---
title: "The Gentlemen Ransomware Group Targets Global Industries with Sophisticated Attacks"
date: 2025-09-12
author: "Sofia Ramirez"
featured_image: "https://sqmagazine.co.uk/wp-content/uploads/2025/09/the-gentleman-ransomware-targets-industries.jpg"
categories:
  - name: "Cybersecurity"
    url: "/cybersecurity.md"
tags:
  - name: "News"
    url: "/tag/news.md"
---

# The Gentlemen Ransomware Group Targets Global Industries with Sophisticated Attacks

A dangerous new ransomware group called The Gentlemen is targeting critical industries around the world using highly customized hacking tools and techniques.

## Quick Summary – TLDR:

- The Gentlemen ransomware group has launched targeted attacks across 17 countries, focusing on manufacturing, healthcare, and insurance.
- They use custom-built tools to bypass enterprise-grade security and adapt their methods mid-campaign.
- Initial access is often gained via compromised credentials or internet-facing infrastructure, including FortiGate servers.
- Experts warn these tactics represent an evolution in ransomware strategy, increasing dwell time, damage, and recovery costs.

## What Happened?

Since being discovered in **August 2025**, The Gentlemen ransomware group has rapidly expanded its operations across Asia Pacific, the United States, South America, and the Middle East. Security researchers from **[Trend Micro](https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html)** identified the group as a **new and previously undocumented threat actor** deploying sophisticated, targeted attacks. So far, **at least 27 organizations** have been affected, with **Thailand and the US** among the top targets.

> 🚨 New Ransomware Group Identified: The Gentlemen
>
> Onion: http://tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad\[.\]onion [pic.twitter.com/n83Xcm2hZa](https://t.co/n83Xcm2hZa)
>
> — Dark Web Informer (@DarkWebInformer) [September 9, 2025](https://twitter.com/DarkWebInformer/status/1965470635620175937?ref_src=twsrc%5Etfw)

## A Tailored Approach to Cybercrime

Unlike typical [ransomware](https://sqmagazine.co.uk/ransomware-statistics/) operators, **The Gentlemen** deploy **customized attack chains** tailored to each victim’s specific environment. From **bypassing endpoint protections** to exploiting **Group Policy Objects (GPOs)**, their tactics show a deep understanding of enterprise systems.

- **Advanced IP Scanner** and **Nmap** are used for internal reconnaissance.
- A batch script named **1.bat** is used to enumerate over 60 user accounts.
- They target **domain admins** and custom privileged groups like **itgateadmin**.

Once inside a network, they **disable endpoint security** using tools like **All.exe**, **ThrottleBlood.sys**, **PowerRun.exe**, and **Allpatch2.exe**, adapting each tool based on the defenses they find.

## Persistence and Control

The attackers establish long-term access using **AnyDesk** and modify **registry settings** to maintain persistence. They have also been observed using **Group Policy Management tools (gpmc.msc and gpme.msc)** to roll out malicious changes across domains.

- **Firewall settings** are modified to enable Remote Desktop Protocol (RDP).
- **Encoded PowerShell scripts** help identify the **Primary Domain Controller (PDC)** for more targeted attacks.

They exfiltrate data with **WinSCP**, a secure file transfer tool, before distributing the ransomware payload through the **NETLOGON share**.

## Aggressive Impact and Cleanup

The ransomware not only encrypts files but also takes steps to **disable recovery** and **evade forensic investigation**:

- **Deletes** Windows Defender logs, RDP logs, Recycle Bin content, and **prefetch files**
- **Disables Windows Defender** using PowerShell commands
- **Terminates** critical services and processes associated with **backups, databases, and antivirus software**
- Drops a self-deleting **batch script** to clean traces after encryption is complete

Encrypted files are marked with a **.7mtzhh** extension, and a ransom note named **README-GENTLEMEN.txt** is left behind.
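As an added defender-side example (not code from the article or from Trend Micro's report), the Python below correlates the behaviours described in the last two sections over constructed telemetry: Windows Defender disabled via PowerShell, RDP logs and prefetch files wiped, database or backup services stopped, files renamed with the `.7mtzhh` extension or the `README-GENTLEMEN.txt` note dropped, and encoded PowerShell that looks up the PDC. The log format, host names and command-line patterns are assumptions; the article gives no actual commands, so the patterns show the shape of a detection, not the group's exact tooling.

```python
import base64
import re
from collections import defaultdict

def encode_ps(command):  # UTF-16LE + base64, the shape of a PowerShell -EncodedCommand argument
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")

def decode_ps(blob):  # plaintext behind a powershell -enc argument, or "" if it does not decode
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

# Constructed telemetry (not logs from the campaign), "<time> host=<name> type=<proc|file> <detail>":
# FS01 shows the chain the article describes, WS22 only the PDC lookup, WS07 is benign noise.
SAMPLE_EVENTS = [
    "02:01:10 host=FS01 type=proc cmd=powershell.exe -enc " + encode_ps("Set-MpPreference -DisableRealtimeMonitoring $true"),
    "02:03:42 host=FS01 type=proc cmd=wevtutil.exe cl Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "02:04:05 host=FS01 type=proc cmd=cmd.exe /c del /q C:\\Windows\\Prefetch\\*.pf",
    "02:05:30 host=FS01 type=proc cmd=net stop MSSQLSERVER",
    "02:09:11 host=FS01 type=file path=D:\\Finance\\Q3.xlsx.7mtzhh",
    "02:30:00 host=WS22 type=proc cmd=powershell.exe -enc " + encode_ps("Get-ADDomain | Select-Object PDCEmulator"),
    "09:00:00 host=WS07 type=proc cmd=cmd.exe /c del /q C:\\Users\\bob\\Downloads\\old.pf",
]

# Each pattern is an assumption about how a behaviour the article names would surface in telemetry;
# the article gives no command lines. Tune the patterns to your own environment.
STAGES = {
    "defender_off": re.compile(r"Set-MpPreference.*Disable", re.I),
    "log_wipe": re.compile(r"\bwevtutil(\.exe)?\s+cl\b|\\Prefetch\\", re.I),
    "svc_kill": re.compile(r"\b(net stop|taskkill)\b.*(sql|backup)", re.I),
    "pdc_recon": re.compile(r"PDCEmulator", re.I),
    "encrypt": re.compile(r"\.7mtzhh$|README-GENTLEMEN\.txt$", re.I),
}
LINE_RE = re.compile(r"^(?P<time>\S+) host=(?P<host>\S+) type=(?P<type>\w+) (?P<detail>.*)$")

def stages_for(detail):
    """Stage names matched by one event's detail, including the decoded -enc payload if any."""
    enc = re.search(r"-enc(?:odedcommand)?\s+(\S+)", detail, re.I)
    if enc:
        detail += " " + decode_ps(enc.group(1))  # match the script, not its base64
    return {name for name, rx in STAGES.items() if rx.search(detail)}

def correlate(lines, min_stages=3):
    """Hosts with at least min_stages distinct stages: one alone is often admin work, several is the chain."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            seen[m["host"]] |= stages_for(m["detail"])
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_stages}
```

Lowering `min_stages` to 1 surfaces hosts such as WS22, where only the encoded PDC lookup appears, which is useful for hunting but noisier as an alert.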

## Who’s at Risk?

**Manufacturing and construction** sectors are most affected due to their **low downtime tolerance**, while **[healthcare](https://sqmagazine.co.uk/ai-in-healthcare-statistics/)** faces threats to **patient safety** and **protected health information (PHI)**. The **insurance industry** is another high-value target, holding **aggregated risk data** from thousands of companies.

“These sectors are prime targets due to their high-pressure operational environments and data sensitivity,” said **Amit Jaju**, Senior Managing Director at Ankura Consulting.

## Conventional Defenses Are Falling Short

Experts agree that traditional security tools alone are not enough. Organizations must now adopt a **multi-layered [cybersecurity](https://sqmagazine.co.uk/cybersecurity-attacks-statistics/) strategy**:

- **Behavioral monitoring** using EDR/XDR tools
- **Network segmentation** and visibility
- **Zero Trust access models**
- **Strict vendor and patch management**
- **Regular incident simulations and tabletop exercises**

“Custom evasion techniques increase the chance of undetected breaches,” warned **Manish Rawat** of TechInsights. “This enables more targeted, high-impact attacks.”

## SQ Magazine’s Takeaway

This is one of the **most chilling ransomware campaigns** I’ve seen this year. What makes The Gentlemen terrifying isn’t just their tech; it’s their patience and precision. These attackers **study your defenses**, adapt on the fly, and hit you where it hurts the most. This isn’t smash-and-grab ransomware. It’s a **strategic invasion**. If you’re in a vulnerable sector like manufacturing or healthcare, **you need to act now**. Patch your systems, lock down admin access, and **prepare for a fight**, because these guys are not amateurs. They’re professionals with a playbook, and your data is their next move.