Gentlemen (malware)
⚠️ Overview
Gentlemen is a ransomware strain first identified in April 2021 by security researchers at SentinelOne. It is operated as ransomware-as-a-service (RaaS) and attributed to a threat actor tracked as TA271. It primarily targets Windows systems, encrypts each file with its own AES-256 key that is in turn wrapped by an RSA-2048 public key embedded in the binary, appends the .gentlemen extension to encrypted files, and drops a ransom note named _readthis.txt demanding payment in Bitcoin for decryption.
🔧 Technical Capabilities
Gentlemen is delivered through phishing emails carrying malicious Microsoft Office documents that fetch the payload from a remote server (MITRE ATT&CK T1566.001, Spearphishing Attachment). Before encrypting, the ransomware sends basic system information to its custom command-and-control (C2) infrastructure over plain HTTP (T1071.001, Web Protocols; T1041, Exfiltration Over C2 Channel). Persistence is achieved with a scheduled task (T1053.005) or a Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (T1547.001). Defensive evasion includes disabling Windows Defender real-time protection through PowerShell commands (T1562.001) and a sandbox check on the number of logical processors: on hosts reporting fewer than two, the sample exits without encrypting anything (T1497.001). Encryption is hybrid (T1486): the RSA-2048 public key embedded in the binary wraps a randomly generated per-file AES-256 key, so that, provided the implementation discards the plaintext AES keys correctly, files cannot be recovered without the operator's private key.
📜 History & Notable Incidents
First observed in April 2021, Gentlemen remained active through 2022 in campaigns against small-to-medium businesses in the United States and Europe. No high-profile victims have been publicly named. In June 2021 Cisco Talos linked the ransomware to an initial access broker selling compromised RDP credentials (T1078, Valid Accounts; T1021.001, Remote Desktop Protocol), so phishing is not the only way in. No CVE is specific to Gentlemen itself, but its malicious RTF delivery documents exploit CVE-2017-0199, the Microsoft Office/WordPad OLE remote code execution flaw. No law enforcement action against the operators is known.
🔍 Detection Indicators
A SHA256 hash reported for a sample (VirusTotal, submitted 2021-04-15) is 5a8f3e1c2b9d7a4f6e0c3d8b1a2f5e7c9d0a1b2c3d4e5f6a7b8c9d0e1f2a3; as reproduced here it is shorter than the 64 hexadecimal characters a SHA256 digest requires, so verify it against the original VirusTotal record before loading it into a blocklist. Behavioural indicators are a burst of file renames that append the .gentlemen extension and creation of _readthis.txt in every directory the ransomware traverses. Network indicators are HTTP POST requests to 45.153.240.XX on port 8080 with the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" (a generic browser prefix, so alert on it only in combination with the destination), and a registry marker at HKCU\Software\Gentlemen\encrypted.
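The following is an added example, not code from the original page or from any of the vendors it cites. It turns the indicators in this section and the persistence behaviour described under Technical Capabilities into a small detector that runs over constructed, Sysmon-style events: a rename burst to .gentlemen, _readthis.txt dropped in several directories, a Run-key write, the HKCU\Software\Gentlemen\encrypted marker, and a POST to the C2 address on port 8080. The event schema, the burst thresholds, and the choice to treat the masked address 45.153.240.XX as a /24 are assumptions made for the illustration.

```python
# Added example: detector for the Gentlemen indicators listed on this page.
# Not the page's or any vendor's code; event schema, thresholds and the /24
# used for the masked C2 address are assumptions for this illustration.
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

ENCRYPTED_EXT = ".gentlemen"
RANSOM_NOTE = "_readthis.txt"
RUN_KEY_PREFIX = "hkcu\\software\\microsoft\\windows\\currentversion\\run\\"
MARKER_KEY = r"hkcu\software\gentlemen\encrypted"
C2_NET = ipaddress.ip_network("45.153.240.0/24")  # page masks last octet: assumption
C2_PORT = 8080
C2_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
RENAME_BURST = 20                 # assumed: renames per process ...
RENAME_WINDOW = timedelta(seconds=10)  # ... inside this sliding window
NOTE_DIRS = 3                     # assumed: distinct directories with the note


def _burst(stamps):
    """True if RENAME_BURST timestamps fall inside any RENAME_WINDOW span."""
    stamps = sorted(stamps)
    lo = 0
    for hi, t in enumerate(stamps):
        while t - stamps[lo] > RENAME_WINDOW:
            lo += 1
        if hi - lo + 1 >= RENAME_BURST:
            return True
    return False


def detect(events):
    """Return the sorted list of finding names triggered by the events."""
    findings = set()
    renames = defaultdict(list)   # pid -> timestamps of renames to .gentlemen
    note_dirs = set()             # directories that received _readthis.txt
    for e in events:
        kind = e["kind"]
        if kind == "file_rename" and e["target"].lower().endswith(ENCRYPTED_EXT):
            renames[e["pid"]].append(datetime.fromisoformat(e["ts"]))
        elif kind == "file_create" and e["target"].lower().endswith(RANSOM_NOTE):
            note_dirs.add(e["target"].lower().rsplit("\\", 1)[0])
        elif kind == "registry_set":
            key = e["key"].lower()
            if key.startswith(RUN_KEY_PREFIX):
                findings.add("run_key_persistence")
            elif key == MARKER_KEY:
                findings.add("gentlemen_marker_key")
        elif kind == "network":
            # The User-Agent alone is too generic; require destination + port + POST too.
            if (ipaddress.ip_address(e["dst_ip"]) in C2_NET
                    and e["dst_port"] == C2_PORT
                    and e.get("method") == "POST"
                    and e.get("user_agent") == C2_UA):
                findings.add("c2_post")
    if any(_burst(s) for s in renames.values()):
        findings.add("rename_burst")
    if len(note_dirs) >= NOTE_DIRS:
        findings.add("ransom_note_spray")
    return sorted(findings)


def sample_events():
    """Constructed sample telemetry for one infected host (not a real capture)."""
    base = datetime(2021, 4, 15, 12, 0, 0)
    ev = []
    for i in range(25):  # 25 renames in 4.8 s from the same process
        t = base + timedelta(milliseconds=200 * i)
        ev.append({"kind": "file_rename", "ts": t.isoformat(), "pid": 4242,
                   "target": rf"C:\Users\alice\Documents\report{i}.docx.gentlemen"})
    for d in (r"C:\Users\alice\Documents", r"C:\Users\alice\Pictures", r"C:\Shares\Finance"):
        ev.append({"kind": "file_create", "ts": base.isoformat(), "pid": 4242,
                   "target": d + "\\_readthis.txt"})
    ev.append({"kind": "registry_set", "ts": base.isoformat(), "pid": 4242,
               "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate"})
    ev.append({"kind": "registry_set", "ts": base.isoformat(), "pid": 4242,
               "key": r"HKCU\Software\Gentlemen\encrypted"})
    ev.append({"kind": "network", "ts": base.isoformat(), "pid": 4242, "dst_ip": "45.153.240.17",
               "dst_port": 8080, "method": "POST", "user_agent": C2_UA})
    ev.append({"kind": "network", "ts": base.isoformat(), "pid": 900, "dst_ip": "45.153.240.17",
               "dst_port": 443, "method": "GET", "user_agent": C2_UA})  # same UA, not C2
    return ev


if __name__ == "__main__":
    print(detect(sample_events()))
```

The rename-burst and note-spray checks are what make the behavioural indicators usable: a single rename to .gentlemen or one stray _readthis.txt is noise, while twenty renames from one process inside ten seconds is the encryption loop itself. The network check deliberately refuses to fire on the User-Agent string by itself, since that prefix is shared by every Chromium-based browser on Windows 10.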
☠️ Risk & Impact
Gentlemen encrypts documents, images, databases and backup files, causing operational disruption and permanent data loss where backups are reachable from the infected host. Ransom demands quoted in victim statements range from $2,000 to $15,000 in Bitcoin; recovery and downtime costs come on top of the ransom. Healthcare, education and legal services are the most affected sectors according to indicators of compromise shared by the NCSC.
🛡️ Mitigation
Defenders should enforce application allow-listing (for example AppLocker or Windows Defender Application Control) to block execution of unknown binaries, deploy email security gateways that filter malicious attachments, and keep offline or immutable backups that are regularly restore-tested. Enable Windows Defender Tamper Protection so that Set-MpPreference cannot turn real-time monitoring off even from an elevated PowerShell session. For detection, a Sigma rule on process creation of powershell.exe with a command line containing "DisableRealtimeMonitoring" catches the evasion step (the page cites it as rule ID 8f3a2b1c, which is not the UUID form Sigma uses, so check the identifier against the rule repository before referencing it); note that a plain string match misses the same command passed through -EncodedCommand. Block the C2 IP range using threat intelligence feeds.
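As an added example (not the cited Sigma rule and not code from the original page), here is the process-creation logic that rule describes, tightened to match only a Set-MpPreference call that actually sets DisableRealtimeMonitoring to $true or 1, and extended to decode PowerShell's -EncodedCommand argument (base64 of UTF-16LE text) so that a wrapped command is still caught. The event field names follow Sysmon's Image/CommandLine convention; the sample command lines are constructed for this illustration.

```python
# Added example: detection logic for "powershell.exe disables Defender
# real-time monitoring", with -EncodedCommand decoding.  Not the page's cited
# Sigma rule; event field names and sample command lines are assumptions.
import base64
import re

POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")
# Match the parameter being *set* to true, not merely mentioned
# (e.g. "Get-MpPreference | select DisableRealtimeMonitoring" must not fire).
PATTERN = re.compile(r"DisableRealtimeMonitoring[\s:]+(\$true|1)\b", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded text of a -EncodedCommand argument, or '' if absent/invalid.

    PowerShell accepts any unambiguous prefix of the parameter name, so
    -e, -ec, -enc and -EncodedCommand all have to be recognised."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] in "-/" and len(tok) > 1 and "encodedcommand".startswith(tok[1:].lower()):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return ""
    return ""


def disables_defender(event):
    """True if a process-creation event is PowerShell turning real-time monitoring off."""
    image = event.get("Image", "").lower()
    if not image.endswith(POWERSHELL_IMAGES):
        return False
    cmd = event.get("CommandLine", "")
    return bool(PATTERN.search(cmd) or PATTERN.search(decode_encoded_command(cmd)))


def triage(events):
    """Return the ProcessIds of matching events, in input order."""
    return [e["ProcessId"] for e in events if disables_defender(e)]


# Constructed samples (not real telemetry).  The encoded form is built here the
# same way an attacker would: UTF-16LE text, then base64.
PLAIN = "Set-MpPreference -DisableRealtimeMonitoring $true"
ENCODED = base64.b64encode(PLAIN.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"ProcessId": 1001, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c " + PLAIN},
    {"ProcessId": 1002, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc " + ENCODED},
    {"ProcessId": 1003, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Get-MpPreference | Select-Object DisableRealtimeMonitoring"},
    {"ProcessId": 1004, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo " + PLAIN},
    {"ProcessId": 1005, "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -Command Set-MpPreference -DisableRealtimeMonitoring:$true"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Even with the decoding, this remains a string match on a command line: PowerShell lets parameter names be abbreviated, and real-time protection can also be changed through the Defender WMI class rather than the cmdlet. Treat the rule as a cheap tripwire and rely on Tamper Protection as the control that actually stops the change.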
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.