✅ Report Title: The Gentlemen Ransomware Analysis Report
✅ Executive Summary:
📌 What Is The Gentlemen Ransomware
- The Gentlemen is a ransomware group that has expanded its reach rapidly since it first appeared in July 2025.
- According to PRODAFT, the operators are estimated to have gained experience on RaaS platforms such as Qilin, Embargo, LockBit, Medusa, and BlackLock before expanding into RaaS themselves and building The Gentlemen platform on that experience.
The Gentlemen's Data Leak Site (DLS)
📌 TTPs (Tactics, Techniques, Procedures)
- According to the report, The Gentlemen group exploited the authentication bypass vulnerability CVE-2024-55591 (Exploit Public-Facing Application, T1190) in the FortiGate firewall to carry out the initial intrusion, then took control of the firewall with super-admin privileges, created backdoor accounts, compromised system configuration files, and secured persistent access paths through SSLVPN.
- Following initial access, PowerShell remote access was enabled (PowerShell, T1059.001), and NetExec was leveraged to collect credentials through SMB share creation (SMB/Windows Admin Shares, T1021.002), WinRM access, and NTLM Relay attacks.
- For account creation and persistence, a new domain account named "MicrosoftSupporte" was created (Domain Account, T1136.002) and added to the Domain Admins and Veeam groups (Additional Local or Domain Groups, T1098.007), confirming that administrative control over the backup infrastructure was secured.
- In the defense evasion phase, AV/EDR was disabled through registry manipulation (Modify Registry, T1112; Disable or Modify Tools, T1562.001). Kernel-level EDR process termination through the BYOVD (Bring Your Own Vulnerable Driver) technique was also confirmed.
📌 Malware & Encryption
- Upon execution, The Gentlemen ransomware checks which of its 10 execution arguments are active and performs additional malicious actions accordingly.
- When the "--system" or "--shares" execution argument is given, the parent process terminates and a new child process is created to carry out the subsequent malicious activity.
- It disables Windows Defender, modifies the registry and scheduled tasks to maintain persistence, terminates processes and services, and deletes artifacts.
- File encryption uses X25519 + XChaCha20, and 81 to 91 bytes of metadata are appended to the end of each encrypted file.
- In the Linux version, the ChaCha20 algorithm is used instead of XChaCha20 during the file encryption process, and actions such as listing and terminating virtual machines, as well as modifying the MOTD file, are performed.
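The account-creation and privilege-escalation chain in the TTPs section, and the Windows Defender disabling described in the malware section, both leave host and domain-controller log evidence that a SOC can correlate. The following detection sketch is an added example, not code from the S2W report or from The Gentlemen's tooling. It assumes events have already been normalized to JSON lines with the fields shown; the sample events, host names and the "svc_backup"/"jdoe" accounts are constructed, and only the "MicrosoftSupporte" name, the Domain Admins and Veeam groups, and the registry-based Defender disabling come from the report summary above. The event IDs (Security 4720 and 4728, Sysmon 13) are real Windows identifiers; the lookalike-token list and the 24-hour window are tunable assumptions.

```python
"""Correlate new-account creation with rapid privileged-group membership and with
Defender-disabling registry writes. Added example; assumptions are noted inline."""
import json
from datetime import datetime, timedelta

# Constructed sample events (JSON lines) modelled on Windows Security event 4720
# (user account created), 4728 (member added to a security-enabled global group)
# and Sysmon event 13 (registry value set). Not taken from the report.
SAMPLE_LOG = r"""
{"ts": "2025-09-01T10:00:00", "id": 4720, "host": "DC01", "subject": "svc_backup", "target": "MicrosoftSupporte"}
{"ts": "2025-09-01T10:02:30", "id": 4728, "host": "DC01", "subject": "svc_backup", "target": "MicrosoftSupporte", "group": "Domain Admins"}
{"ts": "2025-09-01T10:03:10", "id": 4728, "host": "DC01", "subject": "svc_backup", "target": "MicrosoftSupporte", "group": "Veeam"}
{"ts": "2025-09-01T11:15:00", "id": 13, "host": "FS01", "image": "C:\\Windows\\System32\\reg.exe", "key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", "details": "DWORD (0x00000001)"}
{"ts": "2025-09-02T09:00:00", "id": 4720, "host": "DC01", "subject": "hr_admin", "target": "jdoe"}
{"ts": "2025-09-05T09:00:00", "id": 4728, "host": "DC01", "subject": "hr_admin", "target": "jdoe", "group": "Domain Admins"}
"""

# Assumptions to tune per environment: which groups count as privileged, which
# name fragments mimic a vendor or support team, and how soon after creation a
# privileged-group addition is considered suspicious.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators", "veeam"}
LOOKALIKE_TOKENS = ("microsoft", "support", "helpdesk")
DEFENDER_KILL_VALUES = ("disableantispyware", "disablerealtimemonitoring")
WINDOW = timedelta(hours=24)


def parse_events(text):
    """Parse JSON-lines input into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return a list of alert dicts for the three patterns described above."""
    alerts = []
    created_at = {}  # lower-cased account name -> creation timestamp
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 sorts lexically
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 4720:
            name = ev["target"]
            created_at[name.lower()] = ts
            if any(tok in name.lower() for tok in LOOKALIKE_TOKENS):
                alerts.append({"rule": "vendor_lookalike_account", "host": ev["host"],
                               "account": name, "created_by": ev["subject"], "ts": ev["ts"]})
        elif ev["id"] == 4728 and ev.get("group", "").lower() in PRIVILEGED_GROUPS:
            name = ev["target"]
            born = created_at.get(name.lower())
            # Only accounts created inside the window are flagged; a long-standing
            # account being promoted (jdoe, three days later) is left to normal review.
            if born is not None and ts - born <= WINDOW:
                alerts.append({"rule": "privileged_group_add_after_creation", "host": ev["host"],
                               "account": name, "group": ev["group"],
                               "age_minutes": round((ts - born).total_seconds() / 60, 1)})
        elif ev["id"] == 13:
            key = ev.get("key", "")
            value_name = key.rsplit("\\", 1)[-1].lower()
            if ("windows defender" in key.lower() and value_name in DEFENDER_KILL_VALUES
                    and "0x00000001" in ev.get("details", "")):
                alerts.append({"rule": "defender_disabled_via_registry", "host": ev["host"],
                               "image": ev.get("image", ""), "key": key, "ts": ev["ts"]})
    return alerts


def run_sample():
    """Run the detection over the constructed sample log."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

On the constructed input the "MicrosoftSupporte" creation raises a lookalike-name alert, its two group additions raise rapid-escalation alerts (2.5 and 3.2 minutes after creation), and the reg.exe write of DisableAntiSpyware raises the Defender alert, while the "jdoe" promotion three days after creation is not flagged. The creation-to-promotion window is the useful signal here: attackers who stage a backdoor account typically promote it within minutes, whereas legitimate onboarding rarely does.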
✅ Recommended Threat Detection and Mitigation Actions:
- The Gentlemen group is characterized by exploiting vulnerabilities and executing multiple PowerShell-based commands during the attack, so it is recommended to apply the countermeasures proposed in this report immediately.
- In particular, externally exposed systems beyond Fortinet, such as SonicWall and Oracle EBS, are also primary targets for initial intrusion, so it is essential to enforce MFA on all VPNs used for internal network access and on externally exposed assets, and to implement countermeasures such as setting thresholds against brute-force attacks.
🧑‍💻 Author: S2W TALON
👉 Contact us: https://s2w.inc/en/contact
*The full report is available upon request or with a subscription to the S2W platform.