A dangerous new ransomware group called The Gentlemen is targeting critical industries around the world using highly customized hacking tools and techniques.
Quick Summary – TLDR:
- The Gentlemen ransomware group has launched targeted attacks across 17 countries, focusing on manufacturing, healthcare, and insurance.
- They use custom-built tools to bypass enterprise-grade security and adapt their methods mid-campaign.
- Initial access is often gained via compromised credentials or internet-facing infrastructure, including FortiGate servers.
- Experts warn these tactics represent an evolution in ransomware strategy, increasing dwell time, damage, and recovery costs.
What Happened?
Since being discovered in August 2025, The Gentlemen ransomware group has rapidly expanded its operations across Asia Pacific, the United States, South America, and the Middle East. Security researchers from Trend Micro identified the group as a new and previously undocumented threat actor deploying sophisticated, targeted attacks. So far, at least 27 organizations have been affected, with Thailand and the US among the top targets.
🚨New Ransomware Group Identified: The Gentlemen
— Dark Web Informer (@DarkWebInformer) September 9, 2025
Onion: http://tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad[.]onion pic.twitter.com/n83Xcm2hZa
A Tailored Approach to Cybercrime
Unlike typical ransomware operators, The Gentlemen deploy customized attack chains tailored to each victim’s specific environment. From bypassing endpoint protections to exploiting Group Policy Objects (GPOs), their tactics show a deep understanding of enterprise systems.
- Advanced IP Scanner and Nmap are used for internal reconnaissance.
- A batch script named 1.bat is used to enumerate over 60 user accounts.
- They target domain admins and custom privileged groups like itgateadmin.
Once inside a network, they disable endpoint security using tools like All.exe, ThrottleBlood.sys, PowerRun.exe, and Allpatch2.exe, adapting each tool based on the defenses they find.
Persistence and Control
The attackers establish long-term access using AnyDesk and exploit registry settings to maintain persistence. They have also been observed using Group Policy Management tools (gpmc.msc and gpme.msc) to roll out malicious changes across domains.
- Firewall settings are modified to enable Remote Desktop Protocol (RDP).
- Encoded PowerShell scripts help identify the Primary Domain Controller (PDC) for more targeted attacks.
They ensure data exfiltration through WinSCP, a secure file transfer tool, before deploying their ransomware payload through the NETLOGON share.
Aggressive Impact and Cleanup
The ransomware not only encrypts files but also takes steps to disable recovery and evade forensic investigation:
- Deletes Windows Defender logs, RDP logs, Recycle Bin content, and prefetch files
- Disables Windows Defender using PowerShell commands
- Terminates critical services and processes associated with backups, databases, and antivirus software
- Drops a self-deleting batch script to clean traces after encryption is complete
Encrypted files are marked with a .7mtzhh extension, and a ransom note named README-GENTLEMEN.txt is left behind.
Who’s at Risk?
Manufacturing and construction sectors are most affected due to their low downtime tolerance, while healthcare faces threats to patient safety and protected health information (PHI). The insurance industry is another high-value target, holding aggregated risk data from thousands of companies.
“These sectors are prime targets due to their high-pressure operational environments and data sensitivity,” said Amit Jaju, Senior Managing Director at Ankura Consulting.
Conventional Defenses Are Falling Short
Experts agree that traditional security tools alone are not enough. Organizations must now adopt a multi-layered cybersecurity strategy:
- Behavioral monitoring using EDR/XDR tools
- Network segmentation and visibility
- Zero Trust access models
- Strict vendor and patch management
- Regular incident simulations and tabletop exercises
“Custom evasion techniques increase the chance of undetected breaches,” warned Manish Rawat of TechInsights. “This enables more targeted, high-impact attacks.”
SQ Magazine’s Takeaway
This is one of the most chilling ransomware campaigns I’ve seen this year. What makes The Gentlemen terrifying isn’t just their tech, it’s their patience and precision. These attackers study your defenses, adapt on the fly, and hit you where it hurts the most. This isn’t smash-and-grab ransomware. It’s a strategic invasion. If you’re in a vulnerable sector like manufacturing or healthcare, you need to act now. Patch your systems, lock down admin access, and prepare for a fight because these guys are not amateurs. They’re professionals with a playbook, and your data is their next move.
