2025-09-18

The Gentlemen Ransomware Group Emerges with Custom Tools and Global Impact

Level: Tactical | Source: Trend Micro
Industries: Construction, Healthcare, Insurance, Manufacturing

A newly identified ransomware group tracked as "The Gentlemen" has emerged as a sophisticated threat actor following its discovery in August 2025, according to Trend Micro. Tallying the group's activity, Trend Micro linked it to attacks against 27 victims spanning 17 countries, with notable concentrations in Thailand and the United States. Industry targeting has been broad, with manufacturing leading at 18.5%, followed by construction (14.8%), healthcare (11.1%), and insurance (11.1%). The group's activity is heavily concentrated in Asia-Pacific but extends across South America, North America, and the Middle East. Trend Micro's analysis describes the group as methodical, able to pivot tactics depending on the security solutions encountered and often customizing tools to bypass specific defenses. This adaptability suggests a level of preparation and maturity more aligned with systematic intrusion operations than with opportunistic ransomware actors.

While initial access methods remain unconfirmed, Trend Micro assesses that intrusion likely began through exploitation of public-facing infrastructure or abuse of compromised credentials. Once inside the network, the operators surveyed connected assets with Advanced IP Scanner. They followed up with a batch script containing a series of enumeration commands such as "user admin[.]it /dom," "group 'domain admins' /dom," and "localgroup vmware" to collect user and group data, including accounts tied to virtualized environments. Defense evasion began with a vulnerable signed driver, "ThrottleBlood.sys," executed by "All.exe" and aimed at terminating protected processes. Where that failed, the operators shifted tactics, deploying additional tools and modifying registry settings related to LSA authentication and RDP security layers. Trend Micro noted that rather than relying on a single set of bypass tools, the group adjusted its methods based on what reconnaissance revealed about the endpoint protections deployed in each victim environment, writing: "Throughout this phase, the group demonstrated a targeted approach, adapting their techniques to the particular security solutions they encountered rather than relying solely on generic bypass methods."

The Gentlemen maintained persistence and moved laterally with tools including PsExec and AnyDesk. Additional network discovery was performed using "Nmap." Trend Micro noted: "Critically, the Nmap output path revealed the compromise of a FortiGate administrative account, with network scans originating from this privileged context. This suggests the threat actors had compromised critical network security infrastructure, potentially granting them extensive visibility and control over network traffic." Group Policy Object (GPO) manipulation via "gpmc.msc" and "gpme.msc" was used to push domain-wide changes, and encoded PowerShell was executed to identify key Active Directory assets. Data staging and collection involved WebDAV, and the presence of zone identifiers (Mark-of-the-Web alternate data streams) on consolidated files within "C:\ProgramData\data" implied preparation for exfiltration. Data was exfiltrated using "WinSCP," giving the group an encrypted channel that blends with legitimate transfer traffic. These techniques were supported by the group's control over privileged credentials and domain-wide tooling, which enabled a coordinated and persistent compromise.

Ransomware deployment was executed through the NETLOGON share across the domain using a password-protected binary. The payload disabled security features such as Windows Defender via PowerShell, altered firewall rules to maintain RDP access, and appended the extension ".7mtzhh" to encrypted files. Process and service termination commands targeted a wide array of known backup and database services. The threat actors also deleted forensic artifacts such as RDP logs, Prefetch data, and shadow copies to inhibit recovery and investigation. Additional actions included Windows Defender exclusion rules added to avoid detection, along with a cleanup routine that removed the binary and other evidence after encryption. Trend Micro describes the operation as sophisticated, with tailored tooling, secure exfiltration methods, and a multi-phase strategy that reflects an understanding of enterprise network defenses and how to subvert them systematically.
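Several of the behaviours described in the reconnaissance, lateral-movement and impact paragraphs above leave command-line and file-name traces that endpoint telemetry records. The script below is an added detection example, not code from Trend Micro or from this summary: it runs a small rule set over constructed process-creation and file-create records (Sysmon-style, with hypothetical hosts and paths) and correlates hits per host across kill-chain phases, so that a single noisy admin command does not alert on its own while the chain of domain enumeration, driver abuse, Defender tampering, shadow-copy deletion, RDP log clearing and the ".7mtzhh" extension does. Only the tool names, commands and extension come from the write-up; the rule weights and alert threshold are assumptions of this example.

```python
"""Host-level correlation of the command-line and file indicators quoted in the
write-up.  Added example; hosts, paths, weights and threshold are assumptions."""
import re
from typing import Dict, List, Tuple

# Rule: (name, phase, event type it applies to, pattern, weight).  Patterns key on
# the commands and names quoted in the text; weights (assumed) rank how rare the
# behaviour is in benign administration.
Rule = Tuple[str, str, str, re.Pattern, int]

RULES: List[Rule] = [
    # Discovery: net.exe user/group enumeration against the domain, or the vmware local group
    ("net_domain_enum", "discovery", "process",
     re.compile(r"\bnet1?(\.exe)?\s+(user|group|localgroup)\b.*?(\s/dom(ain)?\b|\bvmware\b)", re.I), 1),
    # Defense evasion: the named vulnerable driver or its loader
    ("throttleblood_byovd", "defense_evasion", "process",
     re.compile(r"throttleblood\.sys|(^|[\\\s\"'])all\.exe\b", re.I), 3),
    # Discovery: encoded PowerShell (-e / -enc / -EncodedCommand)
    ("encoded_powershell", "discovery", "process",
     re.compile(r"powershell(\.exe)?\b.*\s-e(nc|ncodedcommand)?\s", re.I), 2),
    # Impact: shadow copy deletion
    ("shadow_copy_deletion", "impact", "process",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I), 3),
    # Defense evasion: Defender disabled or given exclusions
    ("defender_tamper", "defense_evasion", "process",
     re.compile(r"\b(Set|Add)-MpPreference\b.*-(Disable\w+|Exclusion\w+)", re.I), 3),
    # Anti-forensics: clearing the RDP (TerminalServices) event logs
    ("rdp_log_clearing", "anti_forensics", "process",
     re.compile(r"wevtutil(\.exe)?\s+cl\s+\S*TerminalServices", re.I), 2),
    # Impact: the ransomware extension appearing on written files
    ("ransom_extension", "impact", "file",
     re.compile(r"\.7mtzhh$", re.I), 3),
]

# Constructed sample telemetry (hypothetical hosts, users, paths and blobs).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "type": "process", "detail": r"net user admin.it /dom"},
    {"host": "WS01", "type": "process", "detail": r'net group "domain admins" /dom'},
    {"host": "WS01", "type": "process", "detail": r"net localgroup vmware"},
    {"host": "WS01", "type": "process", "detail": r"All.exe -d C:\Users\Public\ThrottleBlood.sys"},
    {"host": "SRV02", "type": "process", "detail": r"powershell.exe -enc QQBCAEMA"},  # placeholder blob
    {"host": "SRV02", "type": "process", "detail": r"vssadmin delete shadows /all /quiet"},
    {"host": "SRV02", "type": "process", "detail": r"Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "SRV02", "type": "process", "detail": r"Add-MpPreference -ExclusionPath C:\ProgramData\data"},
    {"host": "SRV02", "type": "process",
     "detail": r"wevtutil cl Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"},
    {"host": "SRV02", "type": "file", "detail": r"C:\Finance\Q3-ledger.xlsx.7mtzhh"},
    # Benign administration on WS03: no /dom switch, no encoded command
    {"host": "WS03", "type": "process", "detail": r"net user jsmith"},
    {"host": "WS03", "type": "process", "detail": r"powershell.exe -ExecutionPolicy Bypass -File deploy.ps1"},
]


def match_event(event: Dict[str, str]) -> List[Tuple[str, str, int]]:
    """Return (rule_name, phase, weight) for every rule this record trips."""
    return [(name, phase, weight)
            for name, phase, etype, pattern, weight in RULES
            if event["type"] == etype and pattern.search(event["detail"])]


def score_hosts(events: List[Dict[str, str]], threshold: int = 5) -> Dict[str, dict]:
    """Aggregate matches per host.  Each rule counts once per host; a host alerts
    when it trips rules from two or more phases or its summed weight reaches
    the threshold, so one isolated admin command does not page anyone."""
    per_host: Dict[str, dict] = {}
    for ev in events:
        h = per_host.setdefault(ev["host"], {"rules": set(), "phases": set(), "score": 0})
        for name, phase, weight in match_event(ev):
            if name not in h["rules"]:
                h["rules"].add(name)
                h["phases"].add(phase)
                h["score"] += weight
    for h in per_host.values():
        h["alert"] = h["score"] >= threshold or len(h["phases"]) >= 2
    return per_host


if __name__ == "__main__":
    for host, result in score_hosts(SAMPLE_EVENTS).items():
        flag = "ALERT" if result["alert"] else "ok"
        print(f"{host}: {flag} score={result['score']} rules={sorted(result['rules'])}")
```

The per-host correlation is the point: `net user` or a Defender preference change is common in legitimate administration, but the same host tripping discovery, defense-evasion and impact rules within one window is the pattern the write-up describes. In production the same logic would consume Sysmon Event ID 1 and 11 (or an EDR's process and file streams) rather than the embedded list, and the driver and extension rules should be treated as brittle name-based indicators that the operators can change between victims.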
