Exposed Server Unveils TheGentlemen Ransomware Toolkit and Victim Data
A recent discovery has shed light on the operational methods of TheGentlemen ransomware group. An unsecured server, hosted by a Russian bulletproof hosting provider, was found to contain the complete toolkit of a TheGentlemen affiliate. This exposure includes not only the tools used in their attacks but also sensitive data such as victim credentials and plaintext authentication tokens utilized for establishing concealed remote access tunnels.
TheGentlemen Ransomware Group Overview
Operating as a Ransomware-as-a-Service (RaaS) entity, TheGentlemen group enables affiliates to execute attacks using shared tools and infrastructure. Their operations have targeted organizations across the Americas, Europe, and the Middle East, affecting Windows, Linux, and ESXi environments. Notably, their attack strategy is characterized by rapid progression from initial access to full encryption, often within mere hours.
Details of the Exposed Server
The server in question was identified at IP address 176.120.22[.]127, operating over port 80 on Proton66 OOO infrastructure. This autonomous system has a history linked to various malicious campaigns, including those involving SuperBlack ransomware, WeaXor, and XWorm. The server’s directory comprised 126 files across 18 subdirectories, totaling approximately 140 megabytes of operational material.
Hunt.io analysts discovered this open directory on March 12, 2026, while investigating indicators of compromise related to TheGentlemen ransomware group. The server had been active for at least 24 days prior to this analysis.
Contents of the Server
The exposed server contained a variety of malicious scripts and tools, categorized into two primary types:
1. Exploit Scripts: These scripts are designed to alter security settings and escalate privileges.
2. Configuration Scripts: These contain sensitive authentication tokens and other configuration data.
Automated analysis of these scripts revealed functionalities such as credential dumping routines, disabling of Windows Defender, clearing of event logs, setting up ngrok tunnels, and establishing persistence mechanisms.
Pre-Ransomware Deployment Script: z1.bat
Among the files, the most operationally revealing is a batch script named z1.bat. This 35-kilobyte script consolidates nearly every pre-encryption preparation step into a single execution, designed to run immediately before deploying ransomware.
The script initiates by systematically disabling services associated with numerous security vendors, including Sophos, Kaspersky, Trend Micro, McAfee, ESET, Webroot, AVG, Malwarebytes, Panda, and Quick Heal. It extends this process to enterprise applications such as Microsoft Exchange services, Oracle databases, MySQL, various Tomcat versions, Veeam backup infrastructure, and Hyper-V. By stopping these services, the script ensures maximum encryption coverage across critical systems.
Additionally, z1.bat performs a comprehensive registry purge targeting security product entries from nearly 20 vendors. It also creates open SMB shares on multiple drive letters, granting full access to all users, thereby facilitating the spread of ransomware across the network.
Implications and Recommendations
The exposure of this server provides a rare insight into the operational tactics of TheGentlemen ransomware group. The presence of victim credentials and authentication tokens indicates that these tools have been actively deployed in real-world attacks.
Organizations are advised to implement robust security measures, including regular system updates, employee training, and advanced threat detection systems. Monitoring for unusual activities, such as unexpected service terminations or unauthorized access attempts, can help in early detection of such sophisticated attacks.
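The two z1.bat behaviours described above, mass stopping of security-vendor services and creation of shares open to all users, are exactly the kind of "unusual activity" a detection rule can key on. The following is an added example, not code from the article or from Hunt.io: a small Python detector run over constructed, simplified log records (the line format and the permission text are assumed for illustration and are not the real Windows event wording). It flags a host where several security-product services stop within a short window, and any share creation that grants Everyone full access.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Vendor name fragments taken from the article's list; loose substring matching,
# so tune for your own service naming before using in production.
SECURITY_VENDORS = ("sophos", "kaspersky", "trend micro", "mcafee", "eset",
                    "webroot", "avg", "malwarebytes", "panda", "quick heal")

# Constructed sample records: "<ISO time> <host> <event id> <message>".
# This simplified format is an assumption for the example, not the real event text.
SAMPLE_LOG = [
    "2026-03-12T02:14:01 HOST1 7036 The Sophos Anti-Virus service entered the stopped state.",
    "2026-03-12T02:14:02 HOST1 7036 The Kaspersky Security service entered the stopped state.",
    "2026-03-12T02:14:03 HOST1 7036 The Malwarebytes Service entered the stopped state.",
    "2026-03-12T02:14:04 HOST1 7036 The Print Spooler service entered the stopped state.",
    "2026-03-12T02:14:09 HOST1 5142 A network share object was added. Share Name: D Permissions: Everyone:Full",
    "2026-03-12T09:30:00 HOST2 7036 The ESET Service service entered the stopped state.",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (.*)$")

def parse(lines):
    """Yield (timestamp, host, event_id, message) for each well-formed record."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3)), m.group(4)

def is_security_service_stop(event_id, msg):
    """7036 'stopped state' message naming one of the listed security vendors."""
    return event_id == 7036 and "stopped state" in msg and \
        any(v in msg.lower() for v in SECURITY_VENDORS)

def detect(log, window=timedelta(minutes=5), min_stops=3):
    """Return a list of (host, reason) alerts in the order they fire."""
    stops = defaultdict(list)   # host -> timestamps of recent security-service stops
    alerts = []
    for ts, host, eid, msg in parse(log):
        if is_security_service_stop(eid, msg):
            # Keep only stops inside the sliding window, fire once at the threshold.
            stops[host] = [t for t in stops[host] if ts - t <= window] + [ts]
            if len(stops[host]) == min_stops:
                alerts.append((host, f"{min_stops} security services stopped within {window}"))
        elif eid == 5142 and "everyone" in msg.lower() and "full" in msg.lower():
            # Open share granting all users full access, as z1.bat is described to create.
            alerts.append((host, "new share granting Everyone full access"))
    return alerts

if __name__ == "__main__":
    for host, reason in detect(SAMPLE_LOG):
        print(f"ALERT {host}: {reason}")
```

HOST2 produces no alert because a single ESET stop is below the threshold; the burst on HOST1 and its open share each fire once.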
Furthermore, the use of legitimate tools like ngrok for malicious purposes underscores the need for vigilant monitoring of all software and services within an organization’s network.