The Rise of The Gentlemen: A New Threat in Cybersecurity
On September 9, a new ransomware group known as The Gentlemen surfaced, drawing attention with its announcement of 32 global victims on its dark web leak site. This emergence marks a significant addition to the world of cybercrime, an area already rife with dangers.
An Eclectic Mix of Victims
The Gentlemen have targeted a diverse array of organizations, showcasing their reach across different sectors and countries. Among the reported victims are Shifa Hospital in Oman and PC Chandra Jewellers in India, as well as a financial research firm located in Sweden and a mattress manufacturer based in Morocco. This broad spectrum underscores the group’s ability to infiltrate various industries, demonstrating that no sector is truly safe from cyber threats.
Techniques and Tactics: How They Operate
What sets The Gentlemen apart is their advanced technical capabilities. They utilize a unique technique that allows them to outsmart antivirus programs and other IT security measures. Unlike other ransomware factions, The Gentlemen do not flaunt a manifesto or present themselves as ethical hackers. Instead, they choose to remain shrouded in mystery, focusing solely on their victims, with scant information about the volume of stolen data or any visual proof of their breaches.
Since that initial announcement the group has added two more victims, one in Germany and one in Nepal, bringing its known total to 34. Importantly, nearly all of these cases have resulted in the publication of sensitive data directly on The Gentlemen’s leak site.
The Group’s Distinct Branding
This new group has also embraced the necessity of branding in the cyber world, presenting a logo that features a dapper gentleman clad in a suit, complete with a top hat and waxed moustache. The branding emphasizes a certain flair, albeit for a nefarious cause, which is intriguing in the context of hacktivism today. The leak site also provides a QR code linked to their communication details, making it accessible for those who may wish to reach out.
Insight from Trend Micro
Research from cybersecurity firm Trend Micro sheds light on The Gentlemen’s methods. Their investigation, initiated in August coinciding with the group’s activities, revealed the sophisticated techniques employed by the attackers. According to Trend Micro, “This threat actor quickly established itself within the threat landscape by demonstrating advanced capabilities through their systematic compromise of enterprise environments.” Such adaptability in their approach sets a concerning precedent for organizational security.
Exploiting Vulnerabilities
While Trend Micro was unable to pinpoint the exact initial access strategies, they indicated that The Gentlemen often exploit internet-facing services or compromised credentials to gain footholds within networks. Remarkably, these cybercriminals take their time to infiltrate a system, employing tools like Advanced IP Scanner for network reconnaissance to carefully map out a victim’s infrastructure and identify critical assets.
An unusual element of their tactics is the abuse of legitimate drivers, which gives them stealthy entry. They pair a tool named All.exe with the driver ThrottleBlood.sys to manipulate the system at kernel level, terminating security software processes as needed.
Methodical Approach to Data Theft
Following their initial infiltration, The Gentlemen escalate their intrusions using PowerRun.exe to elevate privileges. They also deploy an enhanced evasion tool, Allpatch2.exe, which is tailored to evade the specific defenses found in the victim environment. The group’s meticulous tactics allow them to move through networks smoothly, maintaining persistence through living-off-the-land techniques while gradually weakening security defenses.
Data collection is methodical and leads to eventual exfiltration. To ensure they retain control, they neutralize essential security services on the victim’s systems, including Windows Defender, before encrypting data and opening ransom negotiations.
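The intrusion chain described above (reconnaissance with Advanced IP Scanner, a driver-abuse tool loading ThrottleBlood.sys, PowerRun.exe / Allpatch2.exe, then Windows Defender being stopped before encryption) is the kind of sequence a defender can correlate in endpoint telemetry. The following script is an added example written for this article, not code from Trend Micro or from the reporting it draws on. It parses constructed Sysmon-style JSON events, tags each one against the tool and driver names given above, and raises a high-severity alert only when a driver-abuse indicator is followed within a short window by a Defender service stop on the same host. The executable name used for Advanced IP Scanner and the JSON field layout are assumptions.

```python
"""Correlate vulnerable-driver abuse with security-service tampering.

Added example: the indicator names come from the article above; the log
format, field names and sample events are constructed for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Tool and driver names named in the public reporting summarised above.
DRIVER_ABUSE_TOOLS = {"all.exe", "allpatch2.exe", "powerrun.exe"}
SUSPECT_DRIVERS = {"throttleblood.sys"}
# Assumption: Advanced IP Scanner's on-disk binary name (not stated in the article).
RECON_TOOLS = {"advanced_ip_scanner.exe"}
# Windows Defender service names; a stop of any of these is the "neutralise Defender" step.
PROTECTED_SERVICES = {"windefend", "sense", "wdnissvc"}

# How close a Defender stop must follow a driver-abuse indicator to be treated as one chain.
CORRELATION_WINDOW = timedelta(minutes=15)

# Constructed sample telemetry in a Sysmon-like JSON-lines shape (not real logs).
SAMPLE_LOG = r"""
{"ts": "2025-09-01T02:10:00Z", "host": "fs01", "event": "process_create", "image": "C:\\Tools\\advanced_ip_scanner.exe"}
{"ts": "2025-09-01T02:41:12Z", "host": "fs01", "event": "process_create", "image": "C:\\Users\\Public\\All.exe"}
{"ts": "2025-09-01T02:41:13Z", "host": "fs01", "event": "driver_load", "image": "C:\\Windows\\Temp\\ThrottleBlood.sys"}
{"ts": "2025-09-01T02:43:50Z", "host": "fs01", "event": "service_stop", "service": "WinDefend"}
{"ts": "2025-09-01T09:00:00Z", "host": "ws17", "event": "service_stop", "service": "WinDefend"}
{"ts": "2025-09-01T09:05:00Z", "host": "ws17", "event": "process_create", "image": "C:\\Windows\\System32\\notepad.exe"}
"""


def parse_events(log_text):
    """Parse JSON lines into dicts, converting the timestamp to a datetime."""
    events = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Map one event to an indicator tag, or None if it matches nothing."""
    kind = event["event"]
    if kind == "process_create":
        name = basename(event["image"])
        if name in DRIVER_ABUSE_TOOLS:
            return "driver_abuse_tool"
        if name in RECON_TOOLS:
            return "recon_tool"
    elif kind == "driver_load":
        if basename(event["image"]) in SUSPECT_DRIVERS:
            return "suspect_driver"
    elif kind == "service_stop":
        if event["service"].lower() in PROTECTED_SERVICES:
            return "defender_stopped"
    return None


def detect(log_text):
    """Return one alert per host that produced any indicator.

    Severity is 'high' when a driver-abuse tool or suspect driver is followed
    within CORRELATION_WINDOW by a Defender service stop on the same host, and
    'medium' for any isolated indicator (a lone service stop may be legitimate
    maintenance, so it is surfaced but not escalated).
    """
    by_host = defaultdict(list)
    for ev in parse_events(log_text):
        tag = classify(ev)
        if tag:
            by_host[ev["host"]].append((ev["ts"], tag))

    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        tags = {t for _, t in hits}
        driver_times = [ts for ts, t in hits if t in ("driver_abuse_tool", "suspect_driver")]
        stop_times = [ts for ts, t in hits if t == "defender_stopped"]
        chained = any(
            timedelta(0) <= (stop - drv) <= CORRELATION_WINDOW
            for drv in driver_times
            for stop in stop_times
        )
        alerts.append({
            "host": host,
            "severity": "high" if chained else "medium",
            "indicators": sorted(tags),
        })
    return sorted(alerts, key=lambda a: a["host"])


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, fs01 is escalated to high because the ThrottleBlood.sys load is followed two minutes later by a WinDefend stop, while ws17 stays at medium: its service stop has no preceding driver-abuse indicator. In a real deployment the name lists would be replaced by the published IOCs and the events fed from Sysmon event IDs 1 (process create), 6 (driver load) and a service-control source, but the correlation logic is the part worth keeping.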
Understanding Their Impact
The campaign orchestrated by The Gentlemen is a reminder of the continuous evolution and sophistication of cybersecurity threats. Trend Micro notes, “Overall, the campaign highlights the threat actors’ understanding of enterprise security architectures, demonstrated through adaptive countermeasures specifically tailored to overcome deployed security solutions.” This understanding results in systematic data theft and the successful deployment of ransomware, maximizing the impact on victim organizations.
As of now, no Australian organizations have been reported as targets of The Gentlemen, but with their expanding portfolio, vigilance remains crucial for all sectors. For those interested, further insights into the group and its indicators of compromise (IOCs) can be found in ongoing cybersecurity discussions.