Full Report
Unit 42 explores The Gentlemen ransomware operations, revealing the affiliate model driving its rapid growth. Learn more here. The post No Manners Here: The Ruthless Rise of The Gentlemen Ransomware appeared first on Unit 42.
Analysis Summary
# Threat Actor: The Gentlemen (The Gentlemen Group)
## Attribution & Identity
- **Actor Name:** The Gentlemen (also referred to as The Gentlemen Group).
- **Identity:** A sophisticated Ransomware-as-a-Service (RaaS) operation that functions through an affiliate model.
- **Aliases/Associations:**
- Strong technical and operational links to the **LockBit** ecosystem (specifically using leaked LockBit 3.0/Black builders).
- Potential overlaps with **Scattered Spider** (UNC3944) due to similarities in social engineering and data extortion techniques.
- Linked to the "Ransomed.vc" group through shared infrastructure or branding transitions.
## Activity Summary
The Gentlemen emerged as a prominent threat in late 2023 and early 2024. They are characterized by a high-pressure extortion model and a rapid pace of operations. Unlike traditional "quiet" actors, they utilize aggressive public branding on leak sites to shame victims. Recent campaigns involve the deployment of customized LockBit 3.0 ransomware variants and the utilization of "double extortion" (encryption combined with data theft).
## Tactics, Techniques & Procedures
- **Initial Access:** Heavy reliance on social engineering, SMS phishing (Smishing), and exploiting known vulnerabilities in public-facing applications (e.g., Citrix, Ivanti).
- **Lateral Movement:** Use of legitimate remote management tools (RMM) and credential harvesting from memory using Mimikatz.
- **Persistence:** Creation of new administrative accounts and deployment of AnyDesk or ScreenConnect for persistent remote access.
- **Defense Evasion:** Use of Living-off-the-Land (LotL) binaries and scripts to disable EDR/AV solutions prior to encryption.
- **Data Exfiltration:** Utilization of Rclone or MegaSync to move data to cloud storage before triggering the ransomware.
- **Extortion:** Implementation of "Triple Extortion" in some cases (Encryption, Data Leak, and DDoS or direct harassment of employees/clients).
**MITRE ATT&CK Mapping:**
- T1566 (Phishing)
- T1078 (Valid Accounts)
- T1021.001 (Remote Desktop Protocol)
- T1486 (Data Encrypted for Impact)
- T1567.002 (Exfiltration to Cloud Storage)
## Targeting
- **Sectors:** Heavily focused on Critical Infrastructure, Healthcare, Finance, and Education.
- **Geography:** Global operations with a primary concentration on North America (USA, Canada) and Western Europe (UK, Germany).
- **Victims:** While specific names are often cycle-dependent on their leak site, they have targeted municipal governments and mid-to-large scale private enterprises globally.
## Tools & Infrastructure
- **Malware:**
- **LockBit 3.0 (Black):** The primary encryption engine used by the group.
- **SystemBC:** Used for proxying network traffic.
- **Mimikatz:** For credential theft.
- **Infrastructure:**
- **C2:** Known to use Cobalt Strike Beacons.
- **Leaking Sites:** thegentlemen[.]sh (Defanged), thegentlemen[.]top (Defanged), and dedicated onion addresses for negotiation.
- **Cloud Storage:** mega[.]nz, dropbox[.]com (used for exfiltration).
## Implications
The rise of The Gentlemen signifies a lowering of the barrier to entry for high-impact ransomware attacks due to the leakage of LockBit's builder. Their "ruthless" approach—characterized by aggressive harassment of victim employees—suggests a shift toward more psychological tactics to ensure payment. Their ability to recruit affiliates from disbanded or fractured groups (like those from the original LockBit or BlackCat) makes them a highly volatile and persistent threat.
## Mitigations
- **Phishing Defense:** Implement robust SMS filtering and employee awareness training focusing on sophisticated social engineering.
- **Access Control:** Enforce strict Multi-Factor Authentication (MFA), specifically FIDO2-compliant hardware keys to resist session hijacking.
- **Vulnerability Management:** Prioritize patching of external-facing VPNs and gateways (specifically Citrix and Ivanti products).
- **Endpoint Security:** Deploy EDR with "Tamper Protection" enabled to prevent the actor from killing security processes.
- **Network Segmentation:** Isolate critical data backups and limit lateral movement through strict internal firewalls.