Powered by MOMENTUM MEDIA

Introducing The Gentlemen, a new ransomware group who are anything but

A new group emerges with a swathe of victims and a devious new detection evasion technique.


On 9 September, a ransomware group calling itself The Gentlemen emerged as a potentially prolific threat actor, sharing the details of 32 victims from around the world on its darknet leak site.

The group’s victims were an eclectic bunch. Shifa Hospital in Oman and PC Chandra Jewellers from India. A financial research firm in Sweden and a mattress manufacturer in Morocco.

The only thing they have in common is that they were all unlucky enough to catch the attention of a group of technically proficient cyber criminals capable of using a very particular technique to bypass and even disable anti-virus and other IT security measures.


Unlike some groups, The Gentlemen does not have a manifesto on its site, nor anything else that might hint at who they are. No claims to be honest pen-testers doing their victims a favour, nor any promises that they are entirely financially motivated and can be trusted to delete stolen data when a ransom is paid.

All there is on the gang’s leak site is details of its victims – and even that is light, with no information regarding data volumes or any evidentiary documents. Since those first 32 victims, two more have been added – one from Germany, the other from Nepal – and all, bar the last two, have had their data published, directly hosted on The Gentlemen’s leak site.

Oh, and its brand logo – every hacker needs one, these days – is a dapper gentleman in a suit, wearing a top hat, and with a waxed moustache. Because of course it is. The only other pieces of information are the gang’s Tox details and a QR code for the same.

But thanks to the work of Trend Micro, we know something about the group’s tactics, and that’s worth sharing.

Not so gentle men

Trend Micro began investigating The Gentlemen in August, just before it began its darknet posting spree and no doubt while it was targeting its first tranche of victims.

“This threat actor quickly established itself within the threat landscape by demonstrating advanced capabilities through their systematic compromise of enterprise environments,” Trend Micro said in a recent blog post.

“By adapting their tools mid-campaign – shifting from generic anti-AV utilities to highly targeted, specific variants – the attackers demonstrate versatility and determination, posing a significant threat to organisations regardless of their security defences.”

Trend Micro wasn’t able to exactly nail down the group’s initial access vector, but it was able to determine that The Gentlemen are fond of exploiting internet-facing services or taking advantage of compromised credentials. The group is careful, however, to take its time getting into a network, deploying tools such as Advanced IP Scanner for network reconnaissance and making the effort to map out network infrastructure and identify a victim’s crown jewels.

Aside from the care it takes, many of The Gentlemen’s TTPs are relatively standard, with one exception: the group abuses a legitimate but vulnerable driver to evade detection, deploying All.exe alongside ThrottleBlood.sys to manipulate the system at kernel level, which in turn gives The Gentlemen the ability to terminate security software processes at will.

“The tool operates by loading the vulnerable driver and using it to kill protected processes that would normally be shielded from termination,” Trend Micro said.

“Recognising the limitations of this initial approach, the threat actors shifted tactics and began conducting detailed reconnaissance of the endpoint protection mechanisms in place. This allowed them to identify specific security controls and tailor their methods accordingly.”

Next in the attack chain comes PowerRun.exe to elevate network privileges, and then an enhanced version of its evasion tool, Allpatch2.exe, to complete the process of detection evasion with tailored precision.

The Gentlemen then move laterally, maintaining persistence through living-off-the-land techniques and gradually weakening security controls by carefully editing select registry settings. Data collection follows, then exfiltration.

Finally, the group’s ransomware terminates key services that might assist in forensic analysis and recovery operations. Before encrypting the victim’s data, The Gentlemen neutralise Windows Defender and rewrite firewall rules to maintain persistent access throughout any ransom negotiation.
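The chain described above (a vulnerable driver loaded to kill protected processes, Defender switched off through the registry, firewall rules rewritten) leaves a recognisable trail in endpoint telemetry. The following Python script is an added illustration of how a defender might flag that trail; it is not code from the article or from Trend Micro's research. The only indicators it uses are the file names the article gives (All.exe, Allpatch2.exe, PowerRun.exe, ThrottleBlood.sys); the Sysmon-style event schema, the host names, the timestamps and the driver paths are constructed assumptions for the example, and the article publishes no hashes, so none are used.

```python
"""Toy detector for the BYOVD-plus-defence-evasion chain described in the article.
Events are simplified Sysmon-style dicts (constructed for this example):
  EventID 1  = process created, EventID 6 = driver loaded, EventID 13 = registry value set.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# File names named in the article (hashes are not published there, so none are used).
SUSPECT_DRIVERS = {"throttleblood.sys"}
SUSPECT_TOOLS = {"all.exe", "allpatch2.exe", "powerrun.exe"}
# Locations from which a properly installed driver should not normally be loaded.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Registry values that switch Windows Defender off when set to 1.
DEFENDER_KEYS = ("\\windows defender\\disableantispyware",
                 "\\real-time protection\\disablerealtimemonitoring")


def classify(event):
    """Return a finding label for one event, or None if nothing stands out."""
    eid = event["EventID"]
    if eid == 6:  # driver loaded
        path = event["ImageLoaded"].lower()
        name = path.rsplit("\\", 1)[-1]
        if name in SUSPECT_DRIVERS:
            return "known-vulnerable-driver-loaded"
        # "Signed" is simplified to a bool here; real Sysmon emits the string "true"/"false".
        if path.startswith(USER_WRITABLE) or not event.get("Signed", True):
            return "driver-from-unusual-path-or-unsigned"
    elif eid == 1:  # process created
        image = event["Image"].lower().rsplit("\\", 1)[-1]
        cmd = event.get("CommandLine", "").lower()
        if image in SUSPECT_TOOLS:
            return "known-evasion-tool-executed"
        if image == "netsh.exe" and "advfirewall" in cmd and ("add rule" in cmd or " set " in cmd):
            return "firewall-rule-changed"
    elif eid == 13:  # registry value set
        target = event["TargetObject"].lower()
        details = str(event.get("Details", "")).strip().lower()
        if target.endswith(DEFENDER_KEYS) and details.startswith("dword (0x00000001)"):
            return "defender-disabled-via-registry"
    return None


def correlate(events, window=timedelta(hours=1)):
    """Group findings per host and escalate when a driver-related finding is followed
    by at least one other finding type inside the time window."""
    per_host = defaultdict(list)
    for e in events:
        label = classify(e)
        if label:
            per_host[e["Computer"]].append((datetime.fromisoformat(e["UtcTime"]), label))
    alerts = {}
    for host, findings in per_host.items():
        findings.sort()
        labels = [label for _, label in findings]
        span = findings[-1][0] - findings[0][0]
        chained = any("driver" in l for l in labels) and len(set(labels)) >= 2 and span <= window
        alerts[host] = {"severity": "high" if chained else "medium", "labels": labels}
    return alerts


# Constructed sample telemetry: FS01 shows the full chain, WS07 a normal driver load.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "FS01", "UtcTime": "2025-09-02T01:10:00",
     "Image": "C:\\Users\\Public\\All.exe", "CommandLine": "All.exe"},
    {"EventID": 6, "Computer": "FS01", "UtcTime": "2025-09-02T01:10:05",
     "ImageLoaded": "C:\\Users\\Public\\ThrottleBlood.sys", "Signed": True},
    {"EventID": 13, "Computer": "FS01", "UtcTime": "2025-09-02T01:12:00",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Computer": "FS01", "UtcTime": "2025-09-02T01:15:00",
     "Image": "C:\\Windows\\System32\\netsh.exe",
     "CommandLine": "netsh advfirewall firewall add rule name=svc dir=in action=allow program=C:\\Users\\Public\\svc.exe"},
    {"EventID": 6, "Computer": "WS07", "UtcTime": "2025-09-02T01:20:00",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Signed": True},
]

if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_EVENTS).items():
        print(host, alert["severity"], "->", ", ".join(alert["labels"]))
```

The point of the correlation step is that no single event here is conclusive on its own: a driver load from a user profile, a Defender policy change or a netsh rule can each have an administrative explanation, but the same host producing all of them within an hour, starting with the driver, is the pattern the article describes. In production the indicator sets would be fed from a maintained vulnerable-driver list rather than the single name quoted here.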

“Overall, the campaign highlights the threat actors’ understanding of enterprise security architectures, demonstrated through adaptive countermeasures specifically tailored to overcome deployed security solutions, systematic data theft for double extortion, and the eventual successful deployment of ransomware using domain administrator privileges for maximum impact,” Trend Micro said.

So far, no Australian organisations have drawn the attention of this new group, but it’s only a matter of time. You can learn more about this group and its IOCs here.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
