TheGentleman operates a ransomware-as-a-service (RaaS) model and prioritizes the exploitation of remote-access vulnerabilities. The group uses Cobalt Strike for command and control (C2) and lateral movement, conducts double extortion (encrypting systems and exfiltrating sensitive data), and deletes backups to impede recovery. The resulting impact falls on business continuity and data integrity.
Chronology and Evolution
- Mid-2022: TheGentleman group emerges, initially employing Golang-based ransomware variants. This initial phase focused on testing access vectors, prioritizing exposed RDP exploitation. Operational impact was limited to small and medium-sized businesses.
- Early 2023: TheGentleman transitions to a RaaS model, recruiting affiliates via underground forums. This transition significantly expanded their reach. Adopting the RaaS model allowed the group to scale attacks, targeting larger, more lucrative organizations.
- Mid-2023: A shift in ransomware infrastructure is observed, with new variants including Linux and ESXi system support. This evolution enabled the group to impact virtual environments and critical databases. Operational impact extended to high-level business continuity.
- Late 2023: TheGentleman launches its dedicated leak site, ‘TheGentleman Dumps’, to enforce double extortion. This initiative increased pressure on victims to pay. Victim visibility on the leak site enhanced the group’s reputation among other threat actors.
- Early 2024: The adoption of new initial access tactics is documented, including targeted phishing campaigns with malicious documents. This shift in focus enabled evasion of more robust perimeter defenses. The sophistication of their social engineering methods improved initial compromise success rates.
Attack Summary
| Phase | Description |
|---|---|
| Initial Access | Gains initial access by exploiting vulnerabilities in VPN appliances and exposed RDP. Leverages CVEs such as CVE-2023-46805 in Fortinet or CVE-2022-22965 in Spring Cloud. |
| Credential Access | Once inside, the group uses Mimikatz to dump credentials from LSASS. They also deploy LaZagne to extract passwords from web browsers and FTP clients. |
| Persistence and Evasion | They establish persistence by creating new local or domain administrator accounts. They modify legitimate Windows services and scheduled tasks to execute persistent payloads. |
| Lateral Movement | The group employs PsExec and PowerShell Remoting to move laterally across the network. They use stolen credentials to access other systems via SMB and RDP. |
| Exfiltration | They collect sensitive data from file servers, databases, and SharePoint locations. Data is staged in temporary directories or compressed into password-protected ZIP files. |
| Encryption | Ransomware uses a combination of AES-256 for symmetric file encryption and RSA-4096 for the session key. Each encrypted file receives a unique AES key, which is then encrypted with a public RSA key. |
| Impact and Destruction | The group executes `vssadmin delete shadows` and `wmic shadowcopy delete` commands to remove all volume shadow copies. They disable recovery boot with `bcdedit /set {default} recoveryenabled No`. |
Initial Access
Gains initial access by exploiting vulnerabilities in VPN appliances and exposed RDP. Leverages CVEs such as CVE-2023-46805 in Fortinet or CVE-2022-22965 in Spring Cloud. Performs brute-force or credential stuffing attacks against public-facing internet services.
Credential Access
Identity compromise is core to TheGentleman operations. Threat actors typically perform LSASS dumping via tools like Mimikatz or Procdump, aiming to harvest cached credentials, NTLM hashes, Kerberos tickets, or browser-stored passwords. Active Directory enumeration is also frequently used to identify high-privilege targets.
They seek cleartext passwords from internal databases or local configuration files.
Persistence and Evasion
TheGentleman prioritizes stealthy persistence via scheduled tasks and the misuse of legitimate RMM tools.
They establish persistence by creating new local or domain administrator accounts. They modify legitimate Windows services and scheduled tasks to execute persistent payloads. They also manipulate Group Policies to disable security solutions.
Lateral Movement
The group employs PsExec and PowerShell Remoting to move laterally across the network, using stolen credentials to reach other systems via SMB and RDP. They also compromise ESXi hosts via SSH using stolen administrative credentials.
Exfiltration
They collect sensitive data from file servers, databases, and SharePoint locations. Data is staged in temporary directories or compressed into password-protected ZIP files. Rclone is used to transfer large volumes of data to cloud services like Mega or controlled SFTP servers.
Encryption
TheGentleman's encryptor implements a multithreaded hybrid scheme: files are encrypted with a symmetric algorithm such as AES-256 or ChaCha20, and the per-file key is wrapped with RSA-2048 or RSA-4096. Depending on the target platform (Windows, Linux, or VMware ESXi), variants use partial or otherwise optimized encryption modes with additional protection of the key-exchange material.
The ransomware avoids encrypting critical system files so that the host remains bootable and the ransom note can be read.
Impact and Destruction
The group executes `vssadmin delete shadows` and `wmic shadowcopy delete` commands to remove all volume shadow copies. They disable recovery boot with `bcdedit /set {default} recoveryenabled No`. They also delete network backups and virtual machine snapshots in ESXi environments, preventing data recovery without the decryptor.
Victims and Geography
Victims are primarily concentrated in North America and Western Europe. We observe attacks across sectors like manufacturing, healthcare, higher education, and financial services. Victim selection indicates a focus on profitability and access to sensitive data or critical infrastructure.
Sources
- Unit 42 by Palo Alto Networks: Ransomware Group Analysis
- SentinelOne Labs: Ransomware Trends
- BleepingComputer: Ransomware News
- CrowdStrike Blog: Threat Intelligence Updates
- Cisco Talos Intelligence: Advanced Threat Research
- Sophos Labs: Threat Research
Target Sectors
Sectors in which the TheGentleman group has concentrated its attacks.
- Manufacturing: They seek to disrupt supply chains and steal intellectual property. Design and production data are key targets. Operational disruption causes significant economic impact.
- Healthcare: Targeted due to service criticality and Protected Health Information (PHI). Service disruption can put lives at risk. Stolen medical records hold high value on the black market.
- Higher Education: Targeted for large volumes of research and personal data. Complex infrastructures are often less secure. Academic disruption and research data leaks are common impacts.
- Financial Services: Attacked for customer and transactional data, seeking high ransom payments. Operational disruption causes significant loss of trust. Access to financial information is extremely valuable.
- Government: Targeted for citizen information and disruption of public services. Government networks often have limited security resources. Disruption of essential services directly impacts the populace.
Detection & Response Rules
Rules ready to import into SentinelOne XDR. Contact us for full access to the updated repository.
Detects the execution of Mimikatz or similar tools for credential dumping from the LSASS process. Early detection is crucial to prevent lateral movement. Observing this activity suggests a credential theft attempt. The rule matches on the command line of the newly created process (the dumping tool); `lsass.exe` itself never carries these strings in its own command line, so a condition on `TgtProcName = 'lsass.exe'` would never fire.

```
EventType = 'Process Creation' AND (TgtProcCmdLine CONTAINS 'sekurlsa' OR (TgtProcCmdLine CONTAINS 'lsass' AND TgtProcCmdLine CONTAINS_ANY ('dump', '-ma')))
```
Identifies the execution of PsExec or the 'PSEXESVC' remote service on hosts. This activity can indicate lateral movement. Monitoring these processes is vital for containing propagation.

```
EventType = 'Process Creation' AND (TgtProcName = 'psexec.exe' OR TgtProcName = 'PSEXESVC.exe')
```
Alerts on the use of `vssadmin.exe`, `wmic.exe` or `bcdedit.exe` to delete volume shadow copies or disable Windows recovery (the commands listed under Impact and Destruction). This is a common step immediately before ransomware encryption. Detecting these commands gives responders a chance to act before recovery points are destroyed.

```
EventType = 'Process Creation' AND (TgtProcCmdLine CONTAINS 'vssadmin delete shadows' OR TgtProcCmdLine CONTAINS 'wmic shadowcopy delete' OR TgtProcCmdLine CONTAINS 'recoveryenabled No')
```
Detects Rclone execution with cloud upload parameters. This is a clear sign of data exfiltration. Monitoring Rclone prevents the leakage of sensitive information.

```
EventType = 'Process Creation' AND TgtProcName = 'rclone.exe' AND TgtProcCmdLine CONTAINS_ANY ('copy', 'sync', 'move') AND TgtProcCmdLine CONTAINS_ANY ('mega', 'dropbox', 's3', 'ftp')
```
Identifies the creation of new local user accounts and their addition to the local Administrators group via `net.exe` or `net1.exe` (`net1.exe` is frequently invoked directly to sidestep rules that match only `net.exe`). The group uses this to establish persistence. Reviewing account creation prevents unauthorized access.

```
EventType = 'Process Creation' AND (TgtProcName = 'net.exe' OR TgtProcName = 'net1.exe') AND ((TgtProcCmdLine CONTAINS 'user' AND TgtProcCmdLine CONTAINS '/add') OR (TgtProcCmdLine CONTAINS 'localgroup' AND TgtProcCmdLine CONTAINS 'administrators' AND TgtProcCmdLine CONTAINS '/add'))
```
Detects PowerShell commands attempting to disable Windows Defender real-time protection or add exclusions. This action often precedes ransomware deployment. Preventing AV tampering keeps defenses active. `Set-MpPreference` and `Add-MpPreference` also have legitimate administrative uses, so the rule additionally requires one of the tampering parameters to keep noise down.

```
EventType = 'Process Creation' AND (TgtProcName = 'powershell.exe' OR TgtProcName = 'pwsh.exe') AND TgtProcCmdLine CONTAINS_ANY ('Set-MpPreference', 'Add-MpPreference') AND TgtProcCmdLine CONTAINS_ANY ('DisableRealtimeMonitoring', 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension')
```
Alerts on SSH connections to ESXi hosts from endpoints that are not expected to manage them. The group uses SSH to execute encryption commands. Monitoring SSH access protects virtual infrastructure. Endpoint network telemetry only sees the connection, not the login outcome, so the "repeatedly failed logins" part of this detection must come from the ESXi host's own SSH authentication log rather than from this rule. `ESXI_HOST_IP` is a placeholder for your management addresses.

```
EventType = 'Network Connection' AND TgtPort = 22 AND TgtIpAddress = 'ESXI_HOST_IP' AND NetworkAction = 'Connected'
```
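The host-side half of that ESXi detection is an aggregation over the SSH authentication log rather than a single-event rule. The following is an added example, not from the original profile: it parses constructed log lines in OpenSSH's standard `Failed password` / `Accepted password` message format (that an ESXi host forwards them in this form over syslog is an assumption of the example), counts failures per source address inside a sliding time window, and separately flags a successful login that follows failures from the same source.

```python
"""Added example, not from the original profile: aggregate ESXi SSH authentication
log lines per source address, flag repeated failures inside a time window, and flag
a success that follows failures from the same source. Sample lines are constructed
in OpenSSH's standard message format; the hostname and addresses are made up."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SAMPLE_LOG = """\
2024-03-02T00:50:00Z esxi01 sshd[2100100]: Accepted password for root from 192.168.5.7 port 49000 ssh2
2024-03-02T01:05:00Z esxi01 sshd[2100200]: Failed password for invalid user admin from 10.20.30.41 port 50020 ssh2
2024-03-02T01:12:03Z esxi01 sshd[2100231]: Failed password for root from 10.20.30.40 port 50112 ssh2
2024-03-02T01:12:05Z esxi01 sshd[2100232]: Failed password for root from 10.20.30.40 port 50113 ssh2
2024-03-02T01:12:08Z esxi01 sshd[2100233]: Failed password for root from 10.20.30.40 port 50114 ssh2
2024-03-02T01:12:10Z esxi01 sshd[2100234]: Failed password for root from 10.20.30.40 port 50115 ssh2
2024-03-02T01:12:13Z esxi01 sshd[2100235]: Failed password for root from 10.20.30.40 port 50116 ssh2
2024-03-02T01:12:43Z esxi01 sshd[2100236]: Accepted password for root from 10.20.30.40 port 50117 ssh2
2024-03-02T01:30:00Z esxi01 sshd[2100300]: Failed password for root from 10.20.30.41 port 50021 ssh2
2024-03-02T01:30:01Z esxi01 sshd[2100300]: Connection closed by 10.20.30.41 port 50021 [preauth]
"""

# Matches only authentication-result lines; the optional "invalid user" prefix appears
# when the account does not exist on the host.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+ ssh2$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return a dict for auth-result lines; None for anything else (e.g. 'Connection closed')."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return d


def analyze(log_text: str, threshold: int = 5,
            window: timedelta = timedelta(seconds=60)) -> Dict[str, dict]:
    """Per source IP: failure count, accepted usernames, and the alerts raised."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    report: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e["ts"] for e in evs if e["result"] == "Failed"]
        alerts: List[str] = []
        # Sliding window: `threshold` consecutive failures whose first and last are <= window apart.
        for i in range(len(failures) - threshold + 1):
            if failures[i + threshold - 1] - failures[i] <= window:
                alerts.append("repeated_failures")
                break
        # A success after any failure from the same source is the higher-priority signal:
        # it is what a guessed or stolen credential looks like in this log.
        if failures and any(e["result"] == "Accepted" and e["ts"] > failures[0] for e in evs):
            alerts.append("success_after_failures")
        report[ip] = {
            "failures": len(failures),
            "accepted_users": sorted({e["user"] for e in evs if e["result"] == "Accepted"}),
            "alerts": alerts,
        }
    return report


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(f"{ip:<14} failures={info['failures']} accepted={info['accepted_users']} alerts={info['alerts']}")
```

With the defaults (5 failures within 60 seconds), `10.20.30.40` raises both alerts, `10.20.30.41` stays below the threshold, and the single accepted login from `192.168.5.7` is reported but not alerted; tune `threshold` and `window` to the management traffic you actually see, and treat any `success_after_failures` hit on an ESXi host as the trigger for an immediate credential reset.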