TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Trend Micro Research

Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed

Junestherry Dela Cruz · 2025-09-09

ATT&CK techniques detected

39 predictions
T1489 Service Stop
100%
“…writer, backupexecagentaccelerator, backupexecvssprovider, pdvfsservice, sqlserveragent, wsbexchange, msexchange\$, msexchange, sophos, msexchange, docker, mssqlserver, mssql*, sql, vss, backup, veeam, memtas, mepocs, vmms. further, the threat systematically terminates proces…”
T1486 Data Encrypted for Impact
99%
“- vssadmin delete shadows /all /quiet. for final cleanup, the ransomware drops a batch script named after itself (e.g., {filename}.exe.bat). this script pings the local host for a brief delay, deletes the ransomware binary, and then deletes itself. this ensures comprehens…”
T1486 Data Encrypted for Impact
99%
“august 2025, we investigated a new ransomware campaign orchestrated by the gentlemen, an emerging and previously undocumented threat group. this threat actor quickly established itself within the threat landscape by demonstrating advanced capabilities through their systematic com…”
T1486 Data Encrypted for Impact
99%
“unmasking the gentlemen ransomware: tactics, techniques, and procedures revealed. key takeaways - the gentlemen ransomware group launched a campaign involving advanced, highly tailored tools specifically designed to bypass enterprise endpoint protections. - the campaign leveraged…”
T1059.001 PowerShell
99%
“c:\windows\system32\gpme.msc" /s /gpobject:"ldap://<redacted>/cn=<redacted>,cn=policies,cn=system,dc=<redacted>,dc=local" the attacker also executed encoded powershell to identify critical domain infrastructure, with a particular focus on the primary d…”
T1486 Data Encrypted for Impact
99%
“…wall set service type=remotedesktop mode=enable. overall, the campaign highlights the threat actors' understanding of enterprise security architectures, demonstrated through adaptive countermeasures specifically tailored to overcome deployed security solutions, systematic data …”
T1068 Exploitation for Privilege Escalation
99%
“user fortigate /dom - group "domain admins" /dom - group "enterprise admins" /dom - localgroup __vmware__ - localgroup administrators - [additional net user commands] they also demonstrated extensive environmental awareness by querying local groups, including standar…”
T1486 Data Encrypted for Impact
98%
“encrypt: the gentlemen's tailored ransomware campaign - trend vision one intelligence reports (ioc sweeping) - dressed to encrypt: the gentlemen's tailored ransomware campaign. hunting queries: trend vision one customers can use the search app to match or hunt the malicious…”
T1486 Data Encrypted for Impact
97%
“…es for the defenses they encounter. this approach represents a shift from opportunistic attacks; through systematic analysis of security software documentation, the threat actors combine this knowledge with the abuse of legitimate tools and vulnerable drivers to deploy environ…”
T1486 Data Encrypted for Impact
95%
“: - c:\programdata\data\internal\summary<redacted> → "c:\programdata\winscp.exe" the choice of winscp suggests the attackers prioritized operational security, using encrypted channels to avoid detection by network monitoring solutions. impact: the ransomware wa…”
T1219 Remote Access Tools
93%
“registry settings that govern authentication and remote access protocols: - reg add hkey_local_machine\system\currentcontrolset\control\lsa\msv1_0 /v restrictsendingntlmtraffic /t reg_dword /d 0 /f - reg add hklm\system\currentcontrolset\control\lsa…”
T1070.004 File Deletion
86%
“.exe, sqlbrowser.exe, w3wp.exe, sql.exe, isqlplussvc.exe, infopath.exe, firefox.exe, excel.exe, encsvc.exe, ssms.exe, dbeaver.exe, sqlservr.exe, dbsnmp.exe, dbeng50.exe, agntsvc.exe, vmcompute.exe, vmwp.exe, vmms.exe. beyond service and process termination, the r…”
T1490 Inhibit System Recovery
85%
“deletes windows defender support files: cmd /c "del /f /q c:\programdata\microsoft\windows defender\support\*.*" - deletes prefetch files: cmd /c "del /f /q c:\windows\prefetch\*.*" - adds c:\ to windows defender exclusion path: powershell -com…”
T1080 Taint Shared Content
85%
“august 2025, we investigated a new ransomware campaign orchestrated by the gentlemen, an emerging and previously undocumented threat group. this threat actor quickly established itself within the threat landscape by demonstrating advanced capabilities through their systematic com…”
T1219 Remote Access Tools
84%
“august 2025, we investigated a new ransomware campaign orchestrated by the gentlemen, an emerging and previously undocumented threat group. this threat actor quickly established itself within the threat landscape by demonstrating advanced capabilities through their systematic com…”
T1569.002 Service Execution
82%
“…e, xfssvccon.exe, wordpad.exe, winword.exe, visio.exe, thunderbird.exe, thebat.exe, iperius.exe, psql.exe, postgres.exe, tbirdconfig.exe, synctime.exe, steam.exe, sqbcoreservice.exe, powerpnt.exe, cbvscservice11.exe, postmaster.exe, mysqld.exe, outlook.exe, or…”
T1078 Valid Accounts
73%
“significant risk this threat actor poses to organizations. their campaign illustrates the growing trend among ransomware operators to move beyond “one-size-fits-all” methods and toward highly customized attacks, raising the bar for detection, prevention, and incident resp…”
T1080 Taint Shared Content
69%
“…wall set service type=remotedesktop mode=enable. overall, the campaign highlights the threat actors' understanding of enterprise security architectures, demonstrated through adaptive countermeasures specifically tailored to overcome deployed security solutions, systematic data …”
T1486 Data Encrypted for Impact
65%
“.exe, sqlbrowser.exe, w3wp.exe, sql.exe, isqlplussvc.exe, infopath.exe, firefox.exe, excel.exe, encsvc.exe, ssms.exe, dbeaver.exe, sqlservr.exe, dbsnmp.exe, dbeng50.exe, agntsvc.exe, vmcompute.exe, vmwp.exe, vmms.exe. beyond service and process termination, the r…”
T1685 Disable or Modify Tools
64%
“deletes windows defender support files: cmd /c "del /f /q c:\programdata\microsoft\windows defender\support\*.*" - deletes prefetch files: cmd /c "del /f /q c:\windows\prefetch\*.*" - adds c:\ to windows defender exclusion path: powershell -com…”
T1048 Exfiltration Over Alternative Protocol
59%
“the broader context of the compromise, however, these connections warrant scrutiny: - c:\windows\system32\davclnt.dll,davsetcookie <ip address> http://\<redacted>// - c:\windows\system32\davclnt.dll,davsetcookie <ip address> http://\<redacted…”
T1490 Inhibit System Recovery
58%
“.exe, sqlbrowser.exe, w3wp.exe, sql.exe, isqlplussvc.exe, infopath.exe, firefox.exe, excel.exe, encsvc.exe, ssms.exe, dbeaver.exe, sqlservr.exe, dbsnmp.exe, dbeng50.exe, agntsvc.exe, vmcompute.exe, vmwp.exe, vmms.exe. beyond service and process termination, the r…”
T1080 Taint Shared Content
56%
“unmasking the gentlemen ransomware: tactics, techniques, and procedures revealed. key takeaways - the gentlemen ransomware group launched a campaign involving advanced, highly tailored tools specifically designed to bypass enterprise endpoint protections. - the campaign leveraged…”
T1490 Inhibit System Recovery
56%
“- vssadmin delete shadows /all /quiet. for final cleanup, the ransomware drops a batch script named after itself (e.g., {filename}.exe.bat). this script pings the local host for a brief delay, deletes the ransomware binary, and then deletes itself. this ensures comprehens…”
T1585.002 Email Accounts
53%
“…es for the defenses they encounter. this approach represents a shift from opportunistic attacks; through systematic analysis of security software documentation, the threat actors combine this knowledge with the abuse of legitimate tools and vulnerable drivers to deploy environ…”
T1074.001 Local Data Staging
53%
“-nop -w 1 -enc 1>\windows\temp\ihqbej 2>&1 → get-addomain | select-object pdcemulator. this level of active directory manipulation indicates preparation for domain-wide ransomware deployment or the establishment of persistent backdoor installation through gpo ab…”
T1486 Data Encrypted for Impact
51%
“significant risk this threat actor poses to organizations. their campaign illustrates the growing trend among ransomware operators to move beyond “one-size-fits-all” methods and toward highly customized attacks, raising the bar for detection, prevention, and incident resp…”
T1585.002 Email Accounts
51%
“unmasking the gentlemen ransomware: tactics, techniques, and procedures revealed. key takeaways - the gentlemen ransomware group launched a campaign involving advanced, highly tailored tools specifically designed to bypass enterprise endpoint protections. - the campaign leveraged…”
T1679 Selective Exclusion
50%
“…wall set service type=remotedesktop mode=enable. overall, the campaign highlights the threat actors' understanding of enterprise security architectures, demonstrated through adaptive countermeasures specifically tailored to overcome deployed security solutions, systematic data …”
T1657 Financial Theft
43%
“unmasking the gentlemen ransomware: tactics, techniques, and procedures revealed. key takeaways - the gentlemen ransomware group launched a campaign involving advanced, highly tailored tools specifically designed to bypass enterprise endpoint protections. - the campaign leveraged…”
T1080 Taint Shared Content
40%
“- vssadmin delete shadows /all /quiet. for final cleanup, the ransomware drops a batch script named after itself (e.g., {filename}.exe.bat). this script pings the local host for a brief delay, deletes the ransomware binary, and then deletes itself. this ensures comprehens…”
T1486 Data Encrypted for Impact
37%
“, particularly vpn concentrators and firewalls that the gentlemen has been observed targeting. essential access controls and monitoring include: - restricting domain controller share access and alerting on unauthorized netlogon modifications - auto-isolating devices showing in…”
T1219.002 Remote Desktop Software
34%
“registry settings that govern authentication and remote access protocols: - reg add hkey_local_machine\system\currentcontrolset\control\lsa\msv1_0 /v restrictsendingntlmtraffic /t reg_dword /d 0 /f - reg add hklm\system\currentcontrolset\control\lsa…”
T1219 Remote Access Tools
33%
“, particularly vpn concentrators and firewalls that the gentlemen has been observed targeting. essential access controls and monitoring include: - restricting domain controller share access and alerting on unauthorized netlogon modifications - auto-isolating devices showing in…”
T1021.001 Remote Desktop Protocol
33%
“registry settings that govern authentication and remote access protocols: - reg add hkey_local_machine\system\currentcontrolset\control\lsa\msv1_0 /v restrictsendingntlmtraffic /t reg_dword /d 0 /f - reg add hklm\system\currentcontrolset\control\lsa…”
T1485 Data Destruction
33%
“.exe, sqlbrowser.exe, w3wp.exe, sql.exe, isqlplussvc.exe, infopath.exe, firefox.exe, excel.exe, encsvc.exe, ssms.exe, dbeaver.exe, sqlservr.exe, dbsnmp.exe, dbeng50.exe, agntsvc.exe, vmcompute.exe, vmwp.exe, vmms.exe. beyond service and process termination, the r…”
T1080 Taint Shared Content
32%
“: - c:\programdata\data\internal\summary<redacted> → "c:\programdata\winscp.exe" the choice of winscp suggests the attackers prioritized operational security, using encrypted channels to avoid detection by network monitoring solutions. impact: the ransomware wa…”
T1657 Financial Theft
30%
“- vssadmin delete shadows /all /quiet. for final cleanup, the ransomware drops a batch script named after itself (e.g., {filename}.exe.bat). this script pings the local host for a brief delay, deletes the ransomware binary, and then deletes itself. this ensures comprehens…”
T1657 Financial Theft
30%
“…es for the defenses they encounter. this approach represents a shift from opportunistic attacks; through systematic analysis of security software documentation, the threat actors combine this knowledge with the abuse of legitimate tools and vulnerable drivers to deploy environ…”

Summary

An analysis of the Gentlemen ransomware group, which employs advanced, adaptive tactics, techniques, and procedures to target critical industries worldwide.