Gentlemen Ransomware Exploits Drivers and Group Policies to Breach Organizations
The Gentlemen ransomware group has emerged as a sophisticated threat actor, demonstrating advanced capabilities through systematic compromise of enterprise environments across 17 countries.
Their campaign combines legitimate driver abuse, Group Policy manipulation, and custom anti-AV utilities to bypass enterprise endpoint protections, targeting manufacturing, construction, healthcare, and insurance sectors.
In August 2025, cybersecurity researchers identified a new ransomware campaign orchestrated by The Gentlemen, an emerging and previously undocumented threat group that quickly established itself within the threat landscape.
The campaign exposed highly sophisticated tactics that demonstrate the group’s ability to systematically compromise enterprise environments while adapting their tools mid-campaign from generic anti-AV utilities to highly targeted, specific variants.
The threat actor’s attack chain revealed several concerning capabilities. The group exploited legitimate drivers for defense evasion, abused Group Policy Objects (GPO) to facilitate domain-wide compromise, and deployed custom malicious tools specifically designed to disable security solutions present in targeted environments.
Their operational security practices included utilizing encrypted channels for data exfiltration via WinSCP and establishing redundant persistence mechanisms through both AnyDesk remote access software and modified registry settings.

The Gentlemen’s tactics represent an evolution in ransomware operations where attackers conduct extensive reconnaissance, resulting in tailored bypasses for the specific defenses they encounter.
This approach represents a significant shift from opportunistic attacks toward systematic analysis of security software documentation, combined with abuse of legitimate tools and vulnerable drivers to deploy environment-specific evasion techniques.
The ransomware group has been targeting organizations across multiple sectors, with manufacturing bearing the heaviest impact, followed closely by construction, healthcare, and insurance industries.
The group’s attacks on essential services such as healthcare highlight their disregard for critical infrastructure and potential public safety implications. Key target countries include Thailand and the United States, with attacks spanning at least 17 countries total.

The substantial victim count, coupled with the lack of prior threat intelligence, suggests either a rebranding effort by experienced operators or the emergence of a well-funded new entrant within the ransomware ecosystem.
Documenting their methodologies enables organizations to proactively identify the group’s tools, tactics, and procedures (TTPs), implement targeted defensive measures, and prepare incident response plans aligned with these observed behaviors.
Multi-Stage Attack Methodology
The group’s initial defense evasion strategy centered on deploying sophisticated techniques involving legitimate signed drivers to perform kernel-level manipulation, effectively terminating security software processes that would normally be shielded from termination.
After recognizing limitations of their initial approach, the threat actors shifted tactics and began conducting detailed reconnaissance of endpoint protection mechanisms in place, allowing them to identify specific security controls and tailor their methods accordingly.
During the discovery phase, the threat actor examined Active Directory structures, focusing on domain administrators, enterprise administrators, and custom privilege groups.
They demonstrated extensive environmental awareness by querying local groups, including standard administrative groups and virtualization-specific groups such as VMware, indicating preparation for lateral movement across both physical and virtualized infrastructure components.
The attackers leveraged legitimate tools like PsExec for lateral movement while systematically weakening security controls by modifying critical registry settings governing authentication and remote access protocols.
To maintain persistent command-and-control access, they relied on AnyDesk, creating a remote access channel resilient to traditional incident response actions.
They further expanded situational awareness by downloading, installing and executing network mapping tools for comprehensive internal network scanning.
Evidence indicates the possible compromise of FortiGate administrative accounts, with network scans originating from privileged contexts.

This suggests the threat actors had compromised critical network security infrastructure, potentially granting them extensive visibility and control over network traffic.
Investigation confirmed that the FortiGate server was directly accessible from the internet, likely serving as the attackers’ entry point into the network.
The ransomware was ultimately deployed throughout the domain’s NETLOGON share, ensuring widespread distribution across all domain-joined systems. The payload was password-protected, likely to evade automated sandbox analysis.
Prior to encryption, built-in Windows Defender was neutralized through PowerShell commands, and firewall rules were modified to ensure persistent access for negotiation and additional extortion activities.
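The behaviours described in this section (Defender tampering via PowerShell, firewall rule changes, staging through the NETLOGON share, AnyDesk persistence, PsExec lateral movement) can be hunted for in process-creation and PowerShell script block telemetry. The script below is an added illustration, not code or indicators from the article: the rules are generic patterns for those behaviours, the sample events are constructed, and the 4688/4104 event IDs are the standard Windows ones.

```python
import re
from collections import defaultdict

# Illustrative hunting rules keyed to the behaviours reported above (assumed
# patterns, not the group's published indicators).
RULES = {
    "defender_tamper": re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
    "firewall_change": re.compile(
        r"netsh\s+advfirewall\s+firewall\s+(add|set|delete)\s+rule|New-NetFirewallRule", re.I),
    "netlogon_staging": re.compile(r"\\\\[^\\\s]+\\NETLOGON\\\S+\.(exe|dll|bat|ps1)", re.I),
    "anydesk_persistence": re.compile(r"\banydesk(\.exe)?\b.*--install", re.I),
    "psexec_lateral": re.compile(r"\bpsex(ec|esvc)\.exe\b", re.I),
}

# Constructed sample telemetry: (host, event_id, command line).
# 4688 = process creation, 4104 = PowerShell script block logging.
SAMPLE_EVENTS = [
    ("WS01", 4104, "Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("WS01", 4688, 'netsh advfirewall firewall add rule name="rmt" dir=in action=allow program="C:\\rmt.exe"'),
    ("WS01", 4688, "C:\\Users\\Public\\AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"),
    ("DC01", 4688, "cmd.exe /c copy C:\\tmp\\payload.exe \\\\corp.example\\NETLOGON\\update.exe"),
    ("FS02", 4688, "C:\\Windows\\PSEXESVC.exe"),
    ("WS07", 4688, "C:\\Windows\\System32\\notepad.exe C:\\Users\\a\\notes.txt"),
]

def match_rules(cmdline):
    """Return the names of every rule the command line triggers."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def hunt(events, min_rules=2):
    """Collect rule hits per host. Hosts that trigger at least min_rules
    distinct rules are escalated, since the chain described above stacks
    several of these behaviours on the same machine."""
    hits = defaultdict(set)
    for host, _event_id, cmdline in events:
        for name in match_rules(cmdline):
            hits[host].add(name)
    escalated = sorted(h for h, names in hits.items() if len(names) >= min_rules)
    return {h: sorted(n) for h, n in hits.items()}, escalated

if __name__ == "__main__":
    per_host, escalated = hunt(SAMPLE_EVENTS)
    for host, names in per_host.items():
        print(host, ", ".join(names))
    print("escalate:", escalated)
```

In a real deployment the rules would be fed from a SIEM export rather than the inline list, and the escalation threshold tuned to the environment's baseline of legitimate admin tooling.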
Enhanced Security Measures
The campaign highlights the threat actors’ understanding of enterprise security architectures, demonstrated through adaptive countermeasures specifically tailored to overcome deployed security solutions, systematic data theft for double extortion, and successful deployment of ransomware using domain administrator privileges for maximum impact.
The Gentlemen ransomware campaign illustrates the rapid evolution of modern ransomware threats, blending advanced technical sophistication with persistent, targeted operations.
This campaign is distinguished by its use of custom-built tools for defense evasion, its ability to study and adapt to deployed security software, and its methodical abuse of both legitimate and vulnerable system components to subvert layered enterprise defenses.
Organizations are strongly advised to review their security posture, focusing on proactive threat hunting for group-specific tools, tactics, and procedures, strengthening of endpoint and network protections, and continuous refinement of incident response strategies.
Particular attention should be given to monitoring for anomalous administrative activity, abuse of legitimate tools for lateral movement and privilege escalation, and early indications of defense evasion efforts targeting security solutions.
The campaign’s impact on critical infrastructure and use of double extortion techniques underscores the significant risk this threat actor poses to organizations globally.