Kaspersky researchers analyze incidents related to The Gentlemen RaaS group, disclose their tools and TTPs, and find a new ransomware variant.
Analysis Summary
# Threat Actor: The Gentlemen
## Attribution & Identity
**The Gentlemen** is a Ransomware-as-a-Service (RaaS) group. While specific individual attribution is not provided, the group is identified as a developer and distributor of a relatively new ransomware strain.
- **Aliases:** N/A
- **Known Associations:** The group’s tactics and code base show similarities to modern RaaS operations, but it is currently characterized as a distinct emerging entity.
## Activity Summary
The group was identified by Kaspersky researchers through the analysis of several successful incidents. Their recent operations involve a multi-stage infection chain where they deploy a bespoke ransomware variant designed to encrypt corporate data and demand payment in cryptocurrency. They focus on internal network lateral movement before the final deployment of the payload.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploitation of exposed services and RDP brute-forcing.
- **Credential Access:** Dumping credentials from memory using tools like Mimikatz **[T1003]**.
- **Lateral Movement:** Use of RDP and SMB to traverse the network **[T1021]**.
- **Defense Evasion:**
  - Disabling security software via PowerShell scripts **[T1562.001]**.
  - Clearing Windows event logs to hide traces of activity **[T1070.001]**.
- **Data Encrypted for Impact:** Deploying the "Gentlemen" ransomware variant, which appends a specific extension to encrypted files and drops a ransom note **[T1486]**.
## Targeting
- **Sectors:** Private sector enterprises (general industrial/corporate focus).
- **Geography:** Global, though specific focuses were noted in regions where legacy Windows systems remain prevalent.
- **Victims:** Specific organizations were not named in the report to maintain victim confidentiality.
## Tools & Infrastructure
- **Malware families:**
  - **Gentlemen Ransomware:** A new variant analyzed by researchers.
  - **Mimikatz:** Used for credential harvesting.
  - **AnyDesk/ScreenConnect:** Legitimate remote desktop tools used for persistence and control.
- **Infrastructure:**
  - Deployment of scripts through local administrative shares.
  - C2 communications often utilize legitimate cloud services to blend with normal traffic.
- **Domains/IPs:** No public domains or IP addresses are listed; the specific IoCs in the research are defanged IP addresses used for lateral staging, typically on local or VPN address ranges.
## Implications
The emergence of "The Gentlemen" indicates a diversifying RaaS market where new players are adopting proven TTPs from larger, established groups. Their ability to successfully navigate corporate networks and disable security products suggests a high level of technical competency. This group poses a significant threat to medium-to-large enterprises with inconsistent patch management or exposed remote access services.
## Mitigations
- **Multi-Factor Authentication (MFA):** Enforce MFA on all remote access points, particularly RDP and VPNs.
- **Network Segmentation:** Implement strict segmentation to prevent lateral movement from compromised endpoints to critical servers.
- **Endpoint Protection:** Use EDR/XDR solutions with tamper-protection enabled to prevent the actor from disabling security services.
- **Log Monitoring:** Centralize logs and monitor for unauthorized use of administrative tools (e.g., Mimikatz, PowerShell) and the clearing of Windows Event Logs.
- **Offline Backups:** Maintain immutable, offline backups to ensure recovery without paying ransoms.
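The log-monitoring mitigation above can be turned into a concrete detection for two of the Defense Evasion techniques described (AV tampering via PowerShell, T1562.001, and clearing of Windows event logs, T1070.001). The following is an added example, not code from the Kaspersky report; it assumes event records exported as JSON lines with `Time`, `Host`, `Channel`, `EventID`, `Subject` and (for script blocks) `ScriptBlockText` fields, and the sample records are constructed, not real telemetry.

```python
import json
from datetime import datetime, timedelta

# Windows events that record the clearing of an event log (T1070.001).
LOG_CLEARED = {("Security", 1102): "Security audit log cleared",
               ("System", 104): "System event log cleared"}
# Markers in PowerShell script-block logging (event 4104) for tampering with
# the built-in AV (T1562.001). Deliberately short; extend from your own content.
AV_TAMPER_MARKERS = ("DisableRealtimeMonitoring", "DisableIOAVProtection")
PS_CHANNEL = "Microsoft-Windows-PowerShell/Operational"

# Constructed sample records in the shape of exported event-log JSON (not real data).
SAMPLE_EVENTS_JSONL = """\
{"Time": "2024-05-01T02:10:05", "Host": "srv-files01", "Channel": "Security", "EventID": 4624, "Subject": "jdoe"}
{"Time": "2024-05-01T02:12:40", "Host": "srv-files01", "Channel": "Microsoft-Windows-PowerShell/Operational", "EventID": 4104, "Subject": "jdoe", "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true"}
{"Time": "2024-05-01T02:14:02", "Host": "srv-files01", "Channel": "Security", "EventID": 1102, "Subject": "jdoe"}
{"Time": "2024-05-01T09:30:00", "Host": "wks-hr07", "Channel": "System", "EventID": 104, "Subject": "SYSTEM"}
"""


def detect(jsonl: str, window: timedelta = timedelta(minutes=30)) -> list:
    """Return alerts for AV tampering and log clearing; escalate a log clear to
    'critical' when the same host showed AV tampering within `window` before it."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    events.sort(key=lambda e: e["Time"])  # ISO-8601 strings sort chronologically
    alerts, last_tamper = [], {}  # last_tamper: host -> time of latest tamper event
    for ev in events:
        ts = datetime.fromisoformat(ev["Time"])
        host, key = ev["Host"], (ev.get("Channel"), ev.get("EventID"))
        if key == (PS_CHANNEL, 4104):
            text = ev.get("ScriptBlockText", "").lower()
            hits = [m for m in AV_TAMPER_MARKERS if m.lower() in text]
            if hits:
                last_tamper[host] = ts
                alerts.append({"host": host, "time": ev["Time"], "technique": "T1562.001",
                               "severity": "high",
                               "detail": "AV tamper marker(s): " + ", ".join(hits)})
        elif key in LOG_CLEARED:
            severity = "high"
            if host in last_tamper and ts - last_tamper[host] <= window:
                severity = "critical"  # tamper followed by log clear on one host
            alerts.append({"host": host, "time": ev["Time"], "technique": "T1070.001",
                           "severity": severity,
                           "detail": LOG_CLEARED[key] + " by " + ev.get("Subject", "?")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS_JSONL):
        print(alert)
```

The correlation step matters in practice: a single log-clear event is noisy on administrator workstations, but a log clear minutes after an AV-tampering script block on the same host is the exact sequence this group is described as using.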