Ransomware upstart ‘The Gentlemen’ raises the stakes for OT‑heavy sectors


A new threat actor, The Gentlemen, has emerged as a fast-moving ransomware group that has rapidly expanded its activity across Asia Pacific, South America, the US, and the Middle East. First identified in August, the group has already hit organizations in 17 countries, with victims spanning manufacturing, construction, healthcare, and insurance.

Trend Micro has classified The Gentlemen as a previously undocumented ransomware operation that employs adaptive tactics to bypass enterprise-grade security defenses. The threat actor leverages legitimate drivers for defense evasion, abuses Group Policy Objects (GPOs) to facilitate domain-wide compromise, and deploys custom malicious tools designed to disable endpoint security.

Tailored attack playbook

The investigation indicates that internet-facing services or compromised credentials are exploited to establish an initial foothold.

This is a calculated entry strategy: once inside, the group deploys reconnaissance tools such as Advanced IP Scanner to map the network layout and identify valuable targets.

The group examines Active Directory structures, focusing on domain administrators, enterprise administrators, and custom privilege groups such as itgateadmin.

The threat actor also uses a batch script named 1.bat to perform mass account enumeration, querying more than 60 user accounts across the domain infrastructure.

“They also demonstrated extensive environmental awareness by querying local groups, including standard administrative groups and virtualization-specific groups such as VMware, indicating preparation for lateral movement across both physical and virtualized infrastructure components,” Trend Micro said.

While the initial defense-evasion strategy centered on deploying All.exe together with the ThrottleBlood.sys driver, the threat actors also inspected the endpoint protection mechanisms in detail to identify the specific security controls in place and tailor their methods accordingly.

The PowerRun.exe tool was used to escalate privileges and then disable or terminate security-related services and processes. Next, a customized version of the Allpatch2.exe tool was introduced to neutralize key security agent components.

For lateral movement, PsExec was leveraged to systematically weaken security controls by modifying critical registry settings that govern authentication and remote access protocols.

To maintain persistent command-and-control (C&C) access, the threat actors relied on AnyDesk and expanded situational awareness by downloading, installing, and executing Nmap for comprehensive internal network scanning.

The data was exfiltrated through the file transfer tool WinSCP, and the ransomware was distributed across the domain via the NETLOGON share. The payload was password-protected to evade automated sandbox analysis. The ransomware also attempts to terminate key services commonly associated with backup, database, and security processes to maximize its impact.
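The mass account enumeration described above (a batch script querying more than 60 domain accounts) is a detectable early signal. The following is an added detection example, not code from Trend Micro or the article; it assumes process-creation telemetry flattened into lines of `<ISO timestamp> <host> <parent image> <command line>`, and the window and threshold values are assumptions to tune per environment.

```python
"""Flag hosts that query an unusual number of distinct domain accounts via
'net user <name> /domain' inside a short time window (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches "net user <account> /domain" and the net1.exe variant.
NET_USER_RE = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+/domain\b", re.I)

# Constructed sample telemetry: WS-014 runs a batch script (cmd.exe parent)
# that looks up 25 accounts in under a minute; ADMIN-01 does two manual lookups.
SAMPLE_LINES = [
    f"2025-09-01T10:00:{i:02d} WS-014 C:\\Windows\\System32\\cmd.exe net user user{i:02d} /domain"
    for i in range(25)
] + [
    "2025-09-01T10:30:00 ADMIN-01 C:\\Windows\\System32\\cmd.exe net user jdoe /domain",
    "2025-09-01T11:15:00 ADMIN-01 C:\\Windows\\System32\\cmd.exe net user asmith /domain",
]

def parse_line(line):
    """Split one assumed-format telemetry line into its four fields."""
    ts, host, parent, cmdline = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, parent, cmdline

def find_enumeration_bursts(lines, window=timedelta(minutes=5), threshold=20):
    """Return {host: (max distinct accounts in any window, sorted parent images)}
    for every host exceeding `threshold` distinct accounts inside `window`."""
    events = defaultdict(list)  # host -> [(timestamp, account, parent image)]
    for line in lines:
        ts, host, parent, cmdline = parse_line(line)
        m = NET_USER_RE.search(cmdline)
        if m:
            events[host].append((ts, m.group(1).lower(), parent))
    hits = {}
    for host, evs in events.items():
        evs.sort()
        best, parents, start = 0, set(), 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            accounts = {a for _, a, _ in evs[start:end + 1]}
            if len(accounts) > threshold and len(accounts) > best:
                best = len(accounts)
                parents = {p for _, _, p in evs[start:end + 1]}
        if best:
            hits[host] = (best, sorted(parents))
    return hits

if __name__ == "__main__":
    print(find_enumeration_bursts(SAMPLE_LINES))
```

The parent image is reported so an analyst can tell a scripted burst (cmd.exe launching the batch file) from interactive administration.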

Evasion techniques deliberately tailored to bypass endpoint security solutions put enterprises at heightened risk.

“Custom evasion techniques increase the chance of undetected breaches, allowing longer dwell times, data exfiltration, or operational disruption,” said Manish Rawat, analyst at TechInsights. “This enables more targeted, high-impact attacks, amplifying financial, reputational, and regulatory exposure. By studying vendor documentation, attackers craft methods that bypass generic defenses, escalating overall threat sophistication. Security teams experience operational strain, with higher alert volumes and the challenge of distinguishing subtle threats from benign activity.”

High-stakes industries make prime targets

The attacks have been spread across 17 countries, with Thailand and the US being the top targets, followed by Venezuela and India. The Gentlemen ransomware group already has a victim count of 27, with manufacturing and construction industries being the key targets, followed by healthcare, insurance, and others.

“These sectors are prime targets due to their high-pressure operational environments and data sensitivity,” said Amit Jaju, senior managing director at Ankura Consulting. “Manufacturing and construction have a low tolerance for downtime, making them more likely to pay to restore OT systems. Healthcare, on the other hand, holds valuable protected health information, and the risk to patient safety creates immense pressure to resolve incidents quickly. Insurance is a strategic target, holding aggregated risk data from thousands of other companies, making it a uniquely valuable data repository.”

These sectors have large operational footprints, high-value data, complex network environments, and are often under-resourced in cybersecurity relative to their threat exposure. “The complex supply chains with many vendors, shared credentials, and remote access create a broad attack surface. In addition, they usually have thin IT staffing at plants and branch sites,” said Pareekh Jain, CEO at EIIRTrend & Pareekh Consulting.

Conventional defenses aren’t enough

As ransomware actors become increasingly adaptive in bypassing defenses, experts acknowledge that conventional endpoint protection is no longer enough. CISOs must focus on multi-layered resilience, emphasizing zero-trust and least-privilege access to restrict lateral movement.

“Behavioral monitoring via advanced EDR/XDR solutions is crucial, as static signatures alone are insufficient. Proactive threat hunting, combined with threat intelligence, helps detect early signs of intrusion and ransomware tools,” Rawat said. Strict vendor and patch management reduces exploitable vulnerabilities, while regular incident simulations and tabletop exercises enhance response readiness and uncover security blind spots.

According to Jaju, CISOs must focus on achieving network visibility and segmentation. They should deploy NDR tools to detect lateral movement, and aggressively segment networks to contain breaches and prevent attackers from reaching critical assets like OT systems and backups.
