The Gentlemen ransomware: Dissecting a self-propagating Go encryptor
The Gentlemen ransomware, operated by Storm-2697, is a Go-based encryptor that combines robust Curve25519/XChaCha20 encryption with aggressive lateral movement capabilities. It utilizes multiple redundant propagation methods (PsExec, WMI, scheduled tasks, services) to maximize network compromise while employing extensive defense evasion techniques to hinder detection and recovery.
Authors: Microsoft Threat Intelligence
Source: Microsoft
- filename: gentlemen.bmp - Desktop wallpaper dropped to the %TEMP% directory
- filename: README-GENTLEMEN.txt - Ransom note dropped in scanned directories
- registry_key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GupdateS - System-level persistence mechanism
- sha256: 22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67 - The Gentlemen ransomware payload
- url: hxxps://x[.]com/TheGentlemen25 - X (Twitter) handle listed in the ransom note
- url: hxxp://tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad[.]onion/ - Tor leak site operated by The Gentlemen
What Happened
The Gentlemen ransomware is a malicious program that locks up computer files and demands payment to restore them. It affects Windows computers and is particularly dangerous because it can automatically spread itself to other computers on the same network. This matters because a single infected computer can quickly lead to an entire organization's network being compromised and their data stolen or locked. Organizations should ensure their antivirus is active, keep backups secure, and monitor for suspicious network activity.
Key Takeaways
- The Gentlemen is a Go-based Ransomware-as-a-Service (RaaS) operated by Storm-2697, featuring aggressive self-propagation capabilities.
- It uses a hybrid cryptographic scheme combining Curve25519 and XChaCha20, with size-based chunking to speed up the encryption of large files.
- The ransomware employs extensive defense evasion, including disabling Microsoft Defender, deleting shadow copies, and terminating numerous processes and services.
- Self-propagation is achieved through multiple redundant methods, including PsExec, WMI, scheduled tasks, services, and PowerShell remoting.
Affected Systems
- Windows
Attack Chain
The attack begins with the execution of the Go-based payload, requiring a hardcoded password. It escalates privileges via scheduled tasks and performs extensive defense evasion by disabling Defender, deleting shadow copies, and clearing logs. The ransomware then terminates locking processes and services before encrypting files using Curve25519 and XChaCha20. Finally, it attempts aggressive lateral movement using PsExec, WMI, scheduled tasks, and PowerShell remoting to infect other network hosts.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: Yes
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Microsoft Defender XDR, Microsoft Sentinel
The article provides KQL advanced hunting queries for Microsoft Defender XDR and Microsoft Sentinel to detect associated file hashes and web sessions.
Detection Engineering Assessment
- EDR Visibility: High — The malware relies heavily on built-in Windows utilities (schtasks, wmic, vssadmin, PowerShell) and creates obvious artifacts like scheduled tasks, services, and registry run keys which are highly visible to EDR.
- Network Visibility: Medium — Lateral movement via SMB (PsExec), WMI, and WinRM generates network traffic, but the payload itself is encrypted and network discovery uses standard protocols.
- Detection Difficulty: Moderate — While the malware uses obfuscation (Garble), its noisy behavior (deleting shadow copies, terminating dozens of processes, aggressive lateral movement) creates numerous high-fidelity detection opportunities.
Required Log Sources
- Process Creation (Event ID 4688)
- PowerShell Operational (Event ID 4104)
- Service Creation (Event ID 7045)
- Scheduled Task Creation (Event ID 4698)
- File Creation (Event ID 11)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for the creation of scheduled tasks running as SYSTEM that execute binaries from atypical locations like C:\Temp. | Process Creation, Scheduled Task Logs | Privilege Escalation / Lateral Movement | Low |
| Look for sequences of commands disabling Windows Defender (Set-MpPreference) followed immediately by network discovery commands (sc config fdrespub). | PowerShell Operational Logs, Process Creation | Defense Evasion / Discovery | Low |
| Investigate the use of vssadmin.exe or wmic.exe to delete volume shadow copies. | Process Creation | Impact | Low |
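As an added illustration, and not code from the Microsoft article or any Microsoft product, the Python below turns the three hunting hypotheses in the table above, together with the wevtutil and remote wmic command lines listed later under Additional IOCs, into rules that run over Event ID 4688-style process-creation records. The ProcEvent structure, the rule names, the ten-minute correlation window for the Defender-tampering-then-discovery sequence, the sample events, and the staging directories other than C:\Temp are all assumptions of this example.

```python
"""Added example, not from the Microsoft article: hunting rules for The Gentlemen
behaviours (SYSTEM scheduled task from a staging directory, Defender tampering
followed by network-discovery enablement, shadow copy deletion, event log
clearing, remote WMI process creation) over constructed 4688-style events."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str      # 4688 "New Process Name"
    cmdline: str    # 4688 "Process Command Line"


# Directories treated as atypical homes for a task action. C:\Temp comes from the
# article; the other two are an assumption of this example.
ATYPICAL_DIRS = ("c:\\temp\\", "c:\\users\\public\\", "c:\\windows\\temp\\")

SYSTEM_TASK_RE = re.compile(r'/ru\s+"?(?:nt authority\\)?system\b', re.I)
TASK_ACTION_RE = re.compile(r'/tr\s+"?([^"]+?)"?(?=\s+/|\s*$)', re.I)
DEFENDER_DISABLE_RE = re.compile(r"set-mppreference\b.*-disable\w*\s+(?:\$true|1)\b", re.I)
DISCOVERY_RE = re.compile(r"\bsc(?:\.exe)?\s+config\s+fdrespub\s+start\s*=\s*auto", re.I)

# Single-event rules, keyed by the name that appears in the resulting alert.
SINGLE_EVENT_RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "event_log_clearing": re.compile(r"wevtutil(?:\.exe)?\s+cl\s+\w+", re.I),
    "remote_wmi_process_create": re.compile(
        r"wmic(?:\.exe)?\s+/node:\S*\s+process\s+call\s+create", re.I),
}


def system_task_from_atypical_path(ev: ProcEvent) -> bool:
    """Hypothesis 1: schtasks /Create ... /RU SYSTEM whose /TR action lives in a staging dir."""
    cl = ev.cmdline
    if not ev.image.lower().endswith("\\schtasks.exe") or "/create" not in cl.lower():
        return False
    if not SYSTEM_TASK_RE.search(cl):
        return False
    m = TASK_ACTION_RE.search(cl)
    action = m.group(1).strip().lower() if m else ""
    return action.startswith(ATYPICAL_DIRS)


def alert(rule: str, ev: ProcEvent) -> Dict[str, str]:
    return {"rule": rule, "host": ev.host, "user": ev.user,
            "ts": ev.ts.isoformat(), "cmdline": ev.cmdline}


def hunt(events: List[ProcEvent], window_minutes: int = 10) -> List[Dict[str, str]]:
    """Run all rules over the events in time order. Hypothesis 2 is a per-host
    sequence: a Defender-disabling Set-MpPreference followed within the window
    by 'sc config fdrespub start=auto'. The window length is an assumption."""
    window = timedelta(minutes=window_minutes)
    alerts: List[Dict[str, str]] = []
    last_defender_disable: Dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if system_task_from_atypical_path(ev):
            alerts.append(alert("system_task_from_atypical_path", ev))
        for name, rx in SINGLE_EVENT_RULES.items():
            if rx.search(ev.cmdline):
                alerts.append(alert(name, ev))
        if DEFENDER_DISABLE_RE.search(ev.cmdline):
            last_defender_disable[ev.host] = ev.ts
        elif DISCOVERY_RE.search(ev.cmdline):
            t0 = last_defender_disable.get(ev.host)
            if t0 is not None and ev.ts - t0 <= window:
                alerts.append(alert("defender_disable_then_discovery", ev))
    return alerts


# Constructed sample telemetry: one compromised host (WS01) followed by benign
# administrative activity on other hosts that must not raise alerts.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    ProcEvent(T0, "WS01", "CORP\\alice", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /Create /RU SYSTEM /SC ONCE /TN gentlemen_system /TR "C:\Temp\gentlemen.exe" /ST 09:05'),
    ProcEvent(T0 + timedelta(minutes=1), "WS01", "NT AUTHORITY\\SYSTEM",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent(T0 + timedelta(minutes=2), "WS01", "NT AUTHORITY\\SYSTEM",
              r"C:\Windows\System32\sc.exe", "sc config fdrespub start=auto"),
    ProcEvent(T0 + timedelta(minutes=3), "WS01", "NT AUTHORITY\\SYSTEM",
              r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(T0 + timedelta(minutes=4), "WS01", "NT AUTHORITY\\SYSTEM",
              r"C:\Windows\System32\wevtutil.exe", "wevtutil cl System"),
    ProcEvent(T0 + timedelta(minutes=5), "WS01", "NT AUTHORITY\\SYSTEM",
              r"C:\Windows\System32\wbem\wmic.exe",
              r'wmic /node:"WS02" process call create "C:\Temp\gentlemen.exe"'),
    ProcEvent(T0 + timedelta(hours=2), "WS03", "CORP\\bob", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /Create /RU SYSTEM /SC DAILY /TN Backup /TR "C:\Program Files\Backup\backup.exe"'),
    ProcEvent(T0 + timedelta(hours=3), "WS04", "CORP\\carol",
              r"C:\Windows\System32\sc.exe", "sc config fdrespub start=auto"),
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['host']} {a['rule']}: {a['cmdline']}")
```

The sequence rule keys on the host rather than on a parent process, because the article describes the Defender tampering and the sc config call as separate command executions; keeping the window short is what keeps the rule's false-positive rate low when an administrator legitimately enables the Function Discovery Resource Publication service on its own.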
Control Gaps
- Lack of network segmentation allowing SMB/WMI lateral movement
- Insufficient endpoint protection against tampering
Key Behavioral Indicators
- Creation of hidden SMB shares (share$)
- Execution of PsExec from C:\Temp
- Mass termination of database and backup services
- Modification of Run registry keys with paths to C:\Temp
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider isolating endpoints exhibiting mass file renaming or shadow copy deletion.
- Evaluate blocking the execution of PsExec and WMI commands originating from unexpected parent processes.
Infrastructure Hardening
- Consider disabling SMBv1 and restricting SMB/WMI lateral movement between workstations.
- Evaluate implementing Controlled Folder Access to protect critical data directories.
- Ensure tamper protection is enabled for endpoint security agents.
User Protection
- Consider enforcing multi-factor authentication for all remote access and administrative accounts.
- Evaluate restricting local administrator privileges to prevent unauthorized scheduled task creation.
Security Awareness
- Consider training staff to recognize and report unexpected desktop wallpaper changes or ransom notes.
MITRE ATT&CK Mapping
- T1059.001 - PowerShell
- T1053.005 - Scheduled Task
- T1547.001 - Registry Run Keys / Startup Folder
- T1562.001 - Disable or Modify Tools
- T1490 - Inhibit System Recovery
- T1486 - Data Encrypted for Impact
- T1047 - Windows Management Instrumentation
- T1569.002 - Service Execution
- T1021.002 - SMB/Windows Admin Shares
- T1021.006 - Windows Remote Management
Additional IOCs
- Urls:
hxxps://x[.]com/TheGentlemen25 - X (Twitter) handle listed in the ransom note
- Registry Keys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GupdateU - User-level persistence mechanism
- File Paths:
C:\Temp\psexec.exe - Staging path for embedded PsExec payload
- Command Lines:

| Purpose | Tools | Stage | Command Line |
|---|---|---|---|
| Privilege escalation via scheduled task | schtasks.exe | Privilege Escalation | schtasks /Create /RU SYSTEM /SC ONCE /TN gentlemen_system /TR |
| Deletion of volume shadow copies | vssadmin.exe | Impact | vssadmin delete shadows /all /quiet |
| Clearing of Windows event logs | wevtutil.exe | Defense Evasion | wevtutil cl System |
| Enabling network discovery services for lateral movement | sc.exe | Discovery | sc config fdrespub start=auto |
| Lateral movement via WMI process creation | wmic.exe | Lateral Movement | wmic /node: process call create |
- Other:
15CE8D5DB0BAC3BCBB1FA69F2E672CC54EFBEC7684DA792F3CBF8B007A9FEA1D16374560DFA5 - Tox ID for threat actor contact
.umc16h - Appended extension for encrypted files
9VoAvR7G - Hardcoded execution password for the analyzed build