulnerable Windows driver to disable security software and abuses Group Policy Objects (GPOs) to push its payload across entire Active Directory domains, a combination that has already hit organizations in several critical sectors.

Initial Intrusion Tactics

The exact methods The Gentlemen use to gain initial access remain partially unclear. Forensic analyses point to compromised credentials and vulnerabilities in internet-facing services as the primary entry points. Once inside, the operators deploy a two-component kit consisting of ‘All.exe’ and ‘ThrottleBlood.sys’. The latter is a legitimately signed driver that is itself vulnerable, so Windows loads it without complaint (the bring-your-own-vulnerable-driver technique), and All.exe then uses it to terminate security processes from kernel mode. Because the killing happens in the kernel rather than through the user-mode APIs that EDR hooks and protected-process rules can block, endpoint protection is neutralized without the usual tamper alerts.

Adaptive Tool Deployment

Trend Micro analysts observed that The Gentlemen adapt their tooling mid-campaign. In one case they deployed ‘Allpatch2.exe’, a modified build of the process killer tailored to the specific security products found in the victim’s network. This adaptability points to a solid understanding of enterprise security stacks, and it pairs with the group’s distribution method: the encryptor is staged on the domain’s NETLOGON share and pushed to domain-joined systems through Group Policy, so that an entire domain can be encrypted in one step.

Impact on Targeted Sectors

The Gentlemen’s operations have caused severe disruption in manufacturing, healthcare and construction. Victims report that backups were destroyed before encryption (a Veeam backup service is among the processes the group kills) and that sensitive data was exfiltrated with the legitimate file-transfer client WinSCP, consistent with a double-extortion model in which stolen data is leaked if the ransom is not paid.

Infection Mechanism and Evasion Techniques

A hallmark of The Gentlemen’s tradecraft is loading a legitimately signed driver to obtain kernel-level capabilities. Because the driver carries a valid signature, Windows loads it despite driver signature enforcement, and the attackers’ user-mode loader then uses it to terminate processes that anti-tamper and protected-process features would otherwise shield. The operators first stage the two files in the %USERPROFILE%\Downloads directory:

```
REM Stage the loader and the signed driver in the user's Downloads folder
copy All.exe %USERPROFILE%\Downloads\All.exe
copy ThrottleBlood.sys %USERPROFILE%\Downloads\ThrottleBlood.sys
```

The loader then registers the driver as a service, and the operators stop backup and security processes, using taskkill for ordinary processes and the kernel driver for anything taskkill cannot reach:

```
REM Register and load the signed driver through the user-mode loader
%USERPROFILE%\Downloads\All.exe install ThrottleBlood.sys
REM Stop backup and endpoint-agent processes before encryption
taskkill /IM avagent.exe /F
taskkill /IM VeeamNFSSvc.exe /F
```

By working from the kernel, The Gentlemen sidestep the limits of user-mode defenses. With the driver in place, the operators run ‘PowerRun.exe’, a legitimate utility that launches programs with SYSTEM or TrustedInstaller privileges and is frequently misused for exactly that reason. This elevation lets them modify protected registry keys, for example enabling Remote Desktop Protocol (RDP) access, and establish persistence and domain-wide deployment through Group Policy.
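The artefacts in this section (a kernel driver registered from a user-writable path, the loader binaries, and the RDP registry change) can be hunted for on a single Windows host from the event log. The script below is an example added to this page, not code from Trend Micro, from the article, or from the attackers’ toolkit. The driver and loader file names are the ones given above; the 30-day look-back window and the “user-writable path” heuristic are assumptions. The Sysmon check only fires where Sysmon is installed, and the 4688 command line is only present when command-line auditing is enabled.

```powershell
# Added example: hunt for the BYOVD process-killer chain described above.
# File names come from the article; the look-back window and the
# user-writable-path heuristic are assumptions for this example.
param(
    [int]      $LookbackDays       = 30,
    [string[]] $SuspectDriverNames = @('ThrottleBlood.sys'),
    [string[]] $SuspectLoaderNames = @('All.exe', 'Allpatch2.exe', 'PowerRun.exe')
)

$since    = (Get-Date).AddDays(-$LookbackDays)
$findings = [System.Collections.Generic.List[object]]::new()
$userPath = '\\Users\\|\\Temp\\|\\ProgramData\\'   # kernel drivers never belong here

function Get-EventField($Record, [string]$Name) {
    # Pull one named EventData field out of the event's XML rendering.
    $data = ([xml]$Record.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Add-Finding([string]$Source, [datetime]$Time, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Time = $Time; Source = $Source; Detail = $Detail })
}

# 1. System 7045 (Service Control Manager): a new service was registered. A
#    "kernel mode driver" whose ImagePath sits under a user profile is exactly
#    what "All.exe install ThrottleBlood.sys" leaves behind.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $type   = Get-EventField $_ 'ServiceType'
        $path   = Get-EventField $_ 'ImagePath'
        $name   = Get-EventField $_ 'ServiceName'
        $byName = $SuspectDriverNames | Where-Object { $path -like "*$_" }
        if ($type -match 'kernel' -and ($path -match $userPath -or $byName)) {
            Add-Finding '7045 driver service' $_.TimeCreated "$name -> $path"
        }
    }

# 2. Sysmon 6 (DriverLoad): the driver actually entered the kernel. A valid
#    signature is expected here; that is the whole point of the technique.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $img    = Get-EventField $_ 'ImageLoaded'
        $sig    = Get-EventField $_ 'Signature'
        $byName = $SuspectDriverNames | Where-Object { $img -like "*$_" }
        if ($img -match $userPath -or $byName) {
            Add-Finding 'Sysmon 6 driver load' $_.TimeCreated "$img (signer: $sig)"
        }
    }

# 3. Security 4688 (process creation): the loaders, the PowerRun elevation and
#    the taskkill sweep against backup/security agents.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-EventField $_ 'NewProcessName'
        $cmd  = Get-EventField $_ 'CommandLine'
        $hit  = $SuspectLoaderNames | Where-Object { $proc -like "*\$_" -or $cmd -match [regex]::Escape($_) }
        if ($hit -or ($cmd -match 'taskkill.*(Veeam|avagent)')) {
            Add-Finding '4688 process' $_.TimeCreated "$proc $cmd"
        }
    }

# 4. Current state rather than history: RDP enabled via the registry
#    (fDenyTSConnections = 0), one of the changes made after elevation.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    Add-Finding 'registry' (Get-Date) 'RDP is enabled (fDenyTSConnections = 0); confirm this is expected on this host'
}

$findings | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Save it as a .ps1 and run it from an elevated PowerShell session, since the Security log and Sysmon channel require administrative rights. The 7045 check is the most portable of the four: it needs no extra tooling, and a driver service pointing into a Downloads folder has essentially no benign explanation.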

Recommendations for Mitigation

To defend against such sophisticated attacks, organizations should implement the following measures:

1. Regularly Update and Patch Systems: Keep internet-facing services and security tools current, since exposed services and stolen credentials are the suspected entry points. Note that patching alone does not stop the driver abuse described above: ThrottleBlood.sys loads because it carries a valid signature, so blocking it is a matter of driver policy (item 3), not of missing updates.

2. Monitor for Unauthorized GPO Changes: Audit Group Policy Objects for unexpected modifications, paying attention to changed modification times and owners, newly added startup or logon scripts and immediate scheduled tasks, and new executables written to the SYSVOL or NETLOGON shares. Enabling Directory Service Changes auditing on domain controllers (Security event 5136) records who changed which GPO attribute.

3. Block Known-Vulnerable Drivers: Limiting driver installation to administrators is not enough, because the attackers already hold administrative rights when they load ThrottleBlood.sys. Enable hypervisor-protected code integrity (HVCI) and Microsoft’s vulnerable driver blocklist, or enforce a WDAC policy that includes Microsoft’s recommended driver block rules, and alert on kernel drivers registered from user-writable paths such as a Downloads folder (System event 7045, Sysmon event 6).

4. Implement Network Segmentation: Divide networks into segments to contain potential breaches and limit lateral movement by attackers.

5. Conduct Regular Security Training and Harden Remote Access: Educate employees on recognizing phishing and other common initial-access vectors, and enforce multi-factor authentication on every remote-access and administrative interface, since compromised credentials are among the entry points observed.
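Recommendations 2 and 3 are the ones that most directly break the chain described above, and both can be checked from a domain-joined administrative workstation. The script below is an example added to this page of what such an audit looks like; it is not Trend Micro’s or the article’s code. It needs the RSAT GroupPolicy module and a domain-joined host, and the seven-day window, the keyword heuristics applied to the GPO XML report and the list of executable file types are assumptions.

```powershell
# Added example: audit Group Policy and the NETLOGON share for the deployment
# pattern described above, then check whether this host would load a
# signed-but-vulnerable driver. The window and heuristics are assumptions.
param([int]$LookbackDays = 7)

Import-Module GroupPolicy -ErrorAction Stop          # RSAT: Group Policy Management
$since  = (Get-Date).AddDays(-$LookbackDays)
$domain = $env:USERDNSDOMAIN                         # requires a domain-joined host
$report = [System.Collections.Generic.List[object]]::new()

function Add-Row([string]$Check, [string]$Name, $Changed, [string]$Flags) {
    $report.Add([pscustomobject]@{ Check = $Check; Name = $Name; Changed = $Changed; Flags = $Flags })
}

# Recommendation 2a: recently modified GPOs, flagged for the settings an operator
# uses for mass deployment. The string matches on the XML report are heuristics.
Get-GPO -All -Domain $domain | Where-Object { $_.ModificationTime -ge $since } | ForEach-Object {
    $xml   = Get-GPOReport -Guid $_.Id -ReportType Xml -Domain $domain
    $flags = @()
    if ($xml -match 'ImmediateTask')                     { $flags += 'immediate scheduled task' }
    if ($xml -match '<q\d+:Script>')                     { $flags += 'startup/logon script' }
    if ($xml -match '\\\\[^\s"<]+\\(NETLOGON|SYSVOL)\\') { $flags += 'references NETLOGON/SYSVOL' }
    Add-Row 'GPO' "$($_.DisplayName) (owner: $($_.Owner))" $_.ModificationTime ($flags -join '; ')
}

# Recommendation 2b: executable content that appeared in NETLOGON recently. The
# share is replicated to every domain controller and readable by every domain
# member, which is what makes it a convenient staging point for a payload.
Get-ChildItem -Path "\\$domain\NETLOGON" -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since -and $_.Extension -match '^\.(exe|dll|sys|bat|cmd|ps1|vbs|msi)$' } |
    ForEach-Object {
        $sig = (Get-AuthenticodeSignature $_.FullName).Status
        Add-Row 'NETLOGON' $_.FullName $_.LastWriteTime "new/changed executable content; signature: $sig"
    }

# Recommendation 3: would this host load a signed-but-vulnerable driver? Either
# running HVCI (SecurityServicesRunning contains 2) or the explicit registry
# switch enforces Microsoft's vulnerable driver blocklist. With both off, any
# validly signed driver loads, which is all the technique above needs.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$ci = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
$hvci      = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
$blocklist = [bool]($ci -and $ci.VulnerableDriverBlocklistEnable -eq 1)
Add-Row 'DriverBlocklist' $env:COMPUTERNAME (Get-Date) "HVCI running: $hvci; VulnerableDriverBlocklistEnable: $blocklist"
if (-not ($hvci -or $blocklist)) {
    Write-Warning "$env:COMPUTERNAME will load any validly signed driver. Enable HVCI (Core isolation > Memory integrity) or set VulnerableDriverBlocklistEnable = 1 under HKLM\SYSTEM\CurrentControlSet\Control\CI\Config (reboot required)."
}

$report | Sort-Object Check, Changed | Format-Table -AutoSize -Wrap
```

Save it as a .ps1 and run it from an elevated session; the GPO and NETLOGON checks need domain read access, the driver-policy check needs local administrator rights. The blocklist section reports on the host it runs on, so in practice it is pushed to endpoints through the same Group Policy or configuration-management channel you are auditing, which also means a GPO change that turns it off should itself show up in the first section.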

By adopting these proactive measures, organizations can enhance their resilience against advanced ransomware threats like those posed by The Gentlemen.