Overview and Recent Claimed Attacks
The Gentlemen is a ransomware group that emerged in 2025, marked by advanced tradecraft and highly targeted operations. The group employs customized tooling to evade enterprise defenses, combining the abuse of legitimate but vulnerable drivers, manipulation of Group Policy, and bespoke anti-antivirus utilities. Since its appearance, The Gentlemen has run campaigns against organizations in 17 countries, focusing on critical sectors such as manufacturing, construction, healthcare, and insurance. Within months, the group claimed dozens of successful attacks: as of September 2025 there were already 27 known victims globally (with clusters in Thailand and the U.S.), rising to 32 confirmed victims on their leak site by 2025‑09‑15. The latest incidents span Asia to Europe, including industrial operators and healthcare institutions. If ransoms are not paid, the group publishes stolen data on its darknet blog (double extortion). Their data leak site (DLS) on Tor features a clean, professional design with logo and motto, and exposes a public TOX ID for encrypted negotiations. This attention to OPSEC and branding points to a disciplined, detail‑oriented operation. The lack of prior history combined with a high victim count in a short time suggests either a rebrand of seasoned ransomware operators or a new, well‑funded criminal crew.
Group History and Interactions with Other Ransomware Groups
The Gentlemen entered the cybercrime scene in Q3 2025, launching a Tor leak site and starting coordinated victim disclosures. Forensic evidence indicates operations likely began earlier: several attacks later claimed on their DLS date back to mid‑2025, showing the gang was active before going public. In August 2025, Trend Micro researchers documented The Gentlemen campaign for the first time, highlighting mature capabilities reminiscent of experienced operators—fueling speculation of links with known crews. While there is no confirmation, The Gentlemen could be a revival of an existing group (e.g., splinters of ex‑Conti/Trickbot) or a new outfit founded by ransomware veterans.
So far, no explicit collaborations or direct conflicts with other ransomware gangs have surfaced. The Gentlemen appears to operate independently, using their own infrastructure and custom toolkit rather than renting malware. Some observed techniques—such as BYOVD (Bring Your Own Vulnerable Driver) to disable AV—mirror trends across recent ransomware families, indicating knowledge sharing in the cybercriminal ecosystem. For example, the legitimate driver ThrottleStop.sys (renamed ThrottleBlood.sys) abused to kill security processes had been discussed in underground circles, suggesting they track and integrate effective TTPs without formal alliances.
In short, The Gentlemen’s history is brief but intense: likely formed in early 2025, rapid ascent through summer 2025, and industry attention by September 2025. No targeted law‑enforcement actions have been reported to date, and the group remains active and evolving. Analysts are watching for future ties with other entities (partnerships or clashes with established RaaS crews), as the post‑Conti landscape often features reorganizations and rebrands under new names.
Linear Timeline of Events
Date | Event |
---|---|
2025‑06‑30 | Earliest known attacks: compromise of companies such as JN Aceros (steel sector, Peru) during the group’s likely initial operational phase. |
2025‑07‑21 | Notable attack: breach of Shifa Hospital (private clinic in Oman), showing willingness to hit critical healthcare. |
2025‑09‑09 | Public disclosure: Trend Micro publishes “Unmasking The Gentlemen,” revealing TTPs and the group’s global reach (BankInfoSecurity). |
Notable Victims
Healthcare
- Shifa Hospital (Oman, private hospital)
- Laboratorio Clínico Santa Rita (Costa Rica, clinical analysis lab)
- Biolap Soluciones Médicas (Mexico, biomedical supplies)
- InjectSense Inc. (USA, implantable medical devices)
- Ophtazon (France, medical e‑commerce platform)
These incidents show a dangerous propensity to hit healthcare, risking operational continuity and patient safety.
Industrial
- Proplastics Ltd (Zimbabwe, PVC pipe manufacturing)
- Grupo Halcón (Spain, ceramic manufacturing for construction)
- JN Aceros (Peru, steel and metallurgical supplies)
- AB Mauri India (India, industrial baking ingredients)
- Kuwait Portland Cement Co. (Kuwait, cement industry)
The group clearly targets manufacturing and production plants, sectors with low tolerance for downtime and therefore higher ransom pressure.
Public Sector
- Wharton Independent School District (Texas, USA – public school district)
- Lycée Français de San Salvador (El Salvador – AEFE network school)
- CERES (Uruguay – economic research center)
Targeting educational and non‑profit entities underscores a lack of scruples, creating public‑service disruption.
Other Sectors
- Oriental de Seguros (Panama, insurance)
- Venezuela Re (Venezuela, reinsurance)
- PC Chandra Jewellers (India, jewelry retail)
- Algorithmica Research (Sweden, financial software)
- Kandeo (Colombia, investment fund)
These cases demonstrate targeting across financial services, retail, and technology. Hitting insurers and funds implies exfiltration of highly sensitive data (policies, financial records) with severe regulatory and reputational risks.
Financial Data and Ransom Demands
- Average and Peak Demands: No precise public figures yet. Given victim profiles (mid‑to‑large enterprises in critical sectors), experts estimate demands in the hundreds of thousands to millions of USD per victim. The lack of public payment disclosures suggests tight confidentiality.
- Currencies: Most likely Bitcoin. There is no public indication of Monero or other privacy coins in use, but given their OPSEC posture, willingness to accept them cannot be ruled out. The use of a public TOX ID already demonstrates privacy‑oriented tooling.
- Negotiation Strategy: Double extortion. After encryption, victims are threatened with leak‑site publication of stolen data. The DLS lists descriptions of exfiltrated data per victim. Communication occurs via encrypted channels: a public TOX ID (and QR code) is provided to negotiate privately, avoiding centralized chat portals that could be intercepted or taken down—raising the bar for external intervention and signaling robust OPSEC.
- Estimated Total Revenue: Hard to assess. With 30+ claimed victims in a few months and even assuming a modest payment rate, proceeds could reach several million USD. Ongoing operations indicate sufficient funding for further attacks (infrastructure, custom tool development). Post‑September 2025 visibility may push demands higher, leveraging fear and perceived invulnerability.
Techniques Used
Initial Access
- Exploitation of exposed services (T1190): documented compromises of FortiGate devices with open administrative access; in at least one case the victim’s Fortinet firewall/VPN was used as a beachhead. Web‑app flaws and weak/compromised RDP/VPN credentials (T1078.002) are plausible vectors.
- Compromised credentials: many intrusions begin with pre‑obtained admin accounts (via phishing or dark‑web trade). Early presence of tools like Advanced IP Scanner suggests privileged footholds from the outset, enabling quiet lateral movement and domain‑wide deployment.
Execution and Propagation
- Arbitrary code execution (T1059): extensive use of batch scripts (e.g., `1.bat`), PowerShell, and Windows commands to enumerate AD, disable services, purge logs, and prepare systems for encryption (e.g., `net stop`, `taskkill`).
- Lateral movement via Windows admin tooling (T1021): heavy use of PsExec for remote command execution; Group Policy Objects (GPO) manipulated at domain level to distribute payloads (e.g., startup scripts in `NETLOGON`) across joined machines. Recon with Advanced IP Scanner; in at least one case, a compromised FortiGate admin account was used to run internal Nmap scans.
Persistence
- Abuse of remote‑access software: deployment of AnyDesk as a persistent service to maintain encrypted C2 even after reboots, often blending with legitimate IT use. RDP settings are tweaked (e.g., registry SecurityLayer) to weaken NLA and permit persistent RDP with stolen creds.
- Security configuration tampering: registry alterations (LSA, NTLM) and Windows Defender exclusions; potential creation of new user accounts (T1136). Compromised GPOs also provide domain‑level persistence.
Exfiltration and Destruction
- Encrypted exfiltration channels (T1048.001): WinSCP over SFTP/SSH to upload prepared archives to remote servers over port 22, blending with allowed admin traffic.
- Evidence wiping and backup sabotage (T1485, T1486): forced termination of backup/DB/AV services; deletion of event logs via `wevtutil` and RDP logs; Defender cache/prefetch cleaning; global Defender exclusions; disabling real‑time protection; shadow copy deletion via `vssadmin`/`wmic`; final self‑delete batch to purge artifacts.
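The host-side steps listed under Execution and Propagation, Persistence, and Exfiltration and Destruction (`net stop`, `taskkill`, PsExec launching `NETLOGON` scripts, `wevtutil`, `vssadmin`/`wmic` shadow-copy deletion, Defender exclusions and real-time protection switched off, the RDP SecurityLayer registry change) are individually noisy in admin telemetry but, clustered on one host, form the pre-encryption signature. The following Python is an added example, not code from this report or from Trend Micro: it runs simple rules over constructed process-creation and registry-set records shaped like Sysmon Event ID 1 and Event ID 13 fields and groups the hits per host. Host names, user names, the service name and the command lines are constructed; the registry paths are the real Windows locations for the RDP SecurityLayer value and the Defender exclusion and real-time protection settings.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from any real incident). Shape mimics
# Sysmon Event ID 1 (process create) and Event ID 13 (registry value set).
SAMPLE_EVENTS = [
    {"host": "DC01", "event_id": 1, "user": r"CORP\svc_admin",
     "cmd": r'C:\Windows\System32\net.exe stop "BackupSvc" /y'},
    {"host": "DC01", "event_id": 1, "user": r"CORP\svc_admin",
     "cmd": r"taskkill /F /IM sqlservr.exe"},
    {"host": "DC01", "event_id": 1, "user": r"CORP\svc_admin",
     "cmd": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "DC01", "event_id": 1, "user": r"CORP\svc_admin",
     "cmd": r"psexec.exe \\WS042 -s -d cmd /c \\DC01\NETLOGON\1.bat"},
    {"host": "WS042", "event_id": 1, "user": r"NT AUTHORITY\SYSTEM",
     "cmd": r"wevtutil.exe cl Security"},
    {"host": "WS042", "event_id": 1, "user": r"NT AUTHORITY\SYSTEM",
     "cmd": r"wmic shadowcopy delete"},
    {"host": "WS007", "event_id": 1, "user": r"CORP\jdoe",
     "cmd": r"C:\Windows\System32\net.exe use Z: \\FS01\share"},  # benign
    {"host": "DC01", "event_id": 13, "user": r"CORP\svc_admin",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
               r"\WinStations\RDP-Tcp\SecurityLayer",
     "details": "DWORD (0x00000000)"},
    {"host": "WS042", "event_id": 13, "user": r"NT AUTHORITY\SYSTEM",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\\",
     "details": "DWORD (0x00000000)"},
    {"host": "WS042", "event_id": 13, "user": r"NT AUTHORITY\SYSTEM",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection"
               r"\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000001)"},
    {"host": "WS007", "event_id": 13, "user": r"CORP\jdoe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},  # benign
]

# (rule, category from the report, case-insensitive pattern over the command line)
PROCESS_RULES = [
    ("service_stop", "backup/DB/AV sabotage", re.compile(r"\bnet1?(\.exe)?\s+stop\b", re.I)),
    ("forced_kill", "backup/DB/AV sabotage", re.compile(r"\btaskkill(\.exe)?\b.*\s/f\b", re.I)),
    ("shadow_delete", "backup sabotage",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("eventlog_clear", "evidence wiping", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("psexec", "lateral movement", re.compile(r"\bpsexe?c(64)?(\.exe)?\b", re.I)),
    ("netlogon_script", "GPO payload staging", re.compile(r"\\netlogon\\", re.I)),
]
# (rule, category, pattern over the registry path, value data that triggers, or None for any)
REGISTRY_RULES = [
    ("rdp_securitylayer_lowered", "RDP transport weakened",
     re.compile(r"\\RDP-Tcp\\SecurityLayer$", re.I), "0x00000000"),
    ("defender_exclusion", "Defender tampering",
     re.compile(r"\\Windows Defender\\Exclusions\\", re.I), None),
    ("defender_realtime_off", "Defender tampering",
     re.compile(r"\\Real-Time Protection\\DisableRealtimeMonitoring$", re.I), "0x00000001"),
]


def detect(events):
    """Apply the rules and return one finding per (event, rule) match."""
    findings = []
    for ev in events:
        if ev["event_id"] == 1:
            for rule, category, rx in PROCESS_RULES:
                if rx.search(ev["cmd"]):
                    findings.append({"host": ev["host"], "user": ev["user"], "rule": rule,
                                     "category": category, "evidence": ev["cmd"]})
        elif ev["event_id"] == 13:
            for rule, category, rx, trigger in REGISTRY_RULES:
                if rx.search(ev["target"]) and (trigger is None or trigger in ev["details"]):
                    findings.append({"host": ev["host"], "user": ev["user"], "rule": rule,
                                     "category": category,
                                     "evidence": f"{ev['target']} = {ev['details']}"})
    return findings


def staging_hosts(findings, min_distinct_rules=3):
    """Hosts where several distinct preparation steps co-occur. A single
    'net stop' is routine admin work; service stop plus shadow deletion plus
    log clearing on the same host is the pre-encryption pattern the report describes."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["rule"])
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_distinct_rules}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['host']:6} {f['rule']:26} {f['category']:24} {f['evidence']}")
    print("staging hosts:", staging_hosts(hits))
```

Per-host clustering is the point: the individual rules will fire on legitimate administration, so alerting on a host that trips three or more distinct rules in a short window is what separates the pre-encryption sequence from routine work. Thresholds and the rule set are starting points to tune against the environment's own baseline.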
Tools Used
Remote Access Tools (RAT)
- AnyDesk: legitimate remote desktop tool abused for persistent access (service at startup) and encrypted C2; often deployed on DCs as a resilient backdoor.
- RDP with compromised accounts: Windows RDP leveraged using stolen admin creds; system settings altered to lower transport security and maintain sessions for lateral movement (T1021.001).
Encryption Malware and Ransomware Payload
- “The Gentlemen” ransomware: proprietary encryptor leaving `README‑GENTLEMEN.txt` in each directory with a victim ID and TOX contact. Encrypted files bear the extension `.7mtzhh`. Execution requires a specific 8‑byte password parameter as an anti‑analysis measure. Prior to encryption it kills backup/DB/AV processes, deletes shadow copies and logs, and disables Defender; afterward it self‑deletes.
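For incident responders, the two file-system artifacts named above (the `.7mtzhh` extension and the `README-GENTLEMEN.txt` note in each directory) are what a first triage pass looks for on an affected share. The following Python is an added example, not code from the report or from the group: it walks a tree, counts encrypted files and notes per directory, reports directories where the two disagree (a note with nothing encrypted, or encrypted files with no note) and bounds the encryption window from file modification times. It assumes, which the report does not state, that the extension is appended to the original file name, so the original extension can be recovered; the sample tree is constructed in a temporary directory.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Artifact names as given in the report.
ENCRYPTED_EXT = ".7mtzhh"
RANSOM_NOTE = "README-GENTLEMEN.txt"


def triage(root):
    """Walk `root` and summarize encryptor artifacts.

    Assumption (not stated in the report): the extension is appended to the
    original name (report.docx -> report.docx.7mtzhh), so the original
    extension is recoverable from the stem."""
    encrypted_per_dir = Counter()
    note_dirs = set()
    original_ext = Counter()
    mtimes = []
    for dirpath, _, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            if name == RANSOM_NOTE:
                note_dirs.add(rel)
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted_per_dir[rel] += 1
                stem = name[: -len(ENCRYPTED_EXT)]
                original_ext[os.path.splitext(stem)[1].lower() or "(none)"] += 1
                mtimes.append(os.path.getmtime(os.path.join(dirpath, name)))

    def to_iso(ts):
        return datetime.fromtimestamp(ts, timezone.utc).isoformat(timespec="seconds")

    return {
        "encrypted_files": sum(encrypted_per_dir.values()),
        "dirs_with_encrypted": len(encrypted_per_dir),
        "dirs_with_note": len(note_dirs),
        # Note present but nothing encrypted: skipped file types or an interrupted run.
        "note_without_encrypted": sorted(note_dirs - set(encrypted_per_dir)),
        # Encrypted files but no note: the report says a note goes in each
        # directory, so this points to an incomplete run or a removed note.
        "encrypted_without_note": sorted(set(encrypted_per_dir) - note_dirs),
        "original_extensions": dict(original_ext),
        # Earliest/latest encrypted-file mtime bounds the encryption window.
        "encryption_window_utc": (to_iso(min(mtimes)), to_iso(max(mtimes))) if mtimes else None,
    }


def build_sample_tree(root):
    """Constructed sample share; file contents are placeholder bytes, not real data."""
    layout = {
        "finance": ["q3.xlsx" + ENCRYPTED_EXT, "budget.docx" + ENCRYPTED_EXT, RANSOM_NOTE],
        os.path.join("finance", "archive"): ["2019.zip" + ENCRYPTED_EXT, RANSOM_NOTE],
        "hr": [RANSOM_NOTE],                             # note dropped, nothing encrypted
        os.path.join("it", "tools"): ["installer.exe"],  # untouched directory
    }
    for rel, names in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"constructed placeholder content\n")


def run_demo():
    """Build the constructed tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real share, `triage()` is pointed at a read-only mount or a forensic image, never at the live system before it has been isolated; the original-extension histogram tells you what data classes were hit, and the mtime window is cross-checked against the process telemetry for the same host to place the encryptor's run in the timeline.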
Encryption Support Utilities
- All.exe / Allpatch2.exe: custom AV killers that abuse the vulnerable driver ThrottleBlood.sys (derived from ThrottleStop.sys) to gain kernel privileges and terminate security products—preparing the ground for the encryptor.
- Final cleanup batch: a script dropped/executed post‑encryption to wipe payloads and itself.
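The BYOVD step above relies on a rename (ThrottleStop.sys loaded as ThrottleBlood.sys), which is exactly what a file-name-only block list misses. The Python below is an added example, not the group's tooling and not from the report: it assesses constructed driver-load records (shaped like the fields of a Sysmon Event ID 6) against a hash-based block list, treating a hash match as decisive regardless of name, and a campaign-associated file name or a load path outside the system drivers directory as weaker, review-level signals. The hash in the block list is computed from placeholder bytes so the example runs; a real deployment populates it with the published SHA-256 values of known-vulnerable drivers (for instance from the LOLDrivers project). Host names and paths are constructed.

```python
import hashlib

# Constructed stand-in for the vulnerable driver image. A real block list holds the
# published SHA-256 values of known-vulnerable drivers; this only makes the example run.
SAMPLE_VULNERABLE_IMAGE = b"placeholder bytes standing in for ThrottleStop.sys"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


KNOWN_VULNERABLE_SHA256 = {
    sha256_hex(SAMPLE_VULNERABLE_IMAGE): "ThrottleStop.sys (loaded by the AV killer as ThrottleBlood.sys)",
}
# File names the report associates with the campaign: a weaker signal than the hash.
CAMPAIGN_DRIVER_NAMES = {"throttlestop.sys", "throttleblood.sys"}
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed driver-load records (hosts and paths invented).
SAMPLE_DRIVER_LOADS = [
    {"host": "DC01", "image": r"C:\ProgramData\ThrottleBlood.sys",
     "sha256": sha256_hex(SAMPLE_VULNERABLE_IMAGE)},
    {"host": "ENG07", "image": r"C:\Program Files\ThrottleStop\ThrottleStop.sys",
     "sha256": sha256_hex(SAMPLE_VULNERABLE_IMAGE)},  # legitimate install, same exposure
    {"host": "WS042", "image": r"C:\Users\Public\disp.sys",
     "sha256": sha256_hex(SAMPLE_VULNERABLE_IMAGE)},  # renamed to an unrelated name
    {"host": "WS042", "image": r"C:\Windows\System32\drivers\tcpip.sys",
     "sha256": sha256_hex(b"placeholder bytes for a clean system driver")},
]


def assess(load):
    """Verdict and reasons for one driver-load record.
    Hash match => 'block' whatever the file name; name or path alone => 'review'."""
    reasons = []
    digest = load["sha256"].lower()
    image = load["image"]
    name = image.rsplit("\\", 1)[-1].lower()
    if digest in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash on vulnerable-driver block list: " + KNOWN_VULNERABLE_SHA256[digest])
    if name in CAMPAIGN_DRIVER_NAMES:
        reasons.append(f"file name {name} associated with the campaign")
    if not image.lower().startswith(SYSTEM_DRIVER_DIR):
        reasons.append("loaded from outside the system drivers directory")
    if digest in KNOWN_VULNERABLE_SHA256:
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "ok"
    return {"host": load["host"], "image": image, "verdict": verdict, "reasons": reasons}


def assess_all(loads):
    return [assess(load) for load in loads]


if __name__ == "__main__":
    for result in assess_all(SAMPLE_DRIVER_LOADS):
        print(f"{result['host']:6} {result['verdict']:7} {result['image']}")
        for reason in result["reasons"]:
            print("        -", reason)
```

The second record is the useful caveat: a legitimately installed copy of the driver carries the same hash and the same exposure, so the hash list finds it too. Blocking it is a policy call, but it should at least be inventoried, and Windows' own vulnerable-driver blocklist policy (when enabled) is the preventive control that this detection complements.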
Lateral Movement
- PsExec: remote command execution and payload staging via ADMIN$ shares (T1570).
- Nmap: internal discovery (T1046), often from privileged footholds (e.g., via a compromised FortiGate admin account).
Data Exfiltration
- WinSCP (SFTP) as the primary data‑exfil client.
- Rclone (hypothesized) for cloud uploads when SFTP is constrained.
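The exfiltration path described in this report is WinSCP over SFTP on port 22, chosen because it blends with permitted admin SSH traffic. What does not blend is volume and direction: an interactive SSH session is roughly symmetric and small, a bulk upload is large and almost entirely outbound. The Python below is an added example, not from the report: it aggregates constructed NetFlow-style records per internal-source/external-destination pair on port 22 and flags pairs by outbound byte count and out/in ratio. The internal range, the approved SSH client list, the thresholds and the addresses are all assumptions to be tuned to the environment.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this example (tune to the environment being monitored).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
APPROVED_SSH_CLIENTS = {"10.0.5.20"}        # e.g. a backup server allowed to push offsite
BYTES_OUT_THRESHOLD = 500 * 1024 * 1024     # 500 MiB outbound within the window
OUT_IN_RATIO_THRESHOLD = 20.0               # interactive SSH is roughly symmetric

# Constructed flow records: (src, dst, dst_port, bytes_out, bytes_in).
SAMPLE_FLOWS = [
    ("10.0.5.20",  "203.0.113.10", 22, 2_000_000_000, 40_000_000),  # approved backup push
    ("10.0.12.77", "198.51.100.5", 22, 900_000_000, 3_000_000),     # workstation, bulk upload
    ("10.0.12.77", "198.51.100.5", 22, 700_000_000, 2_000_000),     # same pair, later window
    ("10.0.3.4",   "10.0.3.9",     22, 300_000_000, 1_000_000),     # internal to internal
    ("10.0.8.8",   "192.0.2.40",   22, 12_000, 15_000),             # admin shell session
    ("10.0.8.8",   "192.0.2.40",   443, 50_000_000, 1_000_000),     # not SSH
]


def detect_bulk_sftp(flows):
    """Aggregate outbound port-22 flows from internal hosts to external addresses
    and flag pairs that look like bulk upload rather than interactive admin use."""
    totals = defaultdict(lambda: [0, 0])
    for src, dst, dport, b_out, b_in in flows:
        if dport != 22:
            continue
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in INTERNAL_NET or d in INTERNAL_NET:
            continue
        totals[(src, dst)][0] += b_out
        totals[(src, dst)][1] += b_in

    alerts = []
    for (src, dst), (out_b, in_b) in totals.items():
        if src in APPROVED_SSH_CLIENTS:
            continue  # known bulk SSH sender; review its destinations separately
        reasons = []
        if out_b >= BYTES_OUT_THRESHOLD:
            reasons.append(f"{out_b / 2**20:.0f} MiB sent over port 22")
        ratio = out_b / max(in_b, 1)
        if ratio >= OUT_IN_RATIO_THRESHOLD:
            reasons.append(f"out/in byte ratio {ratio:.0f}:1 (upload, not interactive)")
        if reasons:
            alerts.append({"src": src, "dst": dst, "bytes_out": out_b,
                           "ratio": round(ratio, 1), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_sftp(SAMPLE_FLOWS):
        print(f"{a['src']} -> {a['dst']}: {a['bytes_out']} bytes out, ratio {a['ratio']}")
        for reason in a["reasons"]:
            print("   -", reason)
```

The approved-client exemption is deliberately a skip rather than silence: a backup server is also the most attractive host to reuse for exfiltration, so its port-22 destinations should be compared against a fixed allowlist in a separate check. The same aggregation applied to port 443 would cover the hypothesized Rclone-to-cloud variant, with the destination reputation replacing the internal/external split.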
Living‑off‑the‑Land (LoL) Tools
- PowerRun: to execute with SYSTEM privileges for priv‑esc and protection disablement.
- Advanced IP Scanner: quick internal asset enumeration immediately post‑foothold.
Geographic Trends
Country | Most Affected Sectors | Notes |
---|---|---|
Thailand | Manufacturing, Financial Services | Most affected country (multiple victims); possible early operational base. Industrial and insurance targets. |
United States | Public Education, MedTech, Business Services | Targets include a school district and hi‑tech/healthcare firms; suggests focus on under‑resourced local infrastructure. |
India | Retail/Jewelry, Food Industry, IT Services | Diverse victim set from retail chains to yeast producers and IT providers; varied security maturity. |
Venezuela | Financial/Insurance | Venezuela Re indicates capability to operate in South America; few but high‑profile financial targets. |
France | Manufacturing/Automotive, IT Services | Victims include a machinery maker (green energy) and a software house; shows presence in Western Europe. |
Note: Overall, The Gentlemen has claimed victims in at least 17 countries, with concentrations in APAC and the Americas. Targeting appears driven by access opportunities (e.g., exposed systems in specific regions) rather than explicit geopolitics. In Europe, confirmed intrusions include France and Spain; no declared attacks in Italy so far (subject to continuous updates). Trend Micro’s report visualizes the distribution, with Thailand and the U.S. as hotspots, followed by India, Mexico, Colombia, and others.
Law Enforcement Actions
- Monitoring and Alerts: Given victim clusters (e.g., Thailand), national CERTs likely issued internal advisories; in the U.S., FBI private‑sector notifications may include IoCs. No public, group‑specific bulletins have been observed yet.
- No known arrests: No public identifications or arrests of gang members. Use of Tor and encrypted comms (TOX) hampers traceability. International bodies (Interpol/Europol) are presumably collecting intel; no public takedowns reported.
- Infrastructure seizures: The Tor leak site remains online as of 2025‑09‑15; no public sinkholes or confiscations disclosed.
- Official statements: No dedicated FBI/Europol/ANSSI/CERT‑EU/CISA public statements specific to The Gentlemen to date. Future governmental threat reports may list the group as “emerging.”
Source Transparency
Source | Reliability | Original Language | Publication Date | Link |
---|---|---|---|---|
Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed (Trend Micro Research) | High (vendor research) | English | 2025‑09‑09 | trendmicro.com |
‘Gentlemen’ Ransomware Abuses Vulnerable Driver to Kill Security Gear (Dark Reading) | Medium (industry news) | English | 2025‑09‑11 | darkreading.com |
Ransomware upstart ‘The Gentlemen’ raises the stakes for OT‑heavy sectors (CSO Online) | Medium (cybersecurity media) | English | 2025‑09‑10 | csoonline.com |
‘The Gentlemen’ Ransomware Targets Asia Pacific (BankInfoSecurity – ISMG) | Medium (independent infosec outlet) | English | 2025‑09‑10 | bankinfosecurity.com |
The Gentlemen Ransomware Detection: New Adversary Campaign… (SocPrime Threat Detection) | Medium (technical blog, research recap) | English | 2025‑09‑11 | socprime.com |
The Gentlemen è il ransomware specializzato in attacchi su misura (SecurityOpenLab) | Medium (tech news relaying Trend Micro) | Italian | 2025‑09‑10 | securityopenlab.it |
Note: Information in this report stems from sources of varying reliability and may evolve. We will update regularly to provide the most accurate view of The Gentlemen ransomware group’s activities.